Merge pull request #879 from Sachin-Mamoru/fix-sec-issue

Fix Incorrect Usename Regex Validation Error Message for Secondary Userstore
wso2-extensions · Nov 26, 2024 · 7a68533 · 7a68533
2 parents 2630019 + 5de16d6
commit 7a68533
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/...main/java/org/wso2/carbon/identity/user/endpoint/impl/ValidateUsernameApiServiceImpl.java b/...main/java/org/wso2/carbon/identity/user/endpoint/impl/ValidateUsernameApiServiceImpl.java
@@ -121,7 +121,7 @@ public Response validateUsernamePost(UsernameValidationRequestDTO user) {
                 logDebug(String.format("%s is an invalid user name. Hence returning code %s: ",
                         username, SelfRegistrationStatusCodes.CODE_USER_NAME_INVALID));
                 errorDTO.setCode(SelfRegistrationStatusCodes.CODE_USER_NAME_INVALID);
-                errorDTO.setMessage(getRegexViolationErrorMsg(user, tenantDomain));
+                errorDTO.setMessage(getRegexViolationErrorMsg(user, tenantDomain, realm));
                 errorDTO.setRef(Utils.getCorrelation());
                 return Response.status(Response.Status.BAD_REQUEST).entity(errorDTO).build();
             } else if (StringUtils.isNotEmpty(realm) && !userSelfRegistrationManager.
@@ -148,10 +148,18 @@ public Response validateUsernamePost(UsernameValidationRequestDTO user) {
         }
     }
 
-    private String getRegexViolationErrorMsg(UsernameValidationRequestDTO user, String tenantDomain)
+    private String getRegexViolationErrorMsg(UsernameValidationRequestDTO user, String tenantDomain, String realm)
             throws UserStoreException {
 
         String userDomain = IdentityUtil.extractDomainFromName(user.getUsername());
+        /*
+         * If the user domain is not specified in the username and the realm property is specified in the request,
+         * the realm property will be used. This will resolve the user domain for secondary user stores.
+         * Otherwise, the user domain will be primary user store.
+         */
+        if (StringUtils.isNotEmpty(realm)) {
+            userDomain = realm;
+        }
         UserRealm userRealm = getUserRealm(tenantDomain);
         RealmConfiguration realmConfiguration = userRealm.getUserStoreManager().getSecondaryUserStoreManager
                 (userDomain).getRealmConfiguration();