
Password reset not working when there is a hyphen in the hostname #23370

Open
Binara-Sachin (Contributor) opened this issue Mar 5, 2025 · 0 comments
Description

When there is a hyphen sign (-) in the hostname, trying to reset the password of a user results in the following error:

```
[2025-03-05 20:35:37,551] [31534467-1d96-4e63-851d-1e24484f9b6b] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/accountrecoveryendpoint].[confirmrecovery.do]} - Servlet.service() for servlet [confirmrecovery.do] in context with path [/accountrecoveryendpoint] threw exception [An exception occurred processing [/password-recovery-confirm.jsp] at line [63]

60:     try {
61:         if (StringUtils.isNotBlank(callback)) {
62:             PreferenceRetrievalClient preferenceRetrievalClient = new PreferenceRetrievalClient();
63:             isValidCallBackURL = preferenceRetrievalClient.checkIfRecoveryCallbackURLValid(tenantDomain,callback);
64:         }
65:     } catch (PreferenceRetrievalClientException e) {
66:         request.setAttribute("error", true);


Stacktrace:] with root cause java.util.regex.PatternSyntaxException: Illegal character range near index 15
[https://local-host:9443].*[/authenticationendpoint/login.do]*
               ^
        at java.base/java.util.regex.Pattern.error(Pattern.java:2028)
        at java.base/java.util.regex.Pattern.range(Pattern.java:2826)
        at java.base/java.util.regex.Pattern.clazz(Pattern.java:2714)
        at java.base/java.util.regex.Pattern.sequence(Pattern.java:2139)
        at java.base/java.util.regex.Pattern.expr(Pattern.java:2069)
        at java.base/java.util.regex.Pattern.compile(Pattern.java:1783)
        at java.base/java.util.regex.Pattern.<init>(Pattern.java:1429)
        at java.base/java.util.regex.Pattern.compile(Pattern.java:1069)
        at java.base/java.util.regex.Pattern.matches(Pattern.java:1174)
        at java.base/java.lang.String.matches(String.java:2024)
        at java.base/java.util.Optional.filter(Optional.java:223)
        at org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClient.checkIfRecoveryCallbackURLValid(PreferenceRetrievalClient.java:232)
        at org.apache.jsp.password_002drecovery_002dconfirm_jsp._jspService(password_002drecovery_002dconfirm_jsp.java:246)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:115)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119)
        at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115)
        at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
        at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
        at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167)
        at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
        at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
        at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)
```

Steps to Reproduce

  1. Configure Identity Server with a hyphen in the hostname.

Ex:

```toml
[server]
hostname = "local-host"
```

  2. Make changes to the etc/hosts file accordingly.
  3. Log into the Management Console and enable the password reset feature in the resident identity provider configurations.

From this point, there are 2 ways to reproduce the error:

Method 01:

  • Go to the login page of IS, click the forgot password option, and enter a username.
  • This will immediately result in the above error.

Method 02:

  • Use the following API to trigger the password reset email.

```shell
curl --location 'https://local-host:9443/api/identity/recovery/v0.9/recover-password?type=email&notify=true' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--header 'Content-Type: application/json' \
--data '{
    "user": {
        "username": "binara",
        "realm": "PRIMARY",
        "tenant-domain": "carbon.super"
    },
    "properties": []
}'
```

  • A password reset email will be sent to the user.
  • Click on the password reset link.

Version

6.1.0

Environment Details (with versions)

No response
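The root cause shown in the stack trace is a regular expression assembled from a configuration value: the configured host URL lands inside `[...]`, which `java.util.regex` parses as a character class, so the `-` in `local-host` becomes a (descending, hence illegal) range `l-h`. The following is an added example and is not code from this issue or from WSO2 Identity Server; the class name `CallbackUrlCheck`, the method names and the constant `LOGIN_PATH` are assumed, and how `PreferenceRetrievalClient.checkIfRecoveryCallbackURLValid` actually builds its pattern is not visible on this page. It reproduces the pattern shape from the trace, shows the failure, and contrasts it with a form that quotes every config-derived fragment with `Pattern.quote`.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class CallbackUrlCheck {

    // Assumed: the path suffix as it appears in the pattern string in the stack trace.
    static final String LOGIN_PATH = "/authenticationendpoint/login.do";

    // Pattern shape seen in the trace: the configured URL is placed inside [...],
    // which java.util.regex reads as a character class. A '-' between two letters
    // is then a range, and "l-h" (in "local-host") is an illegal descending range.
    static boolean matchesBracketed(String allowedUrl, String callback) {
        String regex = "[" + allowedUrl + "].*[" + LOGIN_PATH + "]*";
        return callback.matches(regex);
    }

    // Hardened form (an assumed fix, not the project's): quote every fragment
    // derived from configuration so '-', '.', ':' and '/' are matched literally,
    // and state the intended check: starts with the allowed URL, ends with the login path.
    static boolean matchesQuoted(String allowedUrl, String callback) {
        String regex = Pattern.quote(allowedUrl) + ".*" + Pattern.quote(LOGIN_PATH);
        return callback.matches(regex);
    }

    public static void main(String[] args) {
        // Constructed sample values matching the hostname used in the issue.
        String hyphenHost = "https://local-host:9443";
        String callback = hyphenHost + LOGIN_PATH;

        try {
            matchesBracketed(hyphenHost, callback);
        } catch (PatternSyntaxException e) {
            // Same failure as the issue: "Illegal character range near index 15"
            System.out.println("bracketed pattern rejected: " + e.getDescription()
                    + " near index " + e.getIndex());
        }

        // Even without a hyphen, [...] matches exactly one character, so the
        // bracketed form accepts any callback whose first character is in the set.
        // A unit test like this catches a validator that does not express its intent.
        String plainHost = "https://localhost:9443";
        System.out.println("bracketed, unrelated URL: "
                + matchesBracketed(plainHost, "https://other.example/"));   // true

        // Quoted form: literal prefix, hyphen handled, unrelated URL rejected.
        System.out.println("quoted, valid callback:   "
                + matchesQuoted(hyphenHost, callback));                     // true
        System.out.println("quoted, unrelated URL:    "
                + matchesQuoted(hyphenHost, "https://other.example/"));     // false
    }
}
```

`Pattern.quote` wraps its argument in `\Q...\E`, so any character the configuration or an administrator supplies is matched literally; this is the general remedy whenever text that is not meant to be a regular expression is concatenated into one. The second check in `main` is worth keeping as a regression test: a callback validator should reject a URL on an unrelated host, and a pattern that happens to compile is no evidence that it does.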
