Config editor saves unchecked boolean settings as <default/> instead of <value>false</value>
Description:
When unchecking a boolean setting in the PWM configuration editor (v2.0.8), the XML saves as <default/> rather than <value>false</value>. Since most boolean settings default to true, unchecking a checkbox has no effect, so the setting remains functionally enabled.
To Reproduce:
- Open config editor, navigate to any boolean setting (e.g., Enforce Word List, Allow Intruder Unlock, Enforce Password Policy During Forgotten Password)
- Uncheck the checkbox
- Save the configuration
- Inspect PwmConfiguration.xml: the setting contains <default/> instead of <value>false</value>
Example XML after unchecking "Enforce Word List":
<setting key="password.policy.checkWordlist" modifyTime="2026-03-27T20:43:02Z"
modifyUser="..." profile="default" syntax="BOOLEAN" syntaxVersion="0">
<label>Policies ⇨ Password Policies ⇨ default ⇨ Enforce Word List</label>
<default/>
</setting>
Expected XML:
<setting key="password.policy.checkWordlist" ...>
<label>...</label>
<value>false</value>
</setting>
Impact: This is a silent security issue. Administrators believe they have disabled settings like wordlist enforcement, AD complexity checks, or intruder unlock, but the settings remain active. There is no UI indication that the save failed to produce the correct value.
Affected settings: All BOOLEAN syntax settings. I confirmed the bug on security.formNonce.enable, ldap.ad.enforcePwHistoryOnSet, recovery.allowWhenLocked, challenge.allowUnlock, wordlistCaseSensitive, ldap.ad.proxyForgotten, ldap.ad.allowAuth.expired, challenge.caseInsensitive, and others.
Workaround: After saving via the UI, manually edit PwmConfiguration.xml and replace <default/> with <value>false</value> (or <value>true</value>) for the affected settings.
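The following script is an added example, not part of this issue or of the PWM project, that turns the manual workaround into a repeatable check: it lists every BOOLEAN-syntax setting that was saved as <default/> with no explicit <value>, and can pin a given key to an explicit true/false so the file no longer silently falls back to the default. The <setting> structure and attributes follow the XML quoted above; the enclosing PwmConfiguration/settings wrapper elements and the sample keys are constructed assumptions for the demo.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the XML in the issue. The wrapper element
# names (PwmConfiguration, settings) are an assumption for the demo; the
# <setting> layout, attributes and <default/> / <value> children match the report.
SAMPLE_XML = """<PwmConfiguration>
  <settings>
    <setting key="password.policy.checkWordlist" profile="default" syntax="BOOLEAN" syntaxVersion="0">
      <label>Policies ⇨ Password Policies ⇨ default ⇨ Enforce Word List</label>
      <default/>
    </setting>
    <setting key="challenge.allowUnlock" syntax="BOOLEAN" syntaxVersion="0">
      <label>Allow Intruder Unlock</label>
      <value>false</value>
    </setting>
    <setting key="ldap.ad.allowAuth.expired" syntax="BOOLEAN" syntaxVersion="0">
      <label>Allow Authentication of Expired Users</label>
      <default/>
    </setting>
    <setting key="example.string.setting" syntax="STRING" syntaxVersion="0">
      <label>Constructed non-boolean setting</label>
      <default/>
    </setting>
  </settings>
</PwmConfiguration>
"""


def find_defaulted_booleans(xml_text):
    """Return the keys of BOOLEAN settings saved as <default/> with no <value>.

    These are exactly the settings an administrator may believe are disabled
    while PWM will still apply the (usually 'true') default.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for setting in root.iter("setting"):
        if setting.get("syntax") != "BOOLEAN":
            continue
        if setting.find("default") is not None and setting.find("value") is None:
            hits.append(setting.get("key"))
    return hits


def pin_boolean(xml_text, key, enabled):
    """Replace <default/> with an explicit <value>true|false</value> for one key.

    Returns (new_xml_text, changed). Settings that already carry a <value>
    are left untouched, so the function is safe to run repeatedly.
    """
    root = ET.fromstring(xml_text)
    changed = False
    for setting in root.iter("setting"):
        if setting.get("key") != key or setting.get("syntax") != "BOOLEAN":
            continue
        default = setting.find("default")
        if default is None:
            continue
        position = list(setting).index(default)
        setting.remove(default)
        value = ET.Element("value")
        value.text = "true" if enabled else "false"
        value.tail = default.tail  # keep the original whitespace layout
        setting.insert(position, value)
        changed = True
    return ET.tostring(root, encoding="unicode"), changed


def explicit_value(xml_text, key):
    """Return the text of <value> for a key, or None if the key has no explicit value."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("setting"):
        if setting.get("key") == key:
            value = setting.find("value")
            return None if value is None else value.text
    return None


if __name__ == "__main__":
    # Usage: python audit_pwm_booleans.py [path/to/PwmConfiguration.xml]
    # Without a path the constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_XML
    for key in find_defaulted_booleans(text):
        print(f"BOOLEAN setting saved as <default/> (default still applies): {key}")
```

Run it against the saved PwmConfiguration.xml after using the editor; any key it prints is one where the unchecked checkbox did not take effect. pin_boolean() only touches settings that have no explicit <value>, so applying it for a key that the editor did save correctly is a no-op.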
Environment: PWM v2.0.8, Docker (pwm/pwm-webapp), Java 21, Tomcat 9.0.99