Bug 973835
| Summary: | Allow customers to customize login validation and accounts expiration | |||
|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Portal Platform 6 | Reporter: | William Antônio <wsiqueir> | |
| Component: | Portal | Assignee: | Nobody <nobody> | |
| Status: | VERIFIED --- | QA Contact: | ||
| Severity: | low | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.0.0 | CC: | bdawidow, epp-bugs, jpallich, laszlo.van.den.hoek, ppalaga, theute, tkyjovsk | |
| Target Milestone: | DR01 | |||
| Target Release: | 6.2.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | 6_2 In_Progress | |||
| Fixed In Version: | Doc Type: | Enhancement | ||
| Doc Text: |
Previously, the password policy for JBoss Portal was static, and could not be customized. Portal administrators could not adjust the policy based on their requirements. The fix implements a configuration option that allows an Administrator to override the default validation by specifying custom password policies through the configuration.properties file.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1072150 (view as bug list) | Environment: | ||
| Last Closed: | Type: | Feature Request | ||
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1072150 | |||
We need to discuss this one with Marek Posolda and decide if it should be done in OrganizationService or at the PicketLink IDM level. Regarding the second part of the ticket (account/password expiration), it's being tracked in another Bugzilla and bdaw can provide more details about it. About the first part, about customizing the rules for password validation, we've had a discussion about the possibilities, and it seems that the best for now would be something as follows: 1) Adapt/extend the current UserConfigurableValidator, which allows the usage of min/max/regex constraints for values based on values from a configuration file, for instance: gatein.validators.mycompanypasspolicy.length.min=5 gatein.validators.mycompanypasspolicy.length.max=50 gatein.validators.mycompanypasspolicy.regexp=... 2) Extend the User Interface to allow the administrator to enter the name of the configuration entry related to the password policy (mycompanypasspolicy , in this case). If this sounds reasonable, I'll go ahead and implement a proposal for this feature. I believe that the regexp approach would cover customer' requirements! It sounds good to me. The above PR was merged in upstream. I tried to apply few custom policies via .../gatein/configuration.properties and it worked fine. @Juraci Do you have the BZ # for the admin UI for selecting the policies? Jared, I've just added a new page on the GateIn documentation, under "Configuration > Configuration of custom data validators", but not sure it's on the right place. https://docs.jboss.org/author/display/GTNPORTAL38/Custom+password+policy Would you please review, and let me know if there's anything else pending for me. |
Description of problem: Currently EPP/JPP only validates passwords by String length. It forces the length to be 6-30. addUIFormInput(new UIFormStringInput(PASSWORD, PASSWORD, null).setType(UIFormStringInput.PASSWORD_TYPE) .addValidator(MandatoryValidator.class).addValidator(PasswordStringLengthValidator.class, 6, 30)); addUIFormInput(new UIFormStringInput(CONFIRM_PASSWORD, CONFIRM_PASSWORD, null).setType(UIFormStringInput.PASSWORD_TYPE) .addValidator(MandatoryValidator.class).addValidator(PasswordStringLengthValidator.class, 6, 30)); Some customers requirements are to add other type of validations as well. For example: - Measure password strength; - rules for password. Other features to the security in general could be added: - Account and password expiration. This RFE is to allow customers to add custom password rules to their JPP installation and also allow account and password expiration settings.