Bug 1062602 - Installer accepts administrative user's password without alphabetic character
Summary: Installer accepts administrative user's password without alphabetic character
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Installer
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ER7
Target Release: EAP 6.3.0
Assignee: Ahmed Abu Lawi
QA Contact: Petr Kremensky
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: 1063861
 
Reported: 2014-02-07 12:44 UTC by Petr Kremensky
Modified: 2015-10-06 02:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6 it was found that the graphical installer utility was not honoring the username and password restrictions that govern user creation. This issue has been addressed and the GUI installer now adheres to password and naming restrictions as expected.
Clone Of:
Environment:
Last Closed: 2014-06-28 15:40:08 UTC
Type: Bug
Embargoed:



Description Petr Kremensky 2014-02-07 12:44:09 UTC
Description of problem:
We need to synchronize the installer's administrative user and password input validation with the add-user utility in EAP.

Version-Release number of selected component (if applicable):
 EAP 6.2.0

How reproducible:
 Always

Steps to Reproduce:
 1. Run either the GUI or console installation and go to the user creation dialogue
 2. Use admin#1 as user name (should be permitted, but isn't), use 1234567! as password (should be forbidden, but isn't)

Actual results:
user:
- username must be alphanumeric
password:
- password min length is 8
- password must contain digit
- password must contain non-alphanumeric character

Expected results:
user:
- no restriction for non-alphanumeric characters on user-name
password:
- password min length is 8
- password must contain alphabetic character
- password must contain digit
- password must contain non-alphanumeric character

Additional info:
Also, the documentation and add-user utility need an update; see BZ1062592

Comment 1 Petr Kremensky 2014-02-07 12:54:55 UTC
Sorry for the confusion, there seems to be a bug in the add-user utility, as it accepts aaa@aaa without complaining. A username obviously cannot contain a non-alphanumeric character.

Comment 2 Miles Tjandrawidjaja 2014-02-10 20:44:02 UTC
Passwords now satisfy the following constraints:
- password min length is 8
- password must contain alphabetic character
- password must contain digit
- password must contain non-alphanumeric character

Note that since passwords must have a non-alphanumeric character and usernames cannot contain a non-alphanumeric character, the username and password will never match.

http://git.app.eng.bos.redhat.com/jbossas-installer.git/commit/?h=eap-6.2&id=17a0608bc9bee29099458b0dd753330edde12a0f
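
The rule set listed in Comment 2, checked next to the one reported under "Actual results", as an added Python example that is not the installer's code. The names `Policy`, `password_violations` and `username_ok`, and the use of Python's Unicode character classes to decide what counts as alphabetic or a digit, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 8
    require_alpha: bool = True
    require_digit: bool = True
    require_symbol: bool = True


# Rules listed under "Actual results": no alphabetic character required.
REPORTED = Policy(require_alpha=False)
# Rules listed in Comment 2.
FIXED = Policy()


def password_violations(password, policy):
    """Return the list of rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.require_alpha and not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_symbol and all(c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    return problems


def username_ok(username):
    """Usernames must be non-empty and purely alphanumeric."""
    return username.isalnum()


if __name__ == "__main__":
    # Sample values taken from the report; "Passw0rd!" is constructed.
    for pw in ("1234567!", "Passw0rd!"):
        print(pw, "reported:", password_violations(pw, REPORTED),
              "fixed:", password_violations(pw, FIXED))
    for name in ("admin#1", "aaa@aaa", "admin1"):
        print(name, "username ok:", username_ok(name))
    # A password that passes FIXED always contains a symbol, so it can
    # never pass username_ok and therefore never equals a valid username.
    print(username_ok("Passw0rd!"))
```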

Comment 3 Petr Kremensky 2014-02-11 07:29:04 UTC
That is correct. I created BZ1063639 to fix the documentation.

Comment 4 Petr Kremensky 2014-02-11 14:49:02 UTC
We should also fix the text on the User panel to reflect the change:
id="security.text" txt="Create an administrative user. The user will be added to the ManagementRealm, and can be used to access the Management Console, as well as any other applications secured using the ManagementRealm. The password must have no fewer than 8 characters, and contain at least one number and one non-alphanumeric symbol."

Comment 5 Miles Tjandrawidjaja 2014-02-11 16:40:06 UTC
The string has been updated to contain:

Create an administrative user. The user will be added to the ManagementRealm, and can be used to access the Management Console, as well as any other applications secured using the ManagementRealm. The password must have no fewer than 8 characters, and must contain at least one digit, alphabetic character, and non-alphanumeric symbol.

http://git.app.eng.bos.redhat.com/jbossas-installer.git/commit/?h=eap-6.2&id=12f3ae6a5a9c7152694c188e5df6abfec122df9a

Comment 6 Petr Kremensky 2014-04-16 11:24:01 UTC
This is failing also with EAP 6.3.0.ER1 installer.

Comment 7 Petr Kremensky 2014-05-28 10:59:52 UTC
The installer now doesn't accept a password without an alphabetic symbol, but we should also fix the text (in both GUI and console mode).

Actual:
The password must have at least 8 characters, and contain at least one number and one non-alphanumeric symbol.

Expected (we can use the text from the documentation):
The password must be at least eight characters long, with one alphabetic character, one digit, and one non-alphanumeric character.

Comment 9 Petr Kremensky 2014-06-13 12:15:13 UTC
Verified on EAP 6.3.0.ER7 installer.

