In previous versions of JBoss EAP 6, the help output for the `add-user` utility only displayed a single restriction pertaining to passwords (that they not be the same as the username). This could cause confusion when adding new users, as there is more than one restriction in place to ensure valid passwords are used. In this release of the product, the single restriction has been removed from the help text. It now appears, along with other applicable restrictions, in messages displayed when using interactive mode.
Description of problem:
The following is displayed when you type: $ bin/add-user.sh --help
Usage: ./add-user.sh [args...]
where args include:
  -a                                  If set add an application user instead
                                      of a management user
  -dc <value>                         Define the location of the domain
  -sc <value>                         Define the location the server config
  -up, --user-properties <value>      The file name of the user properties
                                      file which can be an absolute path.
  -g, --group <value>                 Comma-separated list of groups for the
  -gp, --group-properties <value>     The file name of the group properties
                                      file which can be an absolute path. (If
                                      group properties is specified then user
                                      properties MUST also be specified).
  -p, --password <value>              Password of the user. Should not be
                                      same as the username
  -u, --user <value>                  Name of the user
  -r, --realm <value>                 Name of the realm used to secure the
                                      management interfaces (default is
  -s, --silent                        Activate the silent mode (no output to
  -h, --help                          Display this message and exit
The information for password is not correct. The username can only contain alphanumeric characters, so the password can never match it.
A better usage description for password might be:
It must contain at least 8 characters.
It must contain at least one alphabetic character.
It must contain at least one digit.
It must contain at least one non-alphanumeric symbol.
And for user:
It must only contain alphanumeric characters.
See related Bugzilla 1063639.
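The rules proposed in the description above, written out as a checker, as an added example that is not part of this bug report and not EAP's own `add-user` code. It assumes the four password rules and the alphanumeric-username rule exactly as listed, takes "alphanumeric" to mean ASCII letters and digits, and reports every violated rule at once rather than stopping at the first one (the behaviour the interactive mode is later said to provide). The rule names, messages and function names are illustrative assumptions.

```python
import string

# Constructed example of the password policy proposed in the description.
# The rules, limits and messages are assumptions for illustration, not
# EAP's add-user implementation.
MIN_PASSWORD_LENGTH = 8
ALPHA = set(string.ascii_letters)
DIGITS = set(string.digits)
ALNUM = ALPHA | DIGITS  # "alphanumeric" taken as ASCII letters and digits


def username_errors(username):
    """Return the list of rules the username violates (empty means valid)."""
    errors = []
    if not username:
        errors.append("username must not be empty")
    elif any(c not in ALNUM for c in username):
        errors.append("username must only contain alphanumeric characters")
    return errors


def password_errors(password, username=None):
    """Return every rule the password violates, in the order listed in the
    description, instead of stopping at the first failure."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("password must contain at least %d characters"
                      % MIN_PASSWORD_LENGTH)
    if not any(c in ALPHA for c in password):
        errors.append("password must contain at least one alphabetic character")
    if not any(c in DIGITS for c in password):
        errors.append("password must contain at least one digit")
    if not any(c not in ALNUM for c in password):
        errors.append("password must contain at least one non-alphanumeric symbol")
    # The old help text's only rule. Against a valid (purely alphanumeric)
    # username it can only fire when the symbol rule above has already
    # fired, since a password containing a symbol can never equal it.
    if username is not None and password == username:
        errors.append("password must not be the same as the username")
    return errors


def check_credentials(username, password):
    """Validate a username/password pair and report all violations together."""
    return {
        "username": username_errors(username),
        "password": password_errors(password, username=username),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("admin", "Passw0rd!"), ("admin", "admin"), ("ad-min", "short")]:
        print(user, repr(pw), check_credentials(user, pw))
```

Returning the full list of violations is what makes the difference between a one-line help hint and a usable error message: a caller can print all of them, or, as a CLI would, exit non-zero on the first non-empty list.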
I am going to ack this from the perspective of adding a little more information to the help output.
The requirements are actually calculated after reading a configuration file, so I am not entirely sure if we should output the exact requirements in the help text, but this text should at least reflect information on how we will decide what enforcements to make.
I'll ask people around security whether these are the correct requirements for user/password.
Re-working as EAP does not actually have a configurable password policy.
Follow up pull request submitted: -
But do also note -
At this point I have removed any output describing "requirements". Within EAP the requirements are not configurable, so it is potentially possible to update the error message with the statically defined requirements; however, to do the same would be much more complex upstream, as the configuration has to be analysed, which is something that does not happen at the time the message is output. This would be a problem meeting our upstream-first requirement and also an issue maintaining the behaviour if we port the configuration feature to EAP.
As a second point, users always have the option to use interactive mode if they want a guided experience; in that mode we will be showing all of the requirements at once.
Verified on EAP 6.3.0.DR6.
All password requirements were removed from help message.
The rest of the issue is covered by BZ928486 - Requirements for password should be shown at once.
Refactored release note text and marked for inclusion in the documentation.
Changed <literal></literal> tags in Doc Text to ticks (`) to fix Bug 1096865