Bug 973835 - Allow customers to customize login validation and accounts expiration
Status: VERIFIED
Product: JBoss Enterprise Portal Platform 6
Classification: JBoss
Component: Portal
6.0.0
Unspecified Unspecified
unspecified Severity low
: DR01
: 6.2.0
Assigned To: Juraci Paixão Kröhling
6_2 In_Progress
Blocks: 1072150
Reported: 2013-06-12 17:51 EDT by William Antônio
Modified: 2015-03-13 04:15 EDT

Doc Type: Enhancement
Doc Text:
Previously, the password policy for JBoss Portal was static, and could not be customized. Portal administrators could not adjust the policy based on their requirements. The fix implements a configuration option that allows an Administrator to override the default validation by specifying custom password policies through the configuration.properties file.
: 1072150
Type: Feature Request
External Trackers
Tracker: JBoss Issue Tracker
ID: GTNPORTAL-3402
Priority: Major
Status: Resolved
Summary: Allow customers to customize login validation and accounts expiration
Last Updated: 2017-08-03 06:58 EDT

Description William Antônio 2013-06-12 17:51:18 EDT
Description of problem:

Currently EPP/JPP only validates passwords by String length. It forces the length to be 6-30. 

   addUIFormInput(new UIFormStringInput(PASSWORD, PASSWORD, null).setType(UIFormStringInput.PASSWORD_TYPE)
      .addValidator(MandatoryValidator.class).addValidator(PasswordStringLengthValidator.class, 6, 30));

   addUIFormInput(new UIFormStringInput(CONFIRM_PASSWORD, CONFIRM_PASSWORD, null).setType(UIFormStringInput.PASSWORD_TYPE)
      .addValidator(MandatoryValidator.class).addValidator(PasswordStringLengthValidator.class, 6, 30));


Some customers' requirements are to add other types of validation as well. For example:

- Measure password strength;
- rules for password.

Other features to the security in general could be added:

- Account and password expiration. 

This RFE is to allow customers to add custom password rules to their JPP installation and also allow account and password expiration settings.
Comment 3 Boleslaw Dawidowicz 2014-01-09 05:41:11 EST
We need to discuss this one with Marek Posolda and decide if it should be done in OrganizationService or at the PicketLink IDM level.
Comment 4 Juraci Paixão Kröhling 2014-01-22 10:39:00 EST
Regarding the second part of the ticket (account/password expiration), it's being tracked in another Bugzilla and bdaw can provide more details about it. 

About the first part, about customizing the rules for password validation, we've had a discussion about the possibilities, and it seems that the best for now would be something as follows:

1) Adapt/extend the current UserConfigurableValidator, which allows the usage of min/max/regex constraints for values based on values from a configuration file, for instance:

gatein.validators.mycompanypasspolicy.length.min=5
gatein.validators.mycompanypasspolicy.length.max=50
gatein.validators.mycompanypasspolicy.regexp=...

2) Extend the User Interface to allow the administrator to enter the name of the configuration entry related to the password policy (mycompanypasspolicy , in this case). 

If this sounds reasonable, I'll go ahead and implement a proposal for this feature.
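
One way the configuration entries proposed in Comment 4 could be read and enforced, as an added Java example that is not GateIn's code. The class name PasswordPolicy, the fallback to the 6-30 range quoted in the description, the full-match semantics and the sample regexp value are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;

// Added illustration; PasswordPolicy is a hypothetical class, not GateIn's UserConfigurableValidator.
public class PasswordPolicy {
    private static final String PREFIX = "gatein.validators.";
    private final int min, max;
    private final Pattern regexp; // null when the policy defines no regexp

    PasswordPolicy(Properties p, String name) {
        // Assumption: missing keys fall back to the 6-30 length range quoted in the description.
        min = Integer.parseInt(p.getProperty(PREFIX + name + ".length.min", "6"));
        max = Integer.parseInt(p.getProperty(PREFIX + name + ".length.max", "30"));
        if (min < 1 || max < min) {
            throw new IllegalArgumentException("bad length range for policy " + name);
        }
        String re = p.getProperty(PREFIX + name + ".regexp");
        // Pattern.compile throws PatternSyntaxException on a malformed expression, so a typo
        // in the file fails at load time instead of silently accepting every password.
        regexp = (re == null) ? null : Pattern.compile(re);
    }

    boolean accepts(String password) {
        if (password == null) return false;
        int len = password.codePointCount(0, password.length());
        if (len < min || len > max) return false;
        // matches() anchors at both ends; find() would accept any password containing a match.
        return regexp == null || regexp.matcher(password).matches();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration: require lower case, upper case and a digit.
        String conf = String.join("\n",
            "gatein.validators.mycompanypasspolicy.length.min=5",
            "gatein.validators.mycompanypasspolicy.length.max=50",
            "gatein.validators.mycompanypasspolicy.regexp=(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*");
        Properties props = new Properties();
        props.load(new StringReader(conf));
        PasswordPolicy policy = new PasswordPolicy(props, "mycompanypasspolicy");
        for (String pw : new String[] {"Ab1", "alllowercase1", "Correct7Horse"}) {
            System.out.printf("%-16s %s%n", pw, policy.accepts(pw) ? "accepted" : "rejected");
        }
    }
}
```

A regexp that uses backslash classes such as \d has to double the backslash in a .properties file, which is why the constructed sample uses [0-9].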
Comment 5 William Antônio 2014-01-22 11:26:38 EST
I believe that the regexp approach would cover customers' requirements!

It sounds good to me.
Comment 6 Juraci Paixão Kröhling 2014-03-04 12:18:57 EST
PR: https://github.com/gatein/gatein-portal/pull/796
Comment 7 Peter Palaga 2014-03-11 07:24:10 EDT
The above PR was merged in upstream.
Comment 8 Tomas Kyjovsky 2014-05-28 16:15:47 EDT
I tried to apply a few custom policies via .../gatein/configuration.properties and it worked fine.

@Juraci Do you have the BZ # for the admin UI for selecting the policies?
Comment 10 Juraci Paixão Kröhling 2014-09-02 09:58:38 EDT
Jared,

I've just added a new page to the GateIn documentation, under "Configuration > Configuration of custom data validators", but I'm not sure it's in the right place.

https://docs.jboss.org/author/display/GTNPORTAL38/Custom+password+policy

Would you please review, and let me know if there's anything else pending for me?
