portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-548) Extending password policy to require alternate characters (eg 2 numbers along with 4 letters) will fail on auto-password generation for new user registration
Date Wed, 24 Mar 2010 15:35:27 GMT

    [ https://issues.apache.org/jira/browse/JS2-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849223#action_12849223 ]

Ate Douma commented on JS2-548:

I looked at this issue and see the problem.
However, providing a solution which automatically will honor password policy configuration
isn't so simple, especially not as the password validation (through the CredentialPasswordValidator)
itself is "pluggable".
Therefore, I'll provide a pluggable solution for the password generation itself too which
at least allows you to provide your own configuration/implementation which will match your
own password policy configuration. 

For this, I'll create a new interface, o.a.j.administration.PasswordGenerator and extract
the current implementation from AdminUtil into a new o.a.j.administration.SimplePasswordGeneratorImpl.
Furthermore, I'll extend the current implementation to support validating a generated password
against an optionally configured CredentialPasswordValidator. If it fails, it simply will
generate another one until it validates.
This might not be good enough for your use-case, but at least now you can either customize,
extend or replace this SimplePasswordGeneratorImpl as you desire to meet your needs.

> Extending password policy to require alternate characters (eg 2 numbers along with 4 letters) will fail on auto-password generation for new user registration
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>                 Key: JS2-548
>                 URL: https://issues.apache.org/jira/browse/JS2-548
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.0-FINAL
>         Environment: All environments
>            Reporter: Brad Svee
>            Assignee: Ate Douma
>            Priority: Minor
>             Fix For: 2.2.1
> The class org.apache.jetspeed.administration.AdminUtil in the Portal component has a
> generatePassword method that is used by the registration portlet to create an auto-generated
> password for new user registration. However that functionality doesn't take into account any
> additional password policy requirements, for example requiring at least 2 numbers in addition
> to several letters, in this case, probability allows for a high success rate on successfully
> generating proper passwords, but sometimes it will fail generating a password without any
> numbers. Additionally, the password policy to require a "funny" character #$@% will never
> allow a generated password to be created, because those characters are not in the password
> seed set. Eventually it would be nice to expose the password policy to the administration
> bean and generate new passwords with the password policy configuration in mind.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
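
The generate-and-validate loop discussed in this thread, as an added example that is not code from Jetspeed or from either participant. The class PolicyAwareGenerator, its seed sets, the retry bound and the two sample policies are assumptions made for illustration; a java.util.function.Predicate stands in for the pluggable validator.

```java
import java.security.SecureRandom;
import java.util.function.Predicate;

// Added illustration; PolicyAwareGenerator and its members are hypothetical names,
// not Jetspeed's PasswordGenerator or CredentialPasswordValidator API.
public class PolicyAwareGenerator {
    private static final String LETTERS = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ";
    private static final String DIGITS = "23456789";
    private static final int MAX_ATTEMPTS = 1000; // assumed bound on retries

    private final SecureRandom random = new SecureRandom();
    private final String seed;
    private final int length;
    private final Predicate<String> validator; // stands in for the pluggable validator

    public PolicyAwareGenerator(String seed, int length, Predicate<String> validator) {
        this.seed = seed; this.length = length; this.validator = validator;
    }

    /** Draw candidates until one validates; give up after MAX_ATTEMPTS. */
    public String generate() {
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            StringBuilder sb = new StringBuilder(length);
            for (int i = 0; i < length; i++) {
                sb.append(seed.charAt(random.nextInt(seed.length())));
            }
            String candidate = sb.toString();
            if (validator.test(candidate)) {
                return candidate;
            }
        }
        // Reached when the seed set cannot satisfy the policy at all.
        throw new IllegalStateException("no valid password after " + MAX_ATTEMPTS + " attempts");
    }

    public static void main(String[] args) {
        // Constructed policies matching the two cases in the issue report.
        Predicate<String> twoDigits = p -> p.chars().filter(Character::isDigit).count() >= 2;
        Predicate<String> needsSymbol = p -> p.chars().anyMatch(c -> "#$@%".indexOf(c) >= 0);
        // Satisfiable: digits are in the seed, so retrying converges quickly.
        System.out.println(new PolicyAwareGenerator(LETTERS + DIGITS, 8, twoDigits).generate());
        // Unsatisfiable: no symbol in the seed, so only the bound stops the loop.
        try {
            new PolicyAwareGenerator(LETTERS + DIGITS, 8, needsSymbol).generate();
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With an unbounded retry, the second case would spin forever, because no candidate drawn from a seed set without #$@% can ever pass a policy that requires one of them.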