
Extending password policy to require alternate characters (e.g. 2 numbers along with 4 letters) will fail on auto-password generation for new user registration

Details

• Type: Bug
• Status: Closed
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: 2.0-FINAL
• Fix Version/s: 2.2.1
• Component/s: Security
• Labels: None
• Environment: All environments

Description

The class org.apache.jetspeed.administration.AdminUtil in the Portal component has a generatePassword method that is used by the registration portlet to create an auto-generated password for new user registration. However, that functionality doesn't take into account any additional password policy requirements, for example requiring at least 2 numbers in addition to several letters. In this case, probability allows for a high success rate on successfully generating proper passwords, but sometimes it will fail, generating a password without any numbers. Additionally, a password policy requiring a "funny" character #$@% will never allow a generated password to be created, because those characters are not in the password seed set. Eventually it would be nice to expose the password policy to the administration bean and generate new passwords with the password policy configuration in mind.

        Activity

Ate Douma added a comment -

Let's revisit this issue for the 2.2.1 release (not sure if it's still valid at all though)
Ate Douma added a comment -

I looked at this issue and see the problem.
However, providing a solution which automatically will honor password policy configuration isn't so simple, especially not as the password validation (through the CredentialPasswordValidator) itself is "pluggable".
Therefore, I'll provide a pluggable solution for the password generation itself too which at least allows you to provide your own configuration/implementation which will match your own password policy configuration.

For this, I'll create a new interface, o.a.j.administration.PasswordGenerator and extract the current implementation from AdminUtil into a new o.a.j.administration.SimplePasswordGeneratorImpl.
Furthermore, I'll extend the current implementation to support validating a generated password against an optionally configured CredentialPasswordValidator. If it fails, it simply will generate another one until it validates.
This might not be good enough for your use-case, but at least now you can either customize, extend or replace this SimplePasswordGeneratorImpl as you desire to meet your needs.
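Added illustration (not Jetspeed's own code) of the generate-validate-retry design described in the comment above: the seed set includes the "funny" characters from the report, each candidate is checked against a pluggable policy, and an attempt cap makes a policy the seed set cannot satisfy fail loudly instead of looping forever. The class name, `examplePolicy` and the `Predicate<String>` standing in for CredentialPasswordValidator are assumptions.

```java
import java.security.SecureRandom;
import java.util.function.Predicate;

// Hypothetical generator following the design described above: draw from a seed set,
// validate against a pluggable policy, regenerate until it passes. Names are assumptions.
public final class PolicyAwarePasswordGenerator {
    // The seed set must cover every character class a policy may demand; a policy
    // requiring "#$@%" can never be satisfied from a letters-and-digits seed set.
    private static final String LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String DIGITS = "0123456789";
    private static final String SPECIALS = "#$@%";
    private static final String SEED = LETTERS + DIGITS + SPECIALS;
    private final SecureRandom random = new SecureRandom();
    private final Predicate<String> policy; // stands in for CredentialPasswordValidator
    private final int maxAttempts;

    public PolicyAwarePasswordGenerator(Predicate<String> policy, int maxAttempts) {
        this.policy = policy;
        this.maxAttempts = maxAttempts;
    }

    // Retry until the policy accepts a candidate. The attempt cap turns an
    // unsatisfiable policy into a clear failure instead of an endless loop.
    public String generatePassword(int length) {
        for (int attempt = 0; attempt < maxAttempts; attempt++) {
            String candidate = randomString(length);
            if (policy.test(candidate)) return candidate;
        }
        throw new IllegalStateException("no policy-conformant password after " + maxAttempts + " attempts");
    }

    private String randomString(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(SEED.charAt(random.nextInt(SEED.length())));
        return sb.toString();
    }

    // Example policy from the report: at least 2 digits and 4 letters, plus one "funny" character.
    public static boolean examplePolicy(String pw) {
        long digits = pw.chars().filter(Character::isDigit).count();
        long letters = pw.chars().filter(Character::isLetter).count();
        long specials = pw.chars().filter(c -> SPECIALS.indexOf(c) >= 0).count();
        return digits >= 2 && letters >= 4 && specials >= 1;
    }

    public static void main(String[] args) {
        PolicyAwarePasswordGenerator gen = new PolicyAwarePasswordGenerator(PolicyAwarePasswordGenerator::examplePolicy, 1000);
        System.out.println(gen.generatePassword(10));
    }
}
```

Removing SPECIALS from SEED while keeping the same policy reproduces the reported failure mode: every attempt is rejected and the cap is hit.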
Ate Douma added a comment -

Above proposed solution committed.

People

• Assignee: Ate Douma
• Reporter: Brad Svee