This document explains how to configure the system to be more secure against unauthorized access by enforcing a complicated password policy. The rule forces the user to enter a password that matches a pre-defined, strict pattern string. If the password matches the pattern, processing continues; if not, an error message is thrown that tells the user the correct password pattern.

Flow : Functional achievement -

  • Forces the user to set a stronger login password.
  • The user's password is required to match a pre-defined pattern.
  • The password pattern is defined in a properties file (security.properties) so that it can be set by the company's administrator.
  • The password pattern can change as per the company's policy.
  • The system validates the password pattern in the following two scenarios -
    • New user creation
    • User password update

Configuration : How to configure -

To configure the pattern-driven password system, the following simple configuration is required -

  1. Configure the properties file - ofbiz/trunk/framework/security/config/security.properties
  2. Field name: security.login.password.pattern : the pattern string is provided here.
    A password pattern string is required.
    1. Default pattern string -
       ^.*(?=.{5,}).*$
      Validation : minimum password length 5 chars.
    2. An example - a sample pattern string for a complicated password
      Pattern string -
       ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
      Validation : the password must be at least 5 characters long, contain alphanumeric characters (digits optional) and at least one of the following special characters: !@#$%^&*.
  3. Alert message to be displayed in the UI
    Field name : security.login.password.pattern.description
    The message text should be a custom UI label string, provided as per the pattern description.
    OR
    A custom error message can be provided in the following UI label: "loginservices.password.pattern.errmsg"
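As an added example (not OFBiz's own code), the check below loads the two keys described above from a constructed security.properties fragment and validates candidate passwords against the page's sample pattern, returning the configured description on a mismatch; the class name, the fallback messages and the candidate passwords are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;

public class PasswordPatternCheck {

    // Constructed security.properties fragment using the keys named on this page.
    // A backslash is an escape character in a .properties file, so the regex is
    // written unescaped; "#" and "!" only start a comment at the beginning of a line.
    static final String SECURITY_PROPERTIES =
        "security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$\n"
      + "security.login.password.pattern.description=Password must be at least 5 characters long"
      + " and contain at least one letter and one of !@#$%^&*\n";

    private final Pattern pattern;
    private final String description;

    PasswordPatternCheck(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        // Fall back to the page's default pattern (minimum length 5) when the key is absent.
        String regex = props.getProperty("security.login.password.pattern", "^.*(?=.{5,}).*$");
        this.pattern = Pattern.compile(regex);
        // Assumed fallback text; the page leaves the description to the administrator.
        this.description = props.getProperty("security.login.password.pattern.description",
                "Password does not match the required pattern");
    }

    /** Returns null when the password is acceptable, otherwise the configured description. */
    String validate(String password) {
        // matches() requires the whole input to match, as the anchored pattern intends.
        if (password == null || !pattern.matcher(password).matches()) {
            return description;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        PasswordPatternCheck check = new PasswordPatternCheck(SECURITY_PROPERTIES);
        // Constructed candidates: accepted, too short, no special character, accepted.
        String[] candidates = { "abc1!", "a!", "abcde", "Str0ng#pass" };
        for (String candidate : candidates) {
            String err = check.validate(candidate);
            System.out.println(candidate + " -> " + (err == null ? "accepted" : "rejected: " + err));
        }
    }
}
```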

Testing : How to validate -

Password pattern validation can be done in the following two processes -

  1. New user registration
    After the above configuration is done, try to register a new user through the ecommerce or partymgr application. Internally the system checks the given password against the password pattern. If it matches, the user is created successfully; otherwise an error message is returned. The error message is the one configured above.
  2. Update profile - updating the password -
    When a user tries to update an existing password, the system validates the new password against the pattern and proceeds accordingly.

– A Tip from Sumit Pandit
– Thanks Jacques, Scott and Leon for their observations and contributions.