[
https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429974#comment-13429974
]
Sumit Pandit commented on OFBIZ-4958:
-------------------------------------
Hi Scott, taking your comments. Rephrasing pattern string to make it less
restrictive.
The given patch will provide the following capabilities to the system -
* Admin can enable/disable the pattern-based password capability of the system.
Configuration will reside in the security.properties file.
** To enable : security.login.password.pattern.enable=true
** To disable: security.login.password.pattern.enable=false
* Admin is free to provide his own pattern string, making the pattern more/less
restrictive as per system requirements. Configuration will reside in the
security.properties file.
** To set password pattern string :
security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
*** Where ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$ is pattern string.
* Admin can provide a custom error message string which will be displayed to the end user
if a wrong password is entered. Configuration will reside in the security.properties
file.
** To set pattern message : security.login.password.pattern.description=Your
password must be 5 characters long, Only contains alphanumeric(numeric
optional) and at-least one of following special characters: !@#$%^&*.
* Recommendation :
Also, I think the pattern-based password policy should be disabled by default so that
the admin can enable it as a plug-in.
* Providing patch shortly.
* Please comment if you do not agree with disabling the pattern by default.
> Additional Validation for Password : Make password pattern driven
> ------------------------------------------------------------------
>
> Key: OFBIZ-4958
> URL: https://issues.apache.org/jira/browse/OFBIZ-4958
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: SVN trunk
> Reporter: Sumit Pandit
> Assignee: Jacques Le Roux
> Fix For: SVN trunk
>
> Attachments: OFBIZ-4958.patch
>
>
> Providing an additional validation for password -
> The idea is to achieve the following -
> * Insist that the user provide a stronger login password for additional protection.
> * User's password needs to match a pre-defined pattern.
> * Password pattern can change at any time.
> * Validation should be applied for new user creation and update password
> processes.
> --
> Thanks And Regards
> Sumit Pandit
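
Added example, not part of the original message or of the OFBiz patch: a stand-alone Java sketch of how the three proposed properties could drive a password check, so the regex can be run against sample passwords and compared with the wording of the description message. The class and method names, the constructed sample passwords, and the fall-back to "disabled" when the enable key is absent are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;

public class PasswordPatternCheck {
    // Constructed copy of the three settings proposed in the comment above.
    static final String SECURITY_PROPERTIES = String.join("\n",
        "security.login.password.pattern.enable=true",
        "security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$",
        "security.login.password.pattern.description=Your password must be 5 characters long, "
            + "Only contains alphanumeric(numeric optional) and at-least one of following "
            + "special characters: !@#$%^&*.");

    /** Returns null when the password is accepted, otherwise the configured message. */
    static String validate(Properties props, String password) {
        // Assumption: an absent enable key means the check is off.
        String enabled = props.getProperty("security.login.password.pattern.enable", "false");
        if (!Boolean.parseBoolean(enabled)) {
            return null;
        }
        String regex = props.getProperty("security.login.password.pattern");
        if (regex == null || regex.isEmpty()) {
            return null; // enabled but no pattern configured: nothing to enforce
        }
        // matches() anchors the whole input, as the ^...$ in the pattern also does.
        if (Pattern.compile(regex).matcher(password).matches()) {
            return null;
        }
        return props.getProperty("security.login.password.pattern.description");
    }

    public static void main(String[] args) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(SECURITY_PROPERTIES));

        // Constructed samples: too short, minimal valid, no letter, no special
        // character, and one containing spaces to probe the "only alphanumeric" wording.
        String[] samples = {"abc!", "abcd!", "12345!", "abcdef", "a b c d !"};
        for (String s : samples) {
            String message = validate(props, s);
            System.out.printf("%-12s %s%n", "[" + s + "]",
                message == null ? "accepted" : "rejected: " + message);
        }
    }
}
```

The lookaheads only require a minimum length, one letter and one listed special character; nothing in the pattern limits which other characters may appear.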