Info - Jira reference

OFBIZ-4958 - Additional Validation for Password : Make password pattern driven

Warning

Document is in progress

This document explains how to configure the system to be more secure against unauthorized access by enforcing a password policy. The policy is expressed as a pattern: the user is forced to enter a password that matches a pre-defined pattern string. If the password matches the pattern, the request proceeds normally; if not, an error message is thrown that tells the user what a correct password looks like.

Flow : Functional behavior

  • Forces the user to set a stronger login password.
  • The user's password is required to match a pre-defined pattern.
  • The password pattern is defined in a properties file (security.properties) so that it can be set by the company's administrator.
  • The password pattern can be changed as per the company's policy.
  • The system validates the password against the pattern in the following two scenarios:
    • New user creation
    • User updates password.

Configuration : How to configure

To configure the pattern driven password system, the following simple configuration is required:

  1. Configuration file - ofbiz/trunk/framework/security/config/security.properties
  2. Field name: security.login.password.pattern : the pattern string is provided here.
    A password pattern string is required. It is a regular expression; the examples below anchor it with ^ and $ so that the whole password must match, and the (?=...) lookaheads each impose one requirement.
    1. Default pattern string -
      Code Block
       ^.*(?=.{5,}).*$
      Validation : minimum password length 5 characters.
    2. An example - a sample pattern string for a complicated password
      Pattern String -
      Code Block
       ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
      Validation : the password must be at least 5 characters long, contain at least one letter (a-z or A-Z; digits are optional) and at least one of the following special characters: !@#$%^&*. Note that the pattern does not forbid any other characters; it only requires that these three conditions hold.
  3. Alert message to be displayed at the UI
    Field name : security.login.password.pattern.description
    The message text should be a custom UI label string describing the configured pattern, so that a rejected user knows what to fix.
    OR
    A custom error message can be provided in the following UI label: "loginservices.password.pattern.errmsg"
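The following is an added example, not OFBiz code, showing how the two properties above drive a validation check and what the sample "complicated password" pattern accepts and rejects. The class name PasswordPatternCheck and the inline properties text are constructed for illustration; the check uses java.util.regex as any Java-based validator would, and fails closed when the pattern is missing or malformed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example (hypothetical class, not part of OFBiz): reads the two keys
 * described on this page from security.properties-style text and validates
 * candidate passwords against the configured pattern.
 */
public class PasswordPatternCheck {

    // Constructed sample of the relevant part of security.properties.
    // The pattern is the "complicated password" example from this page.
    static final String SAMPLE_PROPERTIES =
        "security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$\n" +
        "security.login.password.pattern.description=" +
            "At least 5 characters, one letter and one of !@#$%^&*\n";

    private final Pattern pattern;
    private final String description;

    PasswordPatternCheck(Properties props) {
        String raw = props.getProperty("security.login.password.pattern", "").trim();
        // Fail closed: an absent or broken pattern is a misconfiguration, not a free pass.
        if (raw.isEmpty()) {
            throw new IllegalStateException("security.login.password.pattern is not set");
        }
        try {
            this.pattern = Pattern.compile(raw);
        } catch (PatternSyntaxException e) {
            throw new IllegalStateException(
                "security.login.password.pattern is not a valid regex: " + e.getDescription(), e);
        }
        this.description = props.getProperty("security.login.password.pattern.description",
            "Password does not match the configured pattern");
    }

    /** Returns null when the password is acceptable, otherwise the message to show the user. */
    String validate(String password) {
        if (password == null) {
            return description;
        }
        // matches() requires the whole string to match. With the leading ^.* the
        // lookaheads are tried from position 0 first, so (?=.{5,}) is effectively a
        // check on the total length and the other lookaheads scan the whole password.
        return pattern.matcher(password).matches() ? null : description;
    }

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        PasswordPatternCheck check = new PasswordPatternCheck(load(SAMPLE_PROPERTIES));
        String[] candidates = {
            "ab!de",      // 5 chars, a letter and a special char: accepted
            "ab!d",       // only 4 chars: rejected
            "12345!",     // no letter: rejected
            "abcdef",     // no special char: rejected
            "ofbiz#2012"  // accepted
        };
        for (String c : candidates) {
            String err = check.validate(c);
            System.out.printf("%-12s -> %s%n", c, err == null ? "OK" : "REJECTED: " + err);
        }
    }
}
```

Two practical caveats when editing the real properties file. First, java.util.Properties treats a backslash in a value as an escape character, so a pattern that uses classes such as \d or \s must be written with doubled backslashes (\\d, \\s) if the file is loaded with those semantics; the two patterns on this page contain no backslashes and are unaffected. Second, keep security.login.password.pattern.description in step with the pattern: the message is the only feedback a rejected user gets, and the validator itself never explains which lookahead failed.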

Testing : How to validate

Password pattern validation can be exercised in the following two ways:

  1. New user registration
    After the above configuration is done, try to register a new user through the ecommerce or partymgr application. Internally the system checks the given password against the password pattern. If it matches, the user is created successfully; otherwise the system returns the error message text configured above.
  2. Update profile - updating the password
    When a user tries to update an existing password, the system validates the new password against the pattern and proceeds accordingly.

– A Tip from Sumit Pandit
– Thanks Jacques, Scott and Leon for their observations and contributions.