
This document explains how to make the system more secure against unauthorized access by configuring a password policy. The policy forces the user to choose a password that matches a pre-defined pattern. If the password matches the pattern it is accepted; if not, the system throws an error message telling the user what the correct pattern is.

Functional behavior-

  • Insists that the user provide a stronger login password.
  • The user's password is required to match a pre-defined pattern.
  • The password pattern is defined in a properties file (security.properties) so that it can be set by the company's administrator.
  • The password pattern can be changed as per the company's policy.
  • The system validates the password pattern in the following two scenarios -
    • New user creation
    • User updates password.

How to configure-

To configure the pattern-driven password system, the following simple configuration is required-

  1. Properties file configuration - ofbiz/trunk/framework/security/config/security.properties
  2. Field name: security.login.password.pattern : the pattern string (a regular expression) is provided here.
    A password pattern string is required.
    1. Default pattern string - ^.*(?=.{5,}).*$
      Validation : minimum password length 5 characters.
      1. An example - a sample pattern string for a complicated password
        Pattern string - ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
        Validation : the password must be at least 5 characters long, contain at least one letter (digits optional) and at least one of the following special characters: !@#$%^&*.
  3. Alert message to be displayed in the UI
    Field name : security.login.password.pattern.description
    The message text should be a custom UI label string describing the required pattern.
    OR
    A custom error message can go into the following UI label: "loginservices.password.pattern.errmsg"

How to Validate-

Password pattern validation is performed in the following two places -

  1. New User Registration
    After the above configuration is done, register a new user through the ecommerce or partymgr application; internally the system checks the given password against the password pattern. If it matches, the user is created successfully; otherwise the custom error message text specified above is returned.
  2. Update profile - Updating password-
    When a user tries to update an existing password, the system validates the new password against the pattern in the same way.
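The following added example (not part of this wiki page, and not OFBiz's own Java code) shows in Python how the two pattern strings above behave and how the configured description is used as the error text in both scenarios. It assumes a minimal reading of security.properties (comments and key=value lines only; the real Java properties format also handles escapes and continuations) and uses a constructed excerpt of that file with the key names given on this page.

```python
import re

# Constructed excerpt in the shape of security.properties (keys as on the page;
# the first pattern is the page's default, the second its stricter sample).
SECURITY_PROPERTIES = """
# default pattern: minimum length 5 (commented out here, the stricter one is active)
#security.login.password.pattern=^.*(?=.{5,}).*$
security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
security.login.password.pattern.description=Password must be at least 5 characters long and contain at least one letter and one of !@#$%^&*
"""

DEFAULT_PATTERN = r"^.*(?=.{5,}).*$"          # page's default: length >= 5
STRICT_PATTERN = r"^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$"


def parse_properties(text):
    """Minimal key=value parser (assumption: no escapes or line continuations).

    The first '=' separates key and value, so '=' inside the lookaheads of
    the pattern value is preserved intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def matches_pattern(pattern, password):
    """True when the whole password satisfies the anchored pattern.

    ^.*(?=.{5,}) works by backtracking: the greedy .* gives characters back
    until at least five remain ahead of the cursor, so it only succeeds when
    the password is at least five characters long; each extra (?=.*[...])
    lookahead independently demands one character from its class."""
    return re.match(pattern, password) is not None


def check_password(password, props):
    """Validate as on new-user creation or password update.

    Returns None when the password is acceptable, otherwise the configured
    description text to be shown to the user (a fallback message is used if
    the description key is missing, which is an assumption of this example)."""
    pattern = props.get("security.login.password.pattern")
    if not pattern:
        return None  # no pattern configured: nothing to enforce
    if matches_pattern(pattern, password):
        return None
    return props.get(
        "security.login.password.pattern.description",
        "Password does not match the required pattern",
    )


def update_password(current, new, props):
    """Update-profile scenario: only the new password is checked against the pattern."""
    if current == new:
        return "New password must differ from the current one"  # example policy, not from the page
    return check_password(new, props)


if __name__ == "__main__":
    props = parse_properties(SECURITY_PROPERTIES)
    for candidate in ["abc", "abcde", "12345!", "abc!e"]:
        print(repr(candidate), "->", check_password(candidate, props) or "ok")
    print("default pattern on 'abcd':", matches_pattern(DEFAULT_PATTERN, "abcd"))
```

Running the script prints the description for the three rejected candidates ("abc" is too short, "abcde" lacks a special character, "12345!" lacks a letter) and "ok" for "abc!e", which mirrors what the UI label above would display when registration or a profile update is refused.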