Redwood Documentation


Database Authentication - Enforcing Password Policies

The database security scheme stores users in a table with their passwords encrypted. Users can change their passwords from the Configuration > Change Password dialog. To ensure that new passwords adhere to your password policies, you can have the system validate each password change with your own code.

Prerequisites

  • On-site environments only.
  • You must be using database authentication; when you use LDAP, you specify the password policy in your LDAP system.

Process Flow

  1. You create a method in a Custom_ library and set REL entry points.
  2. You configure the system to call your method every time the user changes his/her password.

Procedure

  1. Navigate to Scripting > Libraries, choose Create new Library Object from the context-menu, and fill a name into the Name field. Names must start with the Custom_ prefix.
  2. On the Sources tab, choose Add and specify your validation code.
  3. On the REL Entry Points tab, specify REL entry points to your validation method.
  4. Set the following registry entries:
     • /configuration/security/customValidationRelEntryPoint=Custom_<name>.<entry_point_method>(username,password)
     • /configuration/security/customValidationRunAsUser=<user>

Example

  1. Navigate to Scripting > Libraries.
  2. Choose Create a Library object from the context-menu and fill Custom_PasswdValidation into the Name field.
  3. On the Sources tab, choose Add and enter the code below into the Source field.
  4. On the REL Entry Points tab, fill the entry points as defined below.
  5. Choose Save & Close.
  6. Navigate to Configuration > Registry and choose New Registry Key by path from the context-menu of the overview.
  7. Fill /configuration/security/customValidationRelEntryPoint into the Path field and Custom_PasswdValidation.validate(username,password) into the Value field; choose Ok.
  8. Choose New Registry Key by path from the context-menu of the overview.
  9. Fill /configuration/security/customValidationRunAsUser into the Path field and admin into the Value field; choose Ok.

Example Code

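package pwValidate;

public class pwTest
{
  // Called by the system on every password change (see the REL entry point below).
  // Returns null when the password is acceptable, otherwise the message for the user.
  public String validate(final String userName, final String password)
  {
    // Lookaheads: length, lower case, upper case, digit, punctuation.
    // A password that contains the user name is rejected as well.
    if(! password.matches("(?=.{6,255})(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*\\p{Punct}).*") || password.indexOf(userName) > -1)
    {
      return "Password must be between 6 and 255 characters long and contain at least one digit, one punctuation sign "
      + "(!\"#$%&'()*+,-./:;<=>?@[]^_`{|}~\\), an upper and a lower case letter.\n Password may not contain the username.";
    }
    //password was legal, return null
    return null;
  }
}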

The important part here is the regular expression ((?=.{6,255})(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*\\p{Punct}).*):

  • (?=.{6,255}) - checks ahead (positive lookahead) for the length of the password; if you wanted 8 to 24 character passwords, for example, you would specify (?=.{8,24}) instead.
  • (?=.*[a-z]) - checks ahead for a lower case letter.
  • (?=.*[A-Z]) - checks ahead for an upper case letter.
  • (?=.*\\d) - checks ahead for a digit.
  • (?=.*\\p{Punct}) - checks ahead for a punctuation character according to the POSIX character class (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~); alternatively, you could specify (?=.*[,;:!?]) to allow only the characters between the square brackets [], in this case , ; : ! ?
  • .* - matches the whole password for the check; you could also specify ^.*$ instead. This is important and should remain last (the checks above look ahead at the characters matched by this last pattern)!

If you change the checks, the order of the lookaheads ((?=...)) does not matter; however, .* must be last. Ensure the returned message reflects your policy. Backslashes must be escaped (specify a double backslash \\).

You can see Regex Pattern for more information.
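Two edge cases of the example validator are worth checking before you adapt it: the length lookahead has no end anchor, so only the minimum length is enforced, and the username check is case-sensitive. The following stand-alone Java class is an added example, not Redwood code; the class name PolicyCheck, its method names, the user jdoe and the sample passwords are constructed for illustration. It runs the page's pattern next to a variant with $ inside the length lookahead and a case-insensitive username check.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.regex.Pattern;

// Added example, not Redwood code. PolicyCheck and its method names are hypothetical.
public class PolicyCheck
{
  // The page's pattern, unchanged: the length lookahead has no end anchor.
  static final Pattern PAGE = Pattern.compile(
      "(?=.{6,255})(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*\\p{Punct}).*");
  // Variant: "$" inside the length lookahead makes the upper bound effective.
  static final Pattern ANCHORED = Pattern.compile(
      "(?=.{6,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*\\p{Punct}).*");

  // Same decision as the page's validate(): true when the password is accepted.
  static boolean pageAccepts(String user, String pw)
  {
    return PAGE.matcher(pw).matches() && pw.indexOf(user) == -1;
  }

  // Variant: upper bound enforced, user name compared without regard to case,
  // null or empty input rejected explicitly.
  static boolean variantAccepts(String user, String pw)
  {
    if (user == null || user.isEmpty() || pw == null) return false;
    return ANCHORED.matcher(pw).matches()
        && !pw.toLowerCase(Locale.ROOT).contains(user.toLowerCase(Locale.ROOT));
  }

  public static void main(String[] args)
  {
    char[] pad = new char[300];
    Arrays.fill(pad, 'x');
    String tooLong = "Aa1!" + new String(pad);   // 304 characters
    // Constructed sample passwords, checked for the constructed user "jdoe".
    String[] samples = { "Sh0rt", "Tr1cky-Horse", "no-upper-1",
                         "Jdoe-2024!x", "jdoe-A1!xx", tooLong };
    for (String pw : samples)
    {
      String shown = pw.length() > 20 ? pw.substring(0, 20) + "..." : pw;
      System.out.printf("%-24s len=%3d page=%-5b variant=%b%n", shown,
          pw.length(), pageAccepts("jdoe", pw), variantAccepts("jdoe", pw));
    }
  }
}
```

In the listing, Jdoe-2024!x and the 304-character password are accepted by the page's check and rejected by the variant; the other four samples get the same result from both.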

Example REL Entry Points

Name=validate
FQ Class Name=pwValidate.pwTest
Method signature: validate(java.lang.String,java.lang.String)
