[
https://issues.jboss.org/browse/ELY-376?page=com.atlassian.jira.plugin.sy...
]
David Lloyd commented on ELY-376:
---------------------------------
I assume that I wasn't intentionally the assignee here, but either way, I'll give
some design opinion. :-)
This, ELY-369, and other things that have come up in discussion are all pointing to a
policy layer above the realm where such things could be implemented. SecurityDomain is
the logical target given that the original intention of it was to aggregate all policy
(something we've adhered to reasonably well thus far). However there are limits to
what we're equipped to support there at present; for example we have no structural
mechanism to accommodate password history. That is something that would need special
support in the realm. But checking things like password complexity measurement,
valid/invalid characters (SASLPrep maybe getting involved here), expiration, and length
are all possible.
That said, if we do take this on, as a public service we should forbid or warn about
foolish policies, e.g. policies which restrict password length to a short length like 8 or
10 yet require a high password complexity.
Password policies
-----------------
Key: ELY-376
URL:
https://issues.jboss.org/browse/ELY-376
Project: WildFly Elytron
Issue Type: Feature Request
Components: API / SPI, Passwords, Realms
Reporter: Darran Lofthouse
Assignee: David Lloyd
Fix For: 1.1.0.Beta3
Probably needs a design discussion first but we need to review where password policies
fit in to the overall solution.
We may say that policy handling is really the responsibility of the actual realm
implementation, after all items such as history are going to be very realm specific.
However there may also be a case in the generic sense that where a modifiable realm is in
use a policy is desired to cover the complexity of any passwords set on that realm.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)