[jboss-jira] [JBoss JIRA] (AS7-2756) Implement username / password strength checks

Cheng Fang (JIRA) jira-events at lists.jboss.org
Tue Sep 25 11:34:35 EDT 2012 

    [ https://issues.jboss.org/browse/AS7-2756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12721505#comment-12721505 ] 

Cheng Fang edited comment on AS7-2756 at 9/25/12 11:34 AM:
-----------------------------------------------------------

Is the same strength check applied to management user?  I would assume management user passwords have more stringent requirement, at least should be the same as app user.  But I can create a management user using password that consists of all letters (more than 8 letters).

Can we validate the password immediately after the password is entered, before asking the user to enter a potentially useless password a second time, and before asking the user to assign a role.  Currently the validation kicks in after adding role:

Realm (ApplicationRealm) : 
Username : user1
Password : 
Re-enter Password : 
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: 

 * Error * 
JBAS015266: Password must not have atleast one digit.

The above error message is confusing, and that issue is tracked in AS7-5631
                
      was (Author: cfang):
    Is the same strength check applied to management user?  I would assume management user passwords have more stringent requirement, at least should be the same as app user.  But I can create a management user using password that consists of all letters (more than 8 letters).
                  
> Implement username / password strength checks
> ---------------------------------------------
>
>                 Key: AS7-2756
>                 URL: https://issues.jboss.org/browse/AS7-2756
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: Domain Management
>            Reporter: Darran Lofthouse
>            Assignee: Bartosz Baranowski
>             Fix For: 7.2.0.Alpha1, Open To Community
>
>         Attachments: 2756.patch
>
>
> The AS 7.1 distribution now contains a utility for adding new users to the property files, this utility contains some very basic checks of the username and password e.g. bad choices of username and disallowing passwords which match the username.
> This Jira is to implement a more advanced check to enforce complexity.
> I believe we should have something along the lines of a util that will take a username and password and will respond ACCEPT, REJECT, or WARN where WARN has a message to display to the user and the user an opportunity to ignore the warning or return to re-entry of the details.
> At some point in the future this could become a management operations so the implementation shouldn't be too constrained to the current command line tool.  
> As a management op we may also want to take into account the user making the request, i.e. a user changing their own password has tighter restrictions than the overall administrator.
> As the add user script is currently stand alone this may be a nice task for someone to undertake who would like to get more familiar with submitting an AS change without needing to get too involved with the internals of the application server at this stage.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list