[jboss-jira] [JBoss JIRA] (ELY-376) Password policies

David Lloyd (JIRA) issues at jboss.org
Tue Nov 24 07:28:00 EST 2015


    [ https://issues.jboss.org/browse/ELY-376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133155#comment-13133155 ] 

David Lloyd commented on ELY-376:
---------------------------------

I assume that I wasn't intentionally the assignee here, but either way, I'll give some design opinion. :-)

This, ELY-369, and other things that have come up in discussion are all pointing to a policy layer above the realm where such things could be implemented.  SecurityDomain is the logical target given that the original intention of it was to aggregate all policy (something we've adhered to reasonably well thus far).  However there are limits to what we're equipped to support there at present; for example we have no structural mechanism to accommodate password history.  That is something that would need special support in the realm.  But checking things like password complexity measurement, valid/invalid characters (SASLPrep maybe getting involved here), expiration, and length are all possible.

That said, if we do take this on, as a public service we should forbid or warn about foolish policies, e.g. policies which restrict password length to a short length like 8 or 10 yet require a high password complexity.

> Password policies
> -----------------
>
>                 Key: ELY-376
>                 URL: https://issues.jboss.org/browse/ELY-376
>             Project: WildFly Elytron
>          Issue Type: Feature Request
>          Components: API / SPI, Passwords, Realms
>            Reporter: Darran Lofthouse
>            Assignee: David Lloyd
>             Fix For: 1.1.0.Beta3
>
>
> Probably needs a design discussion first but we need to review where password policies fit in to the overall solution.
> We may say that policy handling is really the responsibility of the actual realm implementation, after all items such as history are going to be very realm specific.
> However there may also be a case in the generic sense that where a modifiable realm is in use a policy is desired to cover the complexity of any passwords set on that realm.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
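Editor's note: the sketch below is an added illustration of the design the comment above argues for, a policy layer above the realm that can enforce length, character set, complexity and expiry on its own, while history has to be supplied by the realm through a hook, and a sanity check that warns about foolish policies such as a short maximum length combined with high complexity. It is not WildFly Elytron code and none of the names (PasswordPolicySketch, Policy, PasswordHistory, InMemoryHistory, sanityWarnings, violations) exist in Elytron; they are assumptions made for this example, and the control-character test is only a crude stand-in for SASLPrep (RFC 4013).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Hypothetical sketch of a policy layer above a realm; none of these types exist in Elytron. */
public final class PasswordPolicySketch {

    /** History cannot be checked generically: only the realm holds old credentials, so the realm must supply this. */
    interface PasswordHistory {
        boolean wasUsedRecently(String principal, char[] candidate);
        void record(String principal, char[] password);
    }

    /** Toy realm-side history keeping the last N SHA-256 digests; a real realm would reuse its own salted hashes. */
    static final class InMemoryHistory implements PasswordHistory {
        private final int depth;
        private final Map<String, List<String>> digests = new HashMap<>();
        InMemoryHistory(int depth) { this.depth = depth; }
        public boolean wasUsedRecently(String principal, char[] candidate) {
            return digests.getOrDefault(principal, new ArrayList<>()).contains(digest(candidate));
        }
        public void record(String principal, char[] password) {
            List<String> l = digests.computeIfAbsent(principal, k -> new ArrayList<>());
            l.add(digest(password));
            while (l.size() > depth) l.remove(0);
        }
        private static String digest(char[] pw) {
            try {
                byte[] d = MessageDigest.getInstance("SHA-256").digest(new String(pw).getBytes(StandardCharsets.UTF_8));
                StringBuilder sb = new StringBuilder();
                for (byte b : d) sb.append(String.format("%02x", b));
                return sb.toString();
            } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
    }

    static final class Policy {
        final int minLength, maxLength, requiredClasses, maxAgeDays;
        Policy(int minLength, int maxLength, int requiredClasses, int maxAgeDays) {
            this.minLength = minLength; this.maxLength = maxLength;
            this.requiredClasses = requiredClasses; this.maxAgeDays = maxAgeDays;
        }

        /** The "public service" check: flag policies that are foolish before they are deployed. */
        List<String> sanityWarnings() {
            List<String> w = new ArrayList<>();
            if (minLength > maxLength) w.add("minLength " + minLength + " exceeds maxLength " + maxLength);
            if (requiredClasses > 4) w.add("requiredClasses " + requiredClasses + " cannot be met: only 4 classes exist");
            if (maxLength <= 10 && requiredClasses >= 3)
                w.add("maxLength " + maxLength + " with " + requiredClasses
                        + " required classes forces short, patterned passwords");
            return w;
        }

        /** Checks the policy layer can do without realm support: length, character set, complexity, expiry. */
        List<String> violations(char[] pw, long changedEpochDay, long nowEpochDay) {
            List<String> v = new ArrayList<>();
            if (pw.length < minLength) v.add("shorter than " + minLength);
            if (pw.length > maxLength) v.add("longer than " + maxLength);
            if (hasProhibitedChars(pw)) v.add("contains control or format characters");
            if (characterClasses(pw) < requiredClasses) v.add("fewer than " + requiredClasses + " character classes");
            if (nowEpochDay - changedEpochDay > maxAgeDays) v.add("older than " + maxAgeDays + " days");
            return v;
        }
    }

    /** Counts lower, upper, digit and other as the four classes. */
    static int characterClasses(char[] pw) {
        Set<String> seen = new HashSet<>();
        for (char c : pw) {
            if (Character.isLowerCase(c)) seen.add("lower");
            else if (Character.isUpperCase(c)) seen.add("upper");
            else if (Character.isDigit(c)) seen.add("digit");
            else seen.add("other");
        }
        return seen.size();
    }

    /** Crude stand-in for SASLPrep (RFC 4013): reject control and format characters only. */
    static boolean hasProhibitedChars(char[] pw) {
        for (char c : pw) {
            if (Character.isISOControl(c) || Character.getType(c) == Character.FORMAT) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Policy foolish = new Policy(8, 8, 4, 90);            // fixed 8 chars, all four classes required
        System.out.println("foolish policy warnings: " + foolish.sanityWarnings());

        Policy sane = new Policy(12, 128, 1, 365);
        InMemoryHistory history = new InMemoryHistory(5);    // realm-provided hook
        char[] pw = "correct horse battery staple".toCharArray();  // constructed sample input
        System.out.println("violations: " + sane.violations(pw, 0, 10));
        history.record("alice", pw);
        System.out.println("reuse rejected by realm history: " + history.wasUsedRecently("alice", pw));
        Arrays.fill(pw, '\0');                               // scrub the cleartext after use
    }
}
```

The split mirrors the comment: everything in Policy can run in a SecurityDomain-level layer with no knowledge of how credentials are stored, whereas InMemoryHistory stands in for the realm-specific support that history needs. Running main prints a warning for the 8-character, four-class policy, no violations for the passphrase under the sane policy, and true for the reuse check once the password has been recorded.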

