A slightly modified patch from Sumit Pandit for "Additional Validatio…

…n for Password : Make password pattern driven" https://issues.apache.org/jira/browse/OFBIZ-4958

Provides an additional validation for password  with following capability to the system:

Admin can enable/disable pattern based password capability of system. Configuration will reside in security.property file.
 To enable : security.login.password.pattern.enable=true
 To disable: security.login.password.pattern.enable=false

Admin can supply their own pattern string, making it more or less restrictive as the system requires. Configuration will reside in the security.properties file.
 Example: security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$

Admin can provide a custom error message string which will be displayed to the end user if a new password that does not match the pattern is entered. Configuration will reside in the security.properties file.

jleroux: I quickly handled the error message localisation for the OOTB case. It's more complicated when the pattern gets complex...


git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk@1418996 13f79535-47bb-0310-9956-ffa450edef68
commit 207a145c22bccb8d990d87f076e8c52fdb5f591b 1 parent c7c247e
Jacques Le Roux authored
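--- a/framework/common/config/SecurityextUiLabels.xml
+++ b/framework/common/config/SecurityextUiLabels.xml
@@ -752,6 +752,13 @@
 <value xml:lang="en">Password Reminder (${userLoginId})".</value>
 <value xml:lang="fr">Rappel du mot de passe (${userLoginId})".</value>
 </property>
+ <property key="loginservices.password.pattern.errmsg">
+ <value xml:lang="ar">كلمة السر ليست مطابقة للنمط، يرجى الرجوع النمط التالي: ${passwordPatternMessage}</value>
+ <value xml:lang="en">The password does not match the pattern: ${passwordPatternMessage} </value>
+ <value xml:lang="fr">Le mot de passe ne correspond pas au modèle: ${passwordPatternMessage}.</value>
+ <value xml:lang="hi_IN">पासवर्ड पैटर्न मिलान नहीं है, कृपया निम्नलिखित पैटर्न देखें: ${passwordPatternMessage}</value>
+ <value xml:lang="it">La password non è corrispondente al modello, fare riferimento seguente schema: ${passwordPatternMessage}.</value>
+ </property>
 <property key="loginservices.since_datetime">
 <value xml:lang="de">(seit ${disabledDateTime})</value>
 <value xml:lang="en">since ${disabledDateTime}.</value>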
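--- a/framework/common/src/org/ofbiz/common/login/LoginServices.java
+++ b/framework/common/src/org/ofbiz/common/login/LoginServices.java
@@ -23,6 +23,8 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.transaction.Transaction;
@@ -62,6 +64,8 @@
 public static final String module = LoginServices.class.getName();
 public static final String resource = "SecurityextUiLabels";
+ public static boolean usePasswordPattern = "true".equals(UtilProperties.getPropertyValue("security.properties", "security.login.password.pattern.enable"));
+ public static String passwordPattern = UtilProperties.getPropertyValue("security.properties", "security.login.password.pattern");
 /** Login service to authenticate username and password
 * @return Map of results including (userLogin) GenericValue object
@@ -954,10 +958,27 @@ public static void checkNewPassword(GenericValue userLogin, String currentPasswo
 }
 if (newPassword != null) {
- if (!(newPassword.length() >= minPasswordLength)) {
- Map<String, String> messageMap = UtilMisc.toMap("minPasswordLength", Integer.toString(minPasswordLength));
- errMsg = UtilProperties.getMessage(resource,"loginservices.password_must_be_least_characters_long", messageMap, locale);
- errorMessageList.add(errMsg);
+ // Matching password with pattern
+ if (usePasswordPattern) {
+ Pattern pattern = Pattern.compile(passwordPattern);
+ Matcher matcher = pattern.matcher(newPassword);
+ boolean matched = matcher.matches();
+ if (!matched) {
+ // This is a mix to handle the OOTB pattern which is only a fixed length
+ Map<String, String> messageMap = UtilMisc.toMap("minPasswordLength", Integer.toString(minPasswordLength));
+ String passwordPatternMessage = UtilProperties.getPropertyValue("security.properties",
+ "security.login.password.pattern.description", "loginservices.password_must_be_least_characters_long");
+ errMsg = UtilProperties.getMessage(resource, passwordPatternMessage, messageMap, locale);
+ messageMap = UtilMisc.toMap("passwordPatternMessage", errMsg);
+ errMsg = UtilProperties.getMessage(resource,"loginservices.password.pattern.errmsg", messageMap, locale);
+ errorMessageList.add(errMsg);
+ }
+ } else {
+ if (!(newPassword.length() >= minPasswordLength)) {
+ Map<String, String> messageMap = UtilMisc.toMap("minPasswordLength", Integer.toString(minPasswordLength));
+ errMsg = UtilProperties.getMessage(resource,"loginservices.password_must_be_least_characters_long", messageMap, locale);
+ errorMessageList.add(errMsg);
+ }
 }
 if (userLogin != null && newPassword.equalsIgnoreCase(userLogin.getString("userLoginId"))) {
 errMsg = UtilProperties.getMessage(resource,"loginservices.password_may_not_equal_username", locale);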
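Review bot: With `security.login.password.pattern.enable=true` (the shipped default) the `else` branch in checkNewPassword means `password.length.min` is no longer enforced at all — the only length floor is whatever the admin's regex happens to encode, so raising `password.length.min` to 8 while keeping the OOTB `{5,}` pattern produces an error message that names 8 while 5-character passwords are accepted. Keep the numeric floor in force on both paths, e.g. `if (!matched || newPassword.length() < minPasswordLength) {` in the pattern branch. Separately, `Pattern.compile(passwordPattern)` runs on every call and is never guarded: a malformed property throws PatternSyntaxException out of checkNewPassword instead of yielding a validation error, and an absent property gives either an NPE or an empty pattern that rejects every password, depending on what UtilProperties.getPropertyValue returns for a missing key — compile it once as a `private static final Pattern` and decide explicitly whether a missing/invalid pattern fails closed. The two new non-final `public static` fields would be better `private static final` since nothing in the hunk reassigns them. checkNewPassword's signature and the remainder of its body are outside this hunk.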
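--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -26,6 +26,33 @@ security.context=default
 # -- define the password restrictions --
 password.length.min=5
+### -- pattern based password OFBIZ-4958
+security.login.password.pattern.enable=true
+security.login.password.pattern=^.*(?=.{5,}).*$
+# This is a mix to handle the localisation of the OOTB pattern which is only a fixed length
+security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
+# -- For More restrictive pattern you can use the following, no localisation-
+#security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
+#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
+# Only contains alphanumeric and the following special characters: !@#$%^&*
+# Contains at least 1 of the special characters in the list above
+# The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
+# minimum length 5 digit.
+# HELP
+# Start of group
+# (
+# (?=.*\d) # must contains one digit from 0-9
+# (?=.*[a-z]) # must contains one lowercase characters
+# (?=.*[A-Z]) # must contains one uppercase characters
+# (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*"
+# . # match anything with previous condition checking
+# {5,20} # length at least 5 characters and maximum of 20
+# {5,} # minimum length 5 chars and no linitation to max length.
+# )
+# End of group
+# For further password patterns look at
+# http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum
+
 # -- disable the account after this many logins --
 max.failed.logins=3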
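Review bot: The commented description for the "more restrictive" example (`Only contains alphanumeric ... and the following special characters`) does not match the regex it accompanies: `^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$` only asserts that a letter and one listed symbol are present and otherwise accepts any character, so a user shown that text through `security.login.password.pattern.description` is told a restriction that is not enforced. Reword it to `Your password must be at least 5 characters long and contain at least one letter and one of the special characters !@#$%^&*`. Because the LoginServices change in this commit skips the numeric `password.length.min` check whenever the pattern is enabled — and it is enabled by default here — add a line beside the pattern such as `# When security.login.password.pattern.enable=true the pattern alone sets the minimum length; keep {5,} in step with password.length.min`. The `{5,20}` form in the HELP block should not be offered as a recommendation, since an upper bound only shrinks the space of allowed passphrases, and `linitation` on the next line is a typo.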