Admin Password and Login Security Configuration
Language: English · සිංහල
This page lists every configuration option that controls password strength, password expiration, password reuse, forced password change, and session timeout in HMIS. All of these are application-level settings — they apply to every institution, department, and user across the installation.
This article is the configuration reference. For the day-to-day user workflow (how an administrator opens the change-password screen, etc.), see Resetting Passwords and Changing User Details.
The same configuration keys are read at three points in the application:
| Where | What the user sees | When the configuration is evaluated |
|---|---|---|
| Login page (ez:login, displayed before the user is authenticated) | Generic Login form with username and password | After the user clicks Login — SessionController.loginActionWithoutDepartment() runs arePasswordRequirementsFulfilled() and may block entry if the password is expired or the user is flagged for reset |
| Select Department page (ez:select_department, shown after login when no department is yet selected) | Select Department card | If the password requirements are not fulfilled, the template redirects to the embedded change-password panel instead of rendering the menu (template.xhtml, passwordRequirementsFulfilled panel) |
| Change Password page (/admin/users/change_password.xhtml) | Three-field form (Name / Username / New Password / Re-enter) with optional Force Password Reset on Next Login button | When the form is rendered (to display the relevant rule text) and when the new password is saved (validation) |
The same logic also fires on the embedded post-login change-password screen (ezcomp/pages/admin/change_password.xhtml) — that screen prints the active rules ("Password must include uppercase, lowercase, a number, and a special character", "Password must be changed every N days", etc.) directly from these configuration values, so users see only the rules that are currently enforced.
- Click Administration → Manage Institutions → Application Options
- Type the Key into the filter box (keys are listed below — copy/paste them verbatim, including underscores and capitalisation)
- Click the row, change the value, save
- Click Reload Config in the header — without a reload, sessions continue to use the cached value
Required privilege: AdminInstitutions (Admin role recommended)
See the full Application Options reference: Application-Level Configuration.
| Key | Type | Default | What It Does |
|---|---|---|---|
| Prevent matching password with username | Boolean | false | If true, rejects any password equal to the username. Checked at login and at password change. |
| Enforce password complexity | Boolean | false | If true, the new password must match the regex below. The change-password screen also lists the rule "Password must include uppercase, lowercase, a number, and a special character" only when this is on. |
| Password complexity regex | Short Text | `^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$` | The regex applied when complexity is enforced. The default requires: at least 8 characters, one lowercase letter, one uppercase letter, one digit, one of @ $ ! % * ? &. Override with caution — a malformed regex blocks every login. |
Maximum password length: 15 characters. This is hard-coded on the change-password input (`maxlength="15"`) and is not configurable. Any complexity regex must therefore be satisfiable by a password of at most 15 characters; a regex that demands more can never be met through the form.
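Because HMIS evaluates the complexity regex with Java's own regex engine, a candidate pattern should be tried there rather than in a browser or shell before it is saved as an Application Option. The following is an added example, not HMIS code: it mirrors the three checks described above (username match, complexity regex, the 15-character input limit) and reports a malformed regex instead of silently failing every password. The class and method names are my own, and the sample usernames and passwords are constructed.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example (not HMIS code): checks a candidate password the way the
// page describes, so a new complexity regex can be tested before deployment.
public class PasswordComplexityCheck {
    // Default value of "Password complexity regex" as listed on this page.
    static final String DEFAULT_REGEX =
        "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]{8,}$";
    // Hard-coded maxlength of the change-password input.
    static final int MAX_LENGTH = 15;

    // Returns "OK" or the reason the password is rejected.
    static String evaluate(String username, String password,
                           boolean preventMatchingUsername,
                           boolean enforceComplexity, String regex) {
        if (password.length() > MAX_LENGTH) {
            // The form itself refuses longer input, so a regex requiring more can never pass.
            return "Longer than the " + MAX_LENGTH + "-character input limit";
        }
        if (preventMatchingUsername && password.equals(username)) {
            return "Password must not match the username";
        }
        if (enforceComplexity) {
            Pattern pattern;
            try {
                pattern = Pattern.compile(regex);
            } catch (PatternSyntaxException e) {
                // In HMIS a malformed regex would block every login; surface it here instead.
                return "Complexity regex is malformed: " + e.getDescription();
            }
            if (!pattern.matcher(password).matches()) {
                return "Password must include uppercase, lowercase, a number, and a special character";
            }
        }
        return "OK";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {username, candidate password}
        String[][] cases = {
            {"nurse01", "nurse01"},          // equals username
            {"nurse01", "Summer2024"},       // no special character
            {"nurse01", "Summer$2024"},      // satisfies the default regex
            {"nurse01", "Summer$2024Extra"}, // 16 characters, over the input limit
        };
        for (String[] c : cases) {
            System.out.printf("%-18s -> %s%n", c[1],
                evaluate(c[0], c[1], true, true, DEFAULT_REGEX));
        }
        // An unclosed character class is reported rather than rejecting everything.
        System.out.println(evaluate("nurse01", "Summer$2024", true, true, "^(?=.*[a-z"));
    }
}
```

Note that the default pattern's final character class only admits the seven listed specials, so a password containing `#`, `_` or a space is rejected even though it "has a special character"; if you loosen the class, keep the lookahead and the class in step or the rule text shown to users will no longer match what is enforced.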
| Key | Type | Default | What It Does |
|---|---|---|---|
| Enable password expiration | Boolean | false | Master switch for the expiry feature. When false, passwords never expire and the days setting is ignored. |
| Set password expiration period (days) | Long (integer) | 30 | Number of days from the user's lastPasswordResetAt after which the system blocks login with "Password has expired. Please reset your password." Only effective when expiration is enabled. |
The clock starts at the most recent password change, recorded in WebUser.lastPasswordResetAt. If a user has never changed their password since the field was introduced, the value defaults to "now" on first read, so expiry counts from the first login under the new policy rather than from account creation.
| Key | Type | Default | What It Does |
|---|---|---|---|
| Allow admin to force password change | Boolean | false | If true, the Force Password Reset on Next Login and Reverse Request to Reset Password on Next Login buttons on the admin Change Password screen become clickable. If false, the buttons are visible but disabled. |
When the admin forces a reset, the user's needToResetPassword flag is set on the WebUser record. At the next login, arePasswordRequirementsFulfilled() returns false and the template renders the inline change-password panel until the user supplies a new password.
| Key | Type | Default | What It Does |
|---|---|---|---|
| prevent_password_reuse | Boolean | false | When true, a new password is rejected if its hash matches any entry in the user's WebUserPasswordHistory within the limit below. |
| password_history_limit | Integer | 5 | How many most recent previous passwords are checked. A value of 5 blocks reuse of the last five passwords. |
The key `prevent_password_reuse` is all-lowercase with underscores — it is not the same as the friendlier Prevent Password Reuse shown in some older documentation. Use the exact lowercase key.
Each successful password change adds an entry to WebUserPasswordHistory and updates lastPasswordResetAt, so the expiration timer and the reuse history stay in sync.
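The expiry clock (described under password expiration above) and the reuse history only stay consistent because one save updates both. The following added example, which is not HMIS code, models that coupling: a login-time check that honours the needToResetPassword flag and the "defaults to now on first read" rule for lastPasswordResetAt, and a change-time check that consults the last N history entries and then records the new password. The hash function (SHA-256 hex) and the exact boundary at which a password counts as expired are assumptions; HMIS's own storage format is not stated on this page. Dates and passwords are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HexFormat;

// Added example (not HMIS code): expiry timer and reuse history kept in sync.
public class PasswordLifecycle {
    static final boolean ENABLE_EXPIRATION = true;
    static final long EXPIRATION_DAYS = 30;     // "Set password expiration period (days)"
    static final boolean PREVENT_REUSE = true;  // prevent_password_reuse
    static final int HISTORY_LIMIT = 5;         // password_history_limit

    // Model of the WebUser fields the page refers to.
    LocalDate lastPasswordResetAt;              // null = never set since the field was introduced
    boolean needToResetPassword;
    final Deque<String> passwordHistory = new ArrayDeque<>(); // hashes, most recent first

    // Assumption: hashes compared as SHA-256 hex. HMIS's real format is not given here.
    static String hash(String password) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Login-time check: returns null when the requirements are fulfilled.
    String loginBlockReason(LocalDate today) {
        if (needToResetPassword) {
            return "Administrator has requested a password reset";
        }
        if (ENABLE_EXPIRATION) {
            if (lastPasswordResetAt == null) {
                lastPasswordResetAt = today;   // defaults to "now" on first read
            }
            long age = ChronoUnit.DAYS.between(lastPasswordResetAt, today);
            if (age > EXPIRATION_DAYS) {       // assumption: day 30 still allowed, day 31 blocked
                return "Password has expired. Please reset your password.";
            }
        }
        return null;
    }

    // Change-time check plus the bookkeeping that keeps both features in sync.
    boolean changePassword(String newPassword, LocalDate today) {
        String h = hash(newPassword);
        if (PREVENT_REUSE) {
            int checked = 0;
            for (String old : passwordHistory) {
                if (checked++ >= HISTORY_LIMIT) break;   // only the last N entries count
                if (old.equals(h)) return false;         // reuse of a recent password
            }
        }
        passwordHistory.addFirst(h);   // new WebUserPasswordHistory entry
        lastPasswordResetAt = today;   // restart the expiry clock
        needToResetPassword = false;   // a forced reset is satisfied by the change
        return true;
    }

    public static void main(String[] args) {
        LocalDate day0 = LocalDate.of(2024, 1, 1);   // constructed dates
        PasswordLifecycle user = new PasswordLifecycle();

        // First login under the policy: the clock starts today, so nothing is blocked yet.
        System.out.println("day 0:  " + user.loginBlockReason(day0));
        System.out.println("day 31: " + user.loginBlockReason(day0.plusDays(31)));

        // Admin forces a reset; the user's next change clears both conditions.
        user.needToResetPassword = true;
        System.out.println("forced: " + user.loginBlockReason(day0.plusDays(31)));
        System.out.println("change: " + user.changePassword("Winter$2024", day0.plusDays(31)));
        System.out.println("after:  " + user.loginBlockReason(day0.plusDays(31)));

        // Immediate reuse is refused; after five further changes it drops out of the window.
        System.out.println("reuse now: " + user.changePassword("Winter$2024", day0.plusDays(32)));
        for (int i = 1; i <= 5; i++) {
            user.changePassword("Spring$202" + i, day0.plusDays(32 + i));
        }
        System.out.println("reuse as 6th: " + user.changePassword("Winter$2024", day0.plusDays(40)));
    }
}
```

The last two lines of output illustrate what password_history_limit actually bounds: the rejected attempt is the most recent password, while the accepted one is the same password once five newer entries sit in front of it.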
The auto-logout interval is not an Application Option. It is fixed in WEB-INF/web.xml:

```xml
<session-config>
  <session-timeout>60</session-timeout> <!-- minutes -->
</session-config>
```

- Default: 60 minutes of inactivity (lowered from 180 for patient-data security, issue #19867).
- After expiry the user is redirected to /timeout.xhtml with the message "For security reasons, your session was automatically terminated due to inactivity."
- Changing this value requires editing web.xml and redeploying the WAR through CI/CD — it cannot be toggled from the Application Options screen.
There is no single "correct" combination — pick the strictest set your users can tolerate. A reasonable production baseline:
| Setting | Recommended |
|---|---|
| Prevent matching password with username | true |
| Enforce password complexity | true |
| Password complexity regex | (leave at default) |
| Enable password expiration | true |
| Set password expiration period (days) | 60 or 90 |
| Allow admin to force password change | true |
| prevent_password_reuse | true |
| password_history_limit | 5 |
For deployments handling clinical or financial data (hospitals, claims processing) all the above should be on.
- Prevent matching password with username (Boolean, default false)
- Enforce password complexity (Boolean, default false)
- Password complexity regex (Short Text, default 8-char mixed regex)
- Enable password expiration (Boolean, default false)
- Set password expiration period (days) (Long, default 30)
- Allow admin to force password change (Boolean, default false)
- prevent_password_reuse (Boolean, default false)
- password_history_limit (Integer, default 5)
The Allow admin to force password change option is false (the default). Set it to true and click Reload Config.
Either disable Enable password expiration (system-wide) or open Manage Users, select the user, click Manage Password, and set a new password. The save updates lastPasswordResetAt and clears the expiry condition for that user.
Enforce password complexity is false. Switch it on. The default regex enforces 8+ characters with mixed case, a digit, and a special character.
- Verify the key is prevent_password_reuse (lowercase with underscores), not Prevent Password Reuse.
- After enabling, click Reload Config.
- Passwords set before the option was enabled still create history entries from that point forward — older entries are only present if they were captured by a prior change.
The change-password screen shows rule text only when the matching Boolean is true. If a rule is unexpectedly visible or hidden, recheck Enforce password complexity, Enable password expiration, Prevent matching password with username, and Allow admin to force password change and click Reload Config.
- Resetting Passwords and Changing User Details — admin workflow
- Password Reuse Prevention — design notes on the reuse-history feature
- Application-Level Configuration — how to edit any Application Option
- User Access and Security Management — authentication and RBAC overview
- Login — login workflow for end users