Jetspeed Proposal: Password Validation and Expiration (draft)

Version: $Revision$
Proposed by: Mark Orciuch, Next Generation Solutions, Ltd. (mark_orciuch@ngsltd.com)
Status: Initial Proposal
Date: September 11, 2002

Overview
========

The purpose of this proposal is to introduce the concept of password validation and automatic password expiration. Password validation allows a custom set of rules to be defined and enforced on passwords.

Approach
========

My proposed approach is to track the date the password was last changed. This could be done in one of the following ways:

1. A new column in the TURBINE_USER table.
2. An attribute in user temp storage.

Obviously there are pros and cons to both approaches, but I would lean towards #1. I would like to put this up to a vote.

The TurbineAuthentication class would be responsible for trapping the password expired event and throwing CredentialExpiredException. JLoginUser would catch this exception and redirect the user to the change password screen.

I initially wanted to implement password validator functionality but, after giving it more thought, I decided to leave that functionality within the TurbineUserManagement.changePassword method. Any custom password validation would be achieved by extending the current implementation of CredentialsManagement.

Implementation
==============

1. The following classes/templates would be changed (if a new column is added, there would be a fair amount of changes to how the security database and peers are created):

   org.apache.jetspeed.om.security.JetspeedUser
     - add setPasswordChangedDate() and getPasswordChangedDate() methods.

   org.apache.jetspeed.om.security.BaseJetspeedUser
     - implement setPasswordChangedDate() and getPasswordChangedDate() methods.

   org.apache.jetspeed.services.security.turbine.TurbineUserManagement
     - modify changePassword() method to set the password last changed date in JetspeedUser.

   org.apache.jetspeed.services.security.turbine.TurbineAuthentication
     - modify login() method to trap the password expired event and throw CredentialExpiredException.

   org.apache.jetspeed.modules.actions.JLogin
     - monitor for CredentialExpiredException and redirect to the change-password screen.

   WEB-INF/templates/vm/screens/html/ChangePassword.vm
     - screen to prompt the user for a password change.

2. The following entries would be added to JetspeedSecurity.properties:

   # -------------------------------------------------------------------
   #
   # UserManagement Services
   #
   # -------------------------------------------------------------------
   ....
   #
   # Number of seconds until password expires. For example,
   # to force users to change their passwords every 30 days,
   # set it to 2592000 = 1 month (30*24*60*60). To disable
   # this feature, set it to 0.
   #
   # Default: 0
   #
   services.JetspeedSecurity.password.expiration.period=0
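As an added example (not part of this proposal or of Jetspeed's code base), the check that the proposed TurbineAuthentication.login() trap would perform, driven by the configured period in seconds and the tracked change date; the class name PasswordExpirationCheck and the choice to treat a user with no recorded change date as expired are assumptions of the example, not decisions the proposal makes.

```java
import javax.security.auth.login.CredentialExpiredException;
import java.util.Date;

/** Added example of the login-time expiration check; not Jetspeed code. */
public final class PasswordExpirationCheck {

    /** services.JetspeedSecurity.password.expiration.period in seconds; 0 disables the check. */
    private final long expirationPeriodSeconds;

    public PasswordExpirationCheck(long expirationPeriodSeconds) {
        if (expirationPeriodSeconds < 0) {
            throw new IllegalArgumentException("expiration period must be >= 0");
        }
        this.expirationPeriodSeconds = expirationPeriodSeconds;
    }

    /**
     * True when the password must be changed before the session proceeds.
     * A null change date (assumption: rows that predate the new column have
     * none) is treated as expired, so the first login after deployment forces
     * a change instead of silently bypassing the policy.
     */
    public boolean isExpired(Date passwordChangedDate, Date now) {
        if (expirationPeriodSeconds == 0) {
            return false;                       // feature disabled, as in the properties comment
        }
        if (passwordChangedDate == null) {
            return true;
        }
        long ageMillis = now.getTime() - passwordChangedDate.getTime();
        return ageMillis >= expirationPeriodSeconds * 1000L;
    }

    /** The trap itself: run after credentials verify, before a session is granted. */
    public void enforce(Date passwordChangedDate, Date now) throws CredentialExpiredException {
        if (isExpired(passwordChangedDate, now)) {
            // JLogin would catch this and redirect to ChangePassword.vm
            throw new CredentialExpiredException("password expired; change required");
        }
    }

    public static void main(String[] args) throws Exception {
        PasswordExpirationCheck check = new PasswordExpirationCheck(2592000L); // 30 days
        Date now = new Date();
        Date thirtyOneDaysAgo = new Date(now.getTime() - 31L * 24 * 60 * 60 * 1000);
        System.out.println("31-day-old password expired: " + check.isExpired(thirtyOneDaysAgo, now));
        check.enforce(now, now); // just-changed password passes without an exception
    }
}
```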