############################################################################### # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. ############################################################################### #### # OFBiz Security Settings #### # -- define the default security context to be user security.context=default # -- define the password restrictions -- password.length.min=5 ### -- pattern based password OFBIZ-4958 security.login.password.pattern.enable=true security.login.password.pattern=^.*(?=.{5,}).*$ # This is a mix to handle the localisation of the OOTB pattern which is only a fixed length security.login.password.pattern.description=loginservices.password_must_be_least_characters_long # -- For More restrictive pattern you can use the following, no localisation- #security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$ #security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*. # Only contains alphanumeric and the following special characters: !@#$%^&* # Contains at least 1 of the special characters in the list above # The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!) # minimum length 5 digit. # HELP # Start of group # ( # (?=.*\d) # must contains one digit from 0-9 # (?=.*[a-z]) # must contains one lowercase characters # (?=.*[A-Z]) # must contains one uppercase characters # (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*" # . # match anything with previous condition checking # {5,20} # length at least 5 characters and maximum of 20 # {5,} # minimum length 5 chars and no linitation to max length. # ) # End of group # For further password patterns look at # http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum # -- disable the account after this many logins -- max.failed.logins=3 # -- number of password change to be saved in UserLoginPasswordHistory. # -- passwords saved in history of userLoginId will not be allowed to be reused. # -- 0 to not save history at all password.change.history.limit=0 # Security Policy : Force user to reset login password in fix number of days - # To enable this functionality need to be a non zero number. And need to set as true. user.auto.change.password.enable=false user.change.password.days=90 user.change.password.notification.days=5 # -- disable the account for this many minutes (if 0, then indefinate) -- login.disable.minutes=5 # -- disable global logout -- login.disable.global.logout=false # -- store a record for each login attempt? -- store.login.history=true store.login.history.on.service.auth=false store.login.history.incorrect.password=true # -- should we encrypt (SHA Hash) the password? -- password.encrypt=true # -- set requirePasswordChange to true, after emailPassword -- password.email_password.require_password_change=true # -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() -- # -- options may include: SHA, MD5, etc password.encrypt.hash.type=SHA # -- this is helpful to recover old accounts or to be able to login at all sometimes -- # -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption -- password.accept.encrypted.and.plain=false # -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) -- username.lowercase=false password.lowercase=false # -- Use LDAP for user authentication? -- security.ldap.enable=false # -- Fail login if LDAP authentication fails? -- security.ldap.fail.login=false # -- should we allow x509 certificate login security.login.cert.allow=true # -- HTTP header based ID (for integrations; uncomment to enable) #security.login.http.header=REMOTE_USER # -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable) # Use for external authentication solutions like CAS which overload the getRemoteUser method. #security.login.http.servlet.remoteuserlogin.allow=true # -- pattern for the userlogin id in CN section of certificate security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$ # -- Hours after which EmailAdressVerification should expire email_verification.expire.hours=48 # -- Name of the protect-view preprocessor method (this should not change, but in case...) protect-view.preprocessor=java.org.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView # -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java) #default.error.response.view=none: default.error.response.view=view:viewBlocked # If false, then no externalLoginKey parameters will be added to cross-webapp urls security.login.externalLoginKey.enabled=true