Author: taylor
Date: Tue Jul  7 01:06:06 2015
New Revision: 1689544

URL: http://svn.apache.org/r1689544
Log:
JS2-1330: updating security docs

Modified:
    
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/credentials.xml
    
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/security-config.xml

Modified: 
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/credentials.xml
URL: 
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/credentials.xml?rev=1689544&r1=1689543&r2=1689544&view=diff
==============================================================================
--- 
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/credentials.xml
 (original)
+++ 
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/credentials.xml
 Tue Jul  7 01:06:06 2015
@@ -57,7 +57,7 @@
               <p>
               Of the above error codes, the 
<code>ERROR_FINAL_LOGIN_ATTEMPT</code> will only be reported if the valve
               is configured with the same 
<code>maxNumberOfAuthenticationFailures</code> value as used for the
-              related 
<code>MaxPasswordAuthenticationFailuresInterceptor</code> described above:
+              related 
<code>MaxPasswordAuthenticationFailuresInterceptor</code> described above:</p>
               <source><![CDATA[
   <bean id="loginValidationValve"
         class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
@@ -70,10 +70,43 @@
          error code when only one last attempt is possible before the 
credential
          will be disabled after the next authentication failure.
     -->
-    <constructor-arg index="0"><value>3</value></constructor-arg>  
+    <constructor-arg index="0"><value>3</value></constructor-arg>
+    <constructor-arg index="1">
+      <list>
+        <value>org.apache.jetspeed.powertool.actions</value>
+      </list>
+    </constructor-arg>
 </bean>]]>
-                </source>
-              </p>
+                </source>    <p>
+Along with enabling the Login Validation Valve, make sure to add the 
MaxPasswordAuthenticationFailuresInterceptor to
+the Credential Policy Manager and ensure the Login Attempts values are in 
sync. Out of the box, the MaxPasswordAuthenticationFailuresInterceptor
+                is not configured.
+                </p>
+<source><![CDATA[
+<bean 
id="org.apache.jetspeed.security.spi.impl.UserPasswordCredentialPolicyManagerImpl"
+    
class="org.apache.jetspeed.security.spi.impl.UserPasswordCredentialPolicyManagerImpl">
+    <meta key="j2:cat" value="default or security" />
+    <constructor-arg index="0" 
ref="org.apache.jetspeed.security.CredentialPasswordEncoder" />
+    <constructor-arg index="1" 
ref="org.apache.jetspeed.security.CredentialPasswordValidator" />
+    <constructor-arg index="2">
+      <list>
+        <!-- enforce an invalid preset password value in the persisent store 
is required to be changed -->
+        <bean 
class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor" 
/>
+        <!-- ensure preset cleartext passwords in the persistent store  will 
be encoded on first use -->
+        <bean 
class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"
 />
+
+        <bean 
class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
+             <constructor-arg index="0"><value>3</value></constructor-arg>
+        </bean>
+
+        <!-- Password Expiration interceptor. Required for enabling password 
expirations. This example is set at 30 days -->
+        <bean 
class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
+                    <constructor-arg 
index="0"><value>30</value></constructor-arg>
+                </bean>
+      </list>
+    </constructor-arg>
+  </bean>
+]]></source>
             </subsection>
             <subsection name="PasswordCredentialValveImpl">
               <p>
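Review bot: the new `<constructor-arg index="1">` list on `loginValidationValve` (value `org.apache.jetspeed.powertool.actions`) is added without explanation. The bean's comment only covers index 0, so a reader cannot tell what the list controls or whether it is required; extend the comment or add a sentence. In the second block, the prose asks that the Login Attempts values be "in sync" without naming them: state that the `3` passed to `MaxPasswordAuthenticationFailuresInterceptor` must equal the valve's index 0 value, since the paragraph above says `ERROR_FINAL_LOGIN_ATTEMPT` is only reported when they match. The example also enables `PasswordExpirationInterceptor` at 30 days, which anyone copying the block to get lockout will switch on as a side effect; mark it as optional or move it to its own example. Minor: "persisent" in the comment should read "persistent", and `</source>    <p>` would be cleaner on separate lines.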

Modified: 
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/security-config.xml
URL: 
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/security-config.xml?rev=1689544&r1=1689543&r2=1689544&view=diff
==============================================================================
--- 
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/security-config.xml
 (original)
+++ 
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/security-config.xml
 Tue Jul  7 01:06:06 2015
@@ -280,58 +280,6 @@ Portal Authentication Configuration bean
                 The above configuration requires not much more than that a 
password should not be
                 empty and MessageDigest encode it using SHA-1.</p>
                 <p>
-                Before the 2.0-M4 release, Jetspeed came configured with a 
much stricter configuration, but for
-                first time users of the Portal this was a bit overwelming and 
also quite difficult to configure
-                differently.</p>
-                <p>
-                With the 2.0-M4 release, the previously provided, and rather 
complex, 
-                <code>InternalPasswordCredentialInterceptor</code> 
implementations are split up in single atomic
-                interceptors which can much easier be configured 
indepedently.</p>
-                <p>
-                An overview of the new interceptors and how related request 
processing pipeline valves can be
-                configured to provide feedback to the user is provided in the 
<a href="credentials.html">
-                Credentials Management</a> document.</p>
-                <p>
-                Since the "old" (pre 2.0-M4) interceptors are no longer 
provided with Jetspeed, the example below
-                shows how to "restore" the old setup using the new 
interceptors:</p>
-                  <source><![CDATA[
-<!-- require a password of minimum length 6 and at least two numeric 
characters -->
-<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator" 
-     
class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator">
-     <constructor-arg index="0"><value>6</value></constructor-arg>       
-     <constructor-arg index="1"><value>2</value></constructor-arg>       
-</bean>
-
-<!-- allow multiple InternalPasswordCredentialInterceptors to be used for 
DefaultCredentialHandler --> 
-<bean 
id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
-     
class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
-     <constructor-arg index="0">
-       <list>
-         <!-- enforce an invalid preset password value in the persisent store 
is required to be changed -->
-         <bean 
class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
-
-         <!-- ensure preset cleartext passwords in the persistent store  will 
be encoded on first use -->
-         <bean 
class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
-
-         <!-- remember the last 3 passwords used and require a new password to 
be different from those -->
-         <bean 
class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor">
-           <constructor-arg index="0"><value>3</value></constructor-arg>       
-         </bean>
-
-         <!-- Automatically expire a password after 60 days -->
-         <bean 
class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
-           <constructor-arg index="0"><value>60</value></constructor-arg>      
 
-         </bean>
-
-         <!-- Automatically disable a password after 3 invalid authentication 
attempts in a row --> 
-         <bean 
class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
-           <constructor-arg index="0"><value>3</value></constructor-arg>       
-         </bean>
-       </list>
-     </constructor-arg>
-</bean>]]>
-                  </source>
-                <p>
                 And, make sure something like the following configuration is 
set for the security related valves in
                 pipelines.xml:</p>
                   <source><![CDATA[
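Review bot: with the paragraphs above it deleted, the retained sentence "And, make sure something like the following configuration is set ..." now directly follows the SHA-1 paragraph, and its leading "And," no longer connects to anything; reword it so it stands alone. The deletion also removes this section's link to `credentials.html` and the only example on this page of `SimpleCredentialPasswordValidator` and `PasswordHistoryInterceptor`. Since the remaining text describes a default that requires little more than a non-empty password, keep a one-sentence pointer to the Credentials Management document so readers can still find the stricter interceptors.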

