Author: taylor
Date: Tue Jul 7 01:06:27 2015
New Revision: 1689545
URL: http://svn.apache.org/r1689545
Log:
JS2-1330: updating security docs
Modified:
portals/site-live/jetspeed-2/deployguide/credentials.html
portals/site-live/jetspeed-2/deployguide/security-config.html
Modified: portals/site-live/jetspeed-2/deployguide/credentials.html
URL:
http://svn.apache.org/viewvc/portals/site-live/jetspeed-2/deployguide/credentials.html?rev=1689545&r1=1689544&r2=1689545&view=diff
==============================================================================
--- portals/site-live/jetspeed-2/deployguide/credentials.html (original)
+++ portals/site-live/jetspeed-2/deployguide/credentials.html Tue Jul 7
01:06:27 2015
@@ -47,7 +47,7 @@
<div class="xleft">
- Last Published: 10 October 2011
+ Last Published: 6 July 2015
</div>
<div class="xright"> <a
href="http://portals.apache.org/applications/"
class="externalLink">Applications</a>
|
@@ -291,8 +291,8 @@
<p>
Of the above error codes, the
<code>ERROR_FINAL_LOGIN_ATTEMPT</code> will only be reported if the valve
is configured with the same
<code>maxNumberOfAuthenticationFailures</code> value as used for the
- related
<code>MaxPasswordAuthenticationFailuresInterceptor</code> described above:
- <div class="source"><pre>
+ related
<code>MaxPasswordAuthenticationFailuresInterceptor</code> described above:</p>
+<div class="source"><pre>
<bean id="loginValidationValve"
class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
init-method="initialize">
@@ -304,11 +304,46 @@
error code when only one last attempt is possible before the
credential
will be disabled after the next authentication failure.
-->
- <constructor-arg
index="0"><value>3</value></constructor-arg>
+ <constructor-arg
index="0"><value>3</value></constructor-arg>
+ <constructor-arg index="1">
+ <list>
+ <value>org.apache.jetspeed.powertool.actions</value>
+ </list>
+ </constructor-arg>
</bean>
</pre>
</div>
-</p>
+<p>
+Along with enabling the Login Validation Valve, make sure to add the
MaxPasswordAuthenticationFailuresInterceptor to
+the Credential Policy Manager and ensure the Login Attempts values are in
sync. Out of the box, the MaxPasswordAuthenticationFailuresInterceptor
+ is not configured.
+ </p>
+<div class="source"><pre>
+<bean
id="org.apache.jetspeed.security.spi.impl.UserPasswordCredentialPolicyManagerImpl"
+
class="org.apache.jetspeed.security.spi.impl.UserPasswordCredentialPolicyManagerImpl">
+ <meta key="j2:cat" value="default or security" />
+ <constructor-arg index="0"
ref="org.apache.jetspeed.security.CredentialPasswordEncoder" />
+ <constructor-arg index="1"
ref="org.apache.jetspeed.security.CredentialPasswordValidator" />
+ <constructor-arg index="2">
+ <list>
+ <!-- enforce an invalid preset password value in the persisent
store is required to be changed -->
+ <bean
class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"
/>
+ <!-- ensure preset cleartext passwords in the persistent store
will be encoded on first use -->
+ <bean
class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"
/>
+
+ <bean
class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
+ <constructor-arg
index="0"><value>3</value></constructor-arg>
+ </bean>
+
+ <!-- Password Expiration interceptor. Required for enabling
password expirations. This example is set at 30 days -->
+ <bean
class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
+ <constructor-arg
index="0"><value>30</value></constructor-arg>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+</pre>
+</div>
</div>
<div class="section"><h3><a
name="PasswordCredentialValveImpl"></a>PasswordCredentialValveImpl</h3>
<p>
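Review bot: The new `<constructor-arg index="1">` list on `loginValidationValve` is undocumented: the comment above it only explains the failure count at index 0, so a reader cannot tell what listing `org.apache.jetspeed.powertool.actions` changes about login validation. Please add a sentence or an XML comment for it. In the added `UserPasswordCredentialPolicyManagerImpl` example, `MaxPasswordAuthenticationFailuresInterceptor` is the only interceptor without a comment, although it is the one the new paragraph is about; a comment there stating that its `3` must equal the valve's `3` would put the "in sync" requirement where people copy the config from. The new paragraph also says "Login Attempts values" while the text above calls the setting `maxNumberOfAuthenticationFailures`; using the one name would avoid confusion. Minor: "persisent" in the copied comment should be "persistent".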
@@ -387,7 +422,7 @@
</div>
<div id="footer">
<div class="xright">©
- 2004-2011
+ 2004-2015
Apache Software Foundation
Modified: portals/site-live/jetspeed-2/deployguide/security-config.html
URL:
http://svn.apache.org/viewvc/portals/site-live/jetspeed-2/deployguide/security-config.html?rev=1689545&r1=1689544&r2=1689545&view=diff
==============================================================================
--- portals/site-live/jetspeed-2/deployguide/security-config.html (original)
+++ portals/site-live/jetspeed-2/deployguide/security-config.html Tue Jul 7
01:06:27 2015
@@ -47,7 +47,7 @@
<div class="xleft">
- Last Published: 10 October 2011
+ Last Published: 6 July 2015
</div>
<div class="xright"> <a
href="http://portals.apache.org/applications/"
class="externalLink">Applications</a>
|
@@ -506,59 +506,6 @@ Portal Authentication Configuration bean
The above configuration requires not much more than that a
password should not be
empty and MessageDigest encode it using SHA-1.</p>
<p>
- Before the 2.0-M4 release, Jetspeed came configured with a
much stricter configuration, but for
- first time users of the Portal this was a bit overwelming and
also quite difficult to configure
- differently.</p>
-<p>
- With the 2.0-M4 release, the previously provided, and rather
complex,
- <code>InternalPasswordCredentialInterceptor</code>
implementations are split up in single atomic
- interceptors which can much easier be configured
indepedently.</p>
-<p>
- An overview of the new interceptors and how related request
processing pipeline valves can be
- configured to provide feedback to the user is provided in the
<a href="credentials.html">
- Credentials Management</a> document.</p>
-<p>
- Since the "old" (pre 2.0-M4) interceptors are no
longer provided with Jetspeed, the example below
- shows how to "restore" the old setup using the new
interceptors:</p>
-<div class="source"><pre>
-<!-- require a password of minimum length 6 and at least two numeric
characters -->
-<bean
id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"
-
class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator">
- <constructor-arg
index="0"><value>6</value></constructor-arg>
- <constructor-arg
index="1"><value>2</value></constructor-arg>
-</bean>
-
-<!-- allow multiple InternalPasswordCredentialInterceptors to be used for
DefaultCredentialHandler -->
-<bean
id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
-
class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
- <constructor-arg index="0">
- <list>
- <!-- enforce an invalid preset password value in the persisent
store is required to be changed -->
- <bean
class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
-
- <!-- ensure preset cleartext passwords in the persistent store
will be encoded on first use -->
- <bean
class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
-
- <!-- remember the last 3 passwords used and require a new password
to be different from those -->
- <bean
class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor">
- <constructor-arg
index="0"><value>3</value></constructor-arg>
- </bean>
-
- <!-- Automatically expire a password after 60 days -->
- <bean
class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
- <constructor-arg
index="0"><value>60</value></constructor-arg>
- </bean>
-
- <!-- Automatically disable a password after 3 invalid
authentication attempts in a row -->
- <bean
class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
- <constructor-arg
index="0"><value>3</value></constructor-arg>
- </bean>
- </list>
- </constructor-arg>
-</bean>
- </pre>
-</div>
-<p>
And, make sure something like the following configuration is
set for the security related valves in
pipelines.xml:</p>
<div class="source"><pre>
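Review bot: The removed block takes with it this page's only link to credentials.html (the "Credentials Management" paragraph) and the only examples of `SimpleCredentialPasswordValidator` (minimum length 6, two numeric characters) and `PasswordHistoryInterceptor`; neither bean appears in the example added to credentials.html in this revision. What is left describes a configuration that needs little more than a non-empty password encoded with SHA-1, and then goes straight to the pipelines.xml valves, so a deployer has no pointer to stricter settings. I would keep the cross-reference paragraph here and move the validator and password-history examples into credentials.html rather than drop them. Note also that the removed example expired passwords after 60 days while the new credentials.html example uses 30; if that is an intended change to the recommendation, say so in the log message.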
@@ -658,7 +605,7 @@ Portal Authentication Configuration bean
</div>
<div id="footer">
<div class="xright">©
- 2004-2011
+ 2004-2015
Apache Software Foundation