Hi Isura, I have one concern; please read the inline comments.

On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne <[email protected]> wrote:
> Hi all,
>
> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following
> are the currently identified improvements,
>
> - Password History -
>
> Last 'n' number of passwords need to be maintained in user's history. When
> user updates his password we don't allow him to choose one of these 'n'
> passwords again.
>
> - Periodic Password Reset -
>
> Force the user to periodically (configurable period) reset his password.
> When doing this we need to leverage the password history feature as well.
>
> CREATE TABLE IF NOT EXISTS idn_password_history_data
> (
>     user_name    VARCHAR(255) NOT NULL,
>     user_domain  VARCHAR(255) NOT NULL,
>     tenant_id    INTEGER DEFAULT -1,
>     hash         VARCHAR(255) NOT NULL,
>     time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>     PRIMARY KEY (user_name, user_domain, tenant_id, hash)
> )
>
> All the passwords which are supposed to be stored in this table are old
> passwords (expired).
>
> - I think we don't need to use the same password hashing algorithm (with
>   or without salted value) which is defined in user-mgt.xml for password
>   history validation.
> - Admin users can change other users' passwords without giving their old
>   passwords. In that case, how can we find the old password hash value to
>   store for password history validation?

*Do we allow the admin user to change a user's password? Is that correct practice?*

> Your comments and suggestions are highly appreciated.
>
> Thanks
> Isura.
>
> Isura Dilhara Karunaratne
> Senior Software Engineer
>
> Mob +94 772 254 810
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
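
An added example, not part of the original thread and not WSO2 code: a Python/sqlite3 sketch of the "last n passwords" check against the table proposed in the quoted message. It assumes a row is written from the new password each time one is set (so the history includes the current password and an admin reset needs no old hash) and that the `hash` column holds `salt$digest` from PBKDF2; all function names and the iteration count are hypothetical.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 100_000  # assumed work factor for this sketch

# Table as proposed in the thread (trailing comma after PRIMARY KEY removed).
SCHEMA = """CREATE TABLE IF NOT EXISTS idn_password_history_data (
    user_name VARCHAR(255) NOT NULL,
    user_domain VARCHAR(255) NOT NULL,
    tenant_id INTEGER DEFAULT -1,
    hash VARCHAR(255) NOT NULL,
    time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    PRIMARY KEY (user_name, user_domain, tenant_id, hash))"""

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _history(db, user, n):
    # Newest first; rowid breaks ties inside one timestamp second.
    return [r[0] for r in db.execute(
        "SELECT hash FROM idn_password_history_data WHERE user_name=? AND "
        "user_domain=? AND tenant_id=? ORDER BY time_created DESC, rowid DESC "
        "LIMIT ?", (*user, n))]

def is_reused(db, user, candidate, n):
    # Salted entries cannot be matched by SQL equality on the hash column:
    # re-hash the candidate with each stored salt and compare in constant time.
    for entry in _history(db, user, n):
        salt_hex, digest_hex = entry.split("$")
        if hmac.compare_digest(_digest(candidate, bytes.fromhex(salt_hex)),
                               bytes.fromhex(digest_hex)):
            return True
    return False

def set_password(db, user, new_password, n):
    # user is (user_name, user_domain, tenant_id). The history row is derived
    # from the NEW password, so no old plaintext or old hash is required.
    if is_reused(db, user, new_password, n):
        return False
    salt = os.urandom(16)
    db.execute("INSERT INTO idn_password_history_data "
               "(user_name, user_domain, tenant_id, hash) VALUES (?,?,?,?)",
               (*user, salt.hex() + "$" + _digest(new_password, salt).hex()))
    return True
```
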
