Hi Danny,

I am aware of these password-extra functions, and that is how I am capturing the 
information about when the password was last changed.
The issue is which URI I should register my plugin against so that it gets invoked 
whenever a user tries to log in to the app server. Registering against the 
password-check namespace does not do the job.

I wrote this plugin earlier, but it does not get invoked when the user is logging 
in. It only gets invoked whenever there is a password update happening through the 
Admin UI or the security functions.
password-force-change.xqy


xquery version "1.0-ml";

import module namespace secmod = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
import module namespace mem = "http://xqdev.com/in-mem-update"
  at "/MarkLogic/appservices/utils/in-mem-update.xqy";
import module namespace plugin = "http://marklogic.com/extension/plugin"
  at "/MarkLogic/plugin/plugin.xqy";

(: Copyright 2002-2015 MarkLogic Corporation.  All Rights Reserved. :)

declare namespace sec   = "http://marklogic.com/xdmp/security";
declare namespace error = "http://marklogic.com/xdmp/error";
declare namespace pwd   = "http://marklogic.com/extension/plugin/password-force-change";

declare default function namespace "http://www.w3.org/2005/xpath-functions";

(: Returns the empty sequence if the password passes the tests.
   Returns an explanation if it fails.
   If old-password is an empty string, this is the first password
   or a password set by an administrator.
   Captures the last password change information. :)
declare function pwd:force-change(
  $old-password as xs:string,
  $password     as xs:string,
  $user         as element(sec:user))
as xs:string?
{
  let $password-extra := $user/sec:password-extra
  let $last-changedon := $password-extra/sec:password-changedon
  (: Check whether the last password change is more than 90 days back.
     For user documents that do not have a last-changed-on value, the
     last changed date will be set to today. :)
  let $is-valid :=
    if (fn:exists($last-changedon)) then
      (: fn:current-date() - xs:date(...) is an xs:dayTimeDuration such as "P91D";
         the second token of the split on non-digits is the day count :)
      let $days := fn:tokenize(
                     xs:string(fn:current-date() - xs:date($last-changedon/text())),
                     '[^0-9]+')[2]
      let $_ := xdmp:log(("days", $days))
      return
        if (xs:int($days) > 90) then fn:false()
        else fn:true()
    else fn:true()
  return
    if ($is-valid) then
      if ($old-password ne $password) then
        try {
          (: Record today's date under sec:password-extra, replacing the
             existing sec:password-changedon child or inserting a new one :)
          let $new-password-extra :=
            if (fn:exists($last-changedon)) then
              mem:node-replace($password-extra/sec:password-changedon/text(),
                               text { fn:current-date() })/sec:password-extra
            else
              mem:node-insert-child($password-extra,
                                    element sec:password-changedon { fn:current-date() })
                /sec:password-extra
          return
            secmod:user-set-password-extra($user/sec:user-name/text(), $new-password-extra)
        } catch ($e) {
          (: the function is declared as xs:string?, so return the message, not the error element :)
          (xdmp:log($e), fn:string($e/error:message))
        }
      else ()
    else
      "password must be changed since it is more than 90 days since last changed"
};

let $map := map:map(),
    $_   := map:put($map,
                    "http://marklogic.com/xdmp/security/password-check",
                    xdmp:function(xs:QName("pwd:force-change")))
return
  plugin:register($map, "password-force-change.xqy")
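
Added example, not from this thread and not MarkLogic's own code: since a 
password-check plugin only fires when a password is updated, the check the 
original question asks for has to run on the request path instead. The module 
below reads the date that the plugin above stores under sec:password-extra 
(assumed, as in that plugin, in a sec:password-changedon child) from the 
Security database via xdmp:eval, and rejects the request with a 403 and a 
message when the password is more than 90 days old. It is meant to be invoked 
at the start of each request module (or from a shared module they all import); 
the executing user is assumed to hold the privileges that 
sec:user-get-password-extra requires.

```xquery
xquery version "1.0-ml";

(: Added example: per-request password-age check for an app server that
   authenticates with basic auth. Reads the date recorded by the
   password-check plugin (assumed child element: sec:password-changedon). :)

declare namespace sec = "http://marklogic.com/xdmp/security";

declare variable $MAX-AGE-DAYS as xs:integer := 90;

(: sec:user-get-password-extra must run against the Security database;
   app server requests execute against the content database by default,
   so evaluate it there with xdmp:eval. :)
declare function local:password-extra($user-name as xs:string) as element()?
{
  xdmp:eval(
    'xquery version "1.0-ml";
     import module namespace sec = "http://marklogic.com/xdmp/security"
       at "/MarkLogic/security.xqy";
     declare variable $user-name as xs:string external;
     sec:user-get-password-extra($user-name)',
    (xs:QName("user-name"), $user-name),
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
    </options>)
};

(: Age of the stored password in whole days. A user with no recorded date
   is treated as "changed today", the same policy the plugin applies. :)
declare function local:password-age-days($extra as element()?) as xs:integer
{
  let $changed := $extra/sec:password-changedon
  return
    if (fn:exists($changed))
    then fn:days-from-duration(fn:current-date() - xs:date(fn:string($changed)))
    else 0
};

(: Non-empty result means the request was rejected; callers should return
   it and stop instead of serving the resource. :)
declare function local:enforce-password-age() as xs:string?
{
  let $user := xdmp:get-current-user()
  let $age  := local:password-age-days(local:password-extra($user))
  return
    if ($age > $MAX-AGE-DAYS) then (
      xdmp:set-response-code(403, "Password expired"),
      xdmp:log(fn:concat("password for user ", $user, " is ", $age,
                         " days old; rejecting request")),
      fn:concat("Your password is more than ", $MAX-AGE-DAYS,
                " days old and must be changed before you can continue.")
    )
    else ()
};

local:enforce-password-age()
```

A 403 rather than a 401 is used deliberately: the credentials were valid, so 
re-prompting for them would only loop. The cost is one Security database 
lookup per request; if that matters, the result can be cached per user for 
a short interval. Note that this check only protects app servers whose modules 
call it, so every server the user can reach needs it.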
From: [email protected] 
[mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Friday, August 14, 2015 2:43 PM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] How to force a user to change password if 
the last password change date is more than 90days

There is an api sec:user-set-password-extra and the corresponding getter:

http://docs.marklogic.com/sec:user-set-password-extra

http://docs.marklogic.com/sec:user-get-password-extra

That allows you to squirrel away information in the password document stored in 
the security database.  You can use this to key some logic off of.  For 
example, you can put the current date in the sec:password-extra element, then 
write a plugin that tests for how long it has been.  I don't have any code that 
does that off the top of my head, but I think you should be able to write that.

-Danny

From: [email protected] 
[mailto:[email protected]] On Behalf Of Sudheer Yalaverthi
Sent: Friday, August 14, 2015 11:32 AM
To: MarkLogic Developer Discussion
Subject: [MarkLogic Dev General] How to force a user to change password if the 
last password change date is more than 90days

Hi,

On my application server, I would like to enforce a password change every 
90 days. If a user tries to access the app server or any resources on this 
server, I would like to be able to show a message that the password is expired 
(though there is no password expiry in MarkLogic) because the last change date 
is more than 90 days ago.

MarkLogic by default does not capture the last password change date, but I 
captured it using a password plug-in with an element password-lastchangedon as a 
child of the password-extra element.
I would like to use basic as the authentication scheme but still be able to 
validate this value whenever a user tries to log in.

Plug-ins registered under http://marklogic.com/xdmp/security/password-check are 
invoked only when passwords are updated.
Is there a way I can validate the last change date with the basic authentication 
scheme whenever a user tries to log in to the app server?




Regards,
Sudheer Yalaverthi



---
This communication may contain confidential and/or privileged information. If 
you are not the intended recipient (or have received this communication in 
error) please notify the sender immediately and destroy this communication. Any 
unauthorized copying, disclosure or distribution of the material in this 
communication is strictly forbidden.

Deutsche Bank does not render legal or tax advice, and the information 
contained in this communication should not be regarded as such.


_______________________________________________
General mailing list
[email protected]
Manage your subscription at: 
http://developer.marklogic.com/mailman/listinfo/general