> Is the file you provided working file with you?

Well, yes, sort of. The Spring configuration override works fine for me out of 
the override directory. However, it seems we’ve uncovered several bugs….

I tested this from 4 different features:

1. The Change (Your own) Password portlet - There is a bug here, and it fails 
to validate, and allows the user to set an invalid password
2. The Old User Manager - it correctly flags the password was bad, but fails to 
display an error message
3. The New User Manager - There is a bug here, and it fails to validate, and 
allows the user to set an invalid password
4. User Registration - this works, and displays a message

So #1, #2, and #3 are broken.
For #2, the password is correctly NOT updated, but the UI doesn’t display an error 
message. You can validate this by trying to log in with the new password.

#4 works for me

Could you please verify my findings with all 4 cases above for the version you 
are using? I tested against 2.3.2 trunk.

And, please create a JIRA issue here:

https://issues.apache.org/jira/secure/Dashboard.jspa

If you don’t have an Apache JIRA account, please create one.

Create a new issue, and please assign it to me: (username=taylor)

Once the issue is created, I can start working on bug fixes. 


Thanks


> On Jul 17, 2017, at 12:47 AM, Elyse Badr <elyse.b...@gotocme.com> wrote:
> 
> Thank you for your reply.
> I tried to put the file you attached in the override folder with no luck to 
> enable the password validation.
> I tried on the following screens and I am still able to use any password:
>  
> <image001.png>
>  
> <image002.png>
>  
> I also tried to paste the same files that are in the alternate folder, at 
> first I was not able to even login with the current password, so I commented 
> a part that encodes the password and retried, I was able to login but the 
> password validation was not enabled.
> I then tried to put in the override folder only my file which is  
> security-spi-atn.xml with no luck.
>  
> Is the file you provided working file with you? 
>  
> Thanks,
>  
> Elyse BADR
> Software Engineer, CME
> (O)+961-01-389-392, (M) +961-03-533-179
> elyse.b...@gotocme.com <mailto:elyse.b...@gotocme.com>
>  
>  
> From: David Sean Taylor [mailto:da...@bluesunrise.com] 
> Sent: Monday, July 17, 2017 8:36 AM
> To: Elyse Badr <elyse.b...@gotocme.com>
> Subject: Re: Jetspeed 2.3.0 - Enabling password validation - Request for 
> support
>  
> I sent a reply to the Jetspeed User list
>  
> https://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201707.mbox/%3c616f649d-5a5d-4424-8623-cf5bfd952...@gmail.com%3E
> 
> On Jul 16, 2017, at 10:10 PM, Elyse Badr <elyse.b...@gotocme.com 
> <mailto:elyse.b...@gotocme.com>> wrote:
> 
>> Hi again,
>>  
>> I sent an email to the following emails: 'jetspeed-user@portals.apache.org'; 
>> 'jetspeed-...@portals.apache.org'
>> And I still didn’t get any reply since last Thursday… Am I using the wrong 
>> list again?
>> Can you please advise? 
>>  
>> Many thanks in advance..
>>  
>> Thanks,
>>  
>> Elyse BADR
>> Software Engineer, CME
>> (O)+961-01-389-392, (M) +961-03-533-179
>> elyse.b...@gotocme.com <mailto:elyse.b...@gotocme.com>
>>  
>>  
>> From: David Sean Taylor [mailto:da...@bluesunrise.com] 
>> Sent: Wednesday, July 12, 2017 10:30 PM
>> To: Elyse Badr <elyse.b...@gotocme.com <mailto:elyse.b...@gotocme.com>>
>> Cc: tay...@apache.org <mailto:tay...@apache.org>; shins...@apache.org 
>> <mailto:shins...@apache.org>; Ate Douma <a...@apache.org 
>> <mailto:a...@apache.org>>
>> Subject: Re: Jetspeed 2.3.0 - Enabling password validation - Request for 
>> support
>>  
>> Hi Elyse,
>>  
>> Please send questions to the jetspeed-user list and please do not contact 
>> people directly. When using the mailing list, not only is it the correct way 
>> to submit a support question, but you will also get the added benefit of 
>> having everyone available capable of answering the question. And, others can 
>> learn from your documented case so they don’t have to ask the question 
>> again. Finally, I am on vacation, and others on this list may be no longer 
>> active in the project, so you may not get much help here today :-)
>>  
>> You can sign up for the jetspeed-user list here:
>>  
>> http://portals.apache.org/jetspeed-2/mail-lists.html
>>  
>> Thanks,
>>  
>> —
>> David
>>  
>>> On Jul 12, 2017, at 6:00 AM, Elyse Badr <elyse.b...@gotocme.com 
>>> <mailto:elyse.b...@gotocme.com>> wrote:
>>>  
>>> Hi again,
>>>  
>>> I had to decompile the jetspeed-security-2.3.0 jar to get some equivalent 
>>> names of some implementations… I created my own security-spi-atn.xml, 
>>> Jetspeed did start successfully, however the validation rules are not 
>>> applied, and I can try incorrect login password for several times.
>>> Please find attached my new configuration file and advise.
>>>  
>>> Awaiting your reply.
>>>  
>>> Thanks,
>>>  
>>> Elyse BADR
>>> Software Engineer, CME
>>> (O)+961-01-389-392, (M) +961-03-533-179
>>> elyse.b...@gotocme.com <mailto:elyse.b...@gotocme.com>
>>>  
>>>  
>>> From: Elyse Badr [mailto:elyse.b...@gotocme.com 
>>> <mailto:elyse.b...@gotocme.com>] 
>>> Sent: Wednesday, July 12, 2017 2:59 PM
>>> To: 'tay...@apache.org <mailto:tay...@apache.org>' <tay...@apache.org 
>>> <mailto:tay...@apache.org>>; 'shins...@apache.org 
>>> <mailto:shins...@apache.org>' <shins...@apache.org 
>>> <mailto:shins...@apache.org>>; 'a...@apache.org <mailto:a...@apache.org>' 
>>> <a...@apache.org <mailto:a...@apache.org>>
>>> Subject: RE: Jetspeed 2.3.0 - Enabling password validation - Request for 
>>> support
>>>  
>>> Hi support team,
>>>  
>>> <<Note: please feel free to forward my email to any person who can help>>
>>>  
>>> Following up on this, it turned out that the sample configuration defined 
>>> in Jetspeed 2 documentation link 
>>> <https://portals.apache.org/jetspeed-2/deployguide/security-config.html#security-spi-atn_xml>
>>>  for security-spi-atn.xml, is referencing classes not present in  Jetspeed 
>>> jars probably belonging to older versions of Jetspeed (1):
>>>  
>>> <image001.jpg>
>>>  
>>>  
>>> <image002.jpg>
>>>  
>>>  
>>> I am using 2.3.0 and I even downloaded 2.3.1 and found out it has the same 
>>> problem. 
>>> Can you please provide an updated sample configuration? 
>>> Awaiting your reply.
>>>  
>>> Thanks,
>>>  
>>> Elyse BADR
>>> Software Engineer, CME
>>> (O)+961-01-389-392, (M) +961-03-533-179
>>> elyse.b...@gotocme.com <mailto:elyse.b...@gotocme.com>
>>>  
>>>  
>>> From: Elyse Badr [mailto:elyse.b...@gotocme.com 
>>> <mailto:elyse.b...@gotocme.com>] 
>>> Sent: Wednesday, July 12, 2017 12:03 PM
>>> To: 'tay...@apache.org <mailto:tay...@apache.org>' <tay...@apache.org 
>>> <mailto:tay...@apache.org>>; 'shins...@apache.org 
>>> <mailto:shins...@apache.org>' <shins...@apache.org 
>>> <mailto:shins...@apache.org>>; 'a...@apache.org <mailto:a...@apache.org>' 
>>> <a...@apache.org <mailto:a...@apache.org>>
>>> Subject: Jetspeed 2.3.0 - Enabling password validation - Request for support
>>>  
>>> Hi Support team,
>>>  
>>> We are using Jetspeed 2.3.0 to deploy our set of portlets applications. I 
>>> am sharing a problem I am facing in order to provide me with help or hints.
>>> We would like to enable password validation rules that are already 
>>> supported by Jetspeed security.
>>>  
>>> I uncommented some sections in 
>>> Jetspeed-2.3.0\webapps\jetspeed\WEB-INF\assembly\security-spi-atn.xml and 
>>> Jetspeed-2.3.0\webapps\jetspeed\WEB-INF\assembly\alternate\credentials\max-password-auth.xml
>>>  but nothing was happening.
>>> I did the same and nothing happened too. 
>>>  
>>> I made some research with no luck as no documentation or question related 
>>> to this topic. In Jetspeed documentation link 
>>> <https://portals.apache.org/jetspeed-2/deployguide/security-config.html#security-spi-atn_xml>
>>>  they provide a sample config which is not working too. I am getting 
>>> java.lang.ClassNotFoundException: 
>>> org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy
>>> Although the jar jetspeed-security is present in the lib folder of the same 
>>> location: Jetspeed-2.3.0\webapps\jetspeed\WEB-INF\lib
>>>  
>>> Any suggestion from you is welcomed too.
>>> We would like to enable the following rules:
>>>  
>>> Set min & max character, alphanumeric count for passwords
>>> Set password age [90 days]
>>> Set count of password history [last 5 passwords]
>>> Set notification period for password change reminder
>>>  
>>> I attached the files I am currently using. Please help.
>>>  
>>> Thanks in advance.
>>>  
>>> Thanks,
>>>  
>>> Elyse BADR
>>> Software Engineer, CME
>>> (O)+961-01-389-392, (M) +961-03-533-179
>>> elyse.b...@gotocme.com <mailto:elyse.b...@gotocme.com>
>>>  
>>>  
>>> <security-spi-atn.xml>
