[ 
https://issues.apache.org/jira/browse/OAK-1922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dominique Jäggi updated OAK-1922:
---------------------------------

    Description: 
[~anchela], I am submitting a patch for the addition of the following features:

*Password Expiry*
Administrators should be able to configure passwords to expire within a 
configurable amount of time (days). A user whose password has expired can no 
longer authenticate - a CredentialExpiredException is thrown.

*Initial Password Change*
An administrator should be able to configure the system such that a user is 
forced to set a new password upon first login. This is a special form of 
Password Expiry above, in that upon creation a user account's password is 
expired by default.

*Configuration of Expiry*
An administrator may enable password expiry and initial password change via the 
org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi 
configuration. By default expiry is disabled. The following configuration 
options should be supported:

* Maximum Password Age (maxPasswordAge, days): when greater than 0, enables password 
expiry and sets the expiration time in days
* Enforce Password Change (initialPasswordChange, true|false): when true 
enables password change on first login.

*Definition of Expired Password*
An expired password is defined as follows:
* The current date-time is after or on the date-time + maxPasswordAge specified 
in a rep:passwordLastModified property
* OR: Expiry and/or Enforce Password Change is enabled, but no 
rep:passwordLastModified property exists

For the above, a new property definition is required. In order to accommodate 
the property as well as future enhancements to password management (such as 
password policies, history, et al), the suggestion is to introduce a rep:pw 
user sub-node, governed by a new rep:Password node type, enforcing required 
property restriction.

The rep:passwords node and the rep:passwordLastModified property must be 
protected in order to guard against the user modifying (overcoming) her 
password expiry. The new sub-node also has the advantage of allowing repository 
consumers to e.g. register specific commit hooks / actions on such a node.
In the future the rep:password property on the user node should be migrated to 
the rep:pw sub-node.

*User Creation With Default Expired Password*
Upon initial creation of a user, the rep:passwordLastModified property is 
omitted. If expiry or initialPasswordChange are enabled, the absence of the 
property will be interpreted as immediate expiry of the password. When 
subsequently the user changes her password via User#changePassword, the 
rep:passwordLastModified property is set and henceforth interpreted.

*Authentication Password Expiry Aware*
A login module should throw a 
javax.security.auth.login.CredentialExpiredException upon encountering an 
expired password. A consumer implementation can then differentiate between a 
failed login (due to a wrong password specified) and an expired password, 
allowing the consumer to take action, e.g. to redirect to a change password 
form. In Oak, the Authentication (currently UserAuthentication) implementation 
would within its #authenticate() compare the system time with the value stored 
in the rep:passwordLastModified and throw a CredentialExpiredException if now 
is after or on the date-time specified by the value. In the case of 
initialPasswordChange a password is considered expired if no 
rep:passwordLastModified property can be found on login.

Both expiry and force initial password change must be checked *after* regular 
credential verification, so as to prevent an attacker from identifying valid users 
by being redirected to a change password form upon expiry.

Kindly accept the patch for review and let me know your feedback.

  was:
[~anchela], I am submitting a patch for the addition of the following features:

*Password Expiry*
Administrators should be able to configure passwords to expire within a 
configurable amount of time (days). A user whose password has expired can no 
longer authenticate - a CredentialExpiredException is thrown.

*Initial Password Change*
An administrator should be able to configure the system such that a user is 
forced to set a new password upon first login. This is a special form of 
Password Expiry above, in that upon creation a user account's password is 
expired by default.

*Configuration of Expiry*
An administrator may enable password expiry and initial password change via the 
org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi 
configuration. By default expiry is disabled. The following configuration 
options should be supported:

* Maximum Password Age (maxPasswordAge, days): when greater than 0, enables password 
expiry and sets the expiration time in days
* Enforce Password Change (initialPasswordChange, true|false): when true 
enables password change on first login.

*Definition of Expired Password*
An expired password is defined as follows:
* The current date-time is after or on the date-time + maxPasswordAge specified 
in a rep:passwordLastModified property
* OR: Expiry and/or Enforce Password Change is enabled, but no 
rep:passwordLastModified property exists

For the above, a new property definition is required. In order to accommodate 
the property as well as future enhancements to password management (such as 
password policies, history, et al), the suggestion is to introduce a rep:pw 
user sub-node, governed by a new rep:Password node type, enforcing required 
property restriction.

The rep:passwords node and the rep:passwordLastModified property must be 
protected in order to guard against the user modifying (overcoming) her 
password expiry. The new sub-node also has the advantage of allowing repository 
consumers to e.g. register specific commit hooks / actions on such a node.
In the future the rep:password property on the user node should be migrated to 
the rep:pw sub-node.

*User Creation With Default Expired Password*
Upon initial creation of a user, the rep:passwordLastModified property is 
omitted. If expiry or initialPasswordChange are enabled, the absence of the 
property will be interpreted as immediate expiry of the password. When 
subsequently the user changes her password via User#changePassword, the 
rep:passwordLastModified property is set and henceforth interpreted.

*Authentication Password Expiry Aware*
A login module should throw a 
javax.security.auth.login.CredentialExpiredException upon encountering an 
expired password. A consumer implementation can then differentiate between a 
failed login (due to a wrong password specified) and an expired password, 
allowing the consumer to take action, e.g. to redirect to a change password 
form. In Oak, the Authentication (currently UserAuthentication) implementation 
would within its #authenticate() compare the system time with the value stored 
in the rep:passwordLastModified and throw a CredentialExpiredException if now 
is after or on the date-time specified by the value.

Kindly accept the patch for review and let me know your feedback.


> Introduce Password Expiry With Max Password Age and On First Login
> ------------------------------------------------------------------
>
>                 Key: OAK-1922
>                 URL: https://issues.apache.org/jira/browse/OAK-1922
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 1.0, 1.0.1
>            Reporter: Dominique Jäggi
>            Assignee: angela
>             Fix For: 1.1
>
>         Attachments: 
> OAK-1922_-_Introduce_Password_Expiry_With_Max_Password_Age_and_On_First_Login.patch,
>  OAK-1922_2.patch, OAK-1922_4.patch, OAK-1922_review.txt
>
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
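The ordering rule the issue insists on (credential verification first, expiry check second) and the expired-password definition are easy to get subtly wrong, so here is a stand-alone Java model of them. This is an added example, not code from the OAK-1922 patch or from Oak's UserAuthentication; the class and method names (PasswordExpiryExample, ExpiryConfig, UserRecord, isExpired, authenticate) are hypothetical, the SHA-256 digest is a stand-in for Oak's real password hashing, and a java.time.Instant stands in for the rep:passwordLastModified date property (null models an absent property). The sample accounts and clock are constructed.

```java
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

/** Hypothetical model of the OAK-1922 rules; not Oak's own implementation. */
public final class PasswordExpiryExample {

    /** The two UserConfigurationImpl options named in the issue. */
    public static final class ExpiryConfig {
        final long maxPasswordAgeDays;       // > 0 enables expiry
        final boolean initialPasswordChange; // true forces a change on first login

        ExpiryConfig(long maxPasswordAgeDays, boolean initialPasswordChange) {
            this.maxPasswordAgeDays = maxPasswordAgeDays;
            this.initialPasswordChange = initialPasswordChange;
        }

        boolean enabled() {
            return maxPasswordAgeDays > 0 || initialPasswordChange;
        }
    }

    /** Constructed stand-in for a user node; lastModified == null models a missing rep:passwordLastModified. */
    public static final class UserRecord {
        final String id;
        final byte[] passwordDigest;   // SHA-256 of the password, illustration only
        final Instant lastModified;

        UserRecord(String id, String password, Instant lastModified) {
            this.id = id;
            this.passwordDigest = digest(password);
            this.lastModified = lastModified;
        }
    }

    static byte[] digest(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Expired-password definition from the issue; only called after the credential check. */
    public static boolean isExpired(UserRecord user, ExpiryConfig cfg, Instant now) {
        if (!cfg.enabled()) {
            return false;                    // expiry is disabled by default
        }
        if (user.lastModified == null) {
            return true;                     // absent property: expired immediately
        }
        if (cfg.maxPasswordAgeDays <= 0) {
            return false;                    // only initialPasswordChange set, and the user already changed it
        }
        Instant expiresAt = user.lastModified.plus(Duration.ofDays(cfg.maxPasswordAgeDays));
        return !now.isBefore(expiresAt);     // "after or on" the expiry instant
    }

    /** Credential check first, expiry second: a wrong password never reveals that an account exists. */
    public static void authenticate(UserRecord user, String password, ExpiryConfig cfg, Clock clock)
            throws LoginException {
        byte[] supplied = digest(password);
        byte[] stored = (user == null) ? digest("") : user.passwordDigest;   // same work for unknown users
        if (user == null || !MessageDigest.isEqual(supplied, stored)) {
            throw new FailedLoginException("invalid credentials");
        }
        if (isExpired(user, cfg, clock.instant())) {
            throw new CredentialExpiredException("password expired for user " + user.id);
        }
    }

    static void attempt(UserRecord user, String password, ExpiryConfig cfg, Clock clock) {
        String who = (user == null) ? "<unknown>" : user.id;
        try {
            authenticate(user, password, cfg, clock);
            System.out.println(who + ": login OK");
        } catch (CredentialExpiredException e) {
            System.out.println(who + ": expired, redirect to change-password form");
        } catch (LoginException e) {
            System.out.println(who + ": failed login");
        }
    }

    public static void main(String[] args) {
        Clock clock = Clock.fixed(Instant.parse("2014-07-01T00:00:00Z"), ZoneOffset.UTC);
        ExpiryConfig cfg = new ExpiryConfig(30, true);   // 30-day max age, change forced on first login
        // Constructed sample accounts
        UserRecord fresh   = new UserRecord("alice", "s3cret", Instant.parse("2014-06-15T00:00:00Z"));
        UserRecord stale   = new UserRecord("bob",   "s3cret", Instant.parse("2014-05-01T00:00:00Z"));
        UserRecord created = new UserRecord("carol", "s3cret", null);   // never changed since creation

        attempt(fresh,   "s3cret", cfg, clock);   // login OK
        attempt(stale,   "s3cret", cfg, clock);   // expired (31 May 2014 was the expiry instant)
        attempt(created, "s3cret", cfg, clock);   // expired (initial password change)
        attempt(stale,   "wrong",  cfg, clock);   // failed login; expiry never consulted
        attempt(null,    "s3cret", cfg, clock);   // failed login, indistinguishable from a wrong password
    }
}
```

The point to notice is that bob with the wrong password and the unknown user get the same FailedLoginException; only a caller who already holds a valid password ever sees CredentialExpiredException, which is what keeps the change-password redirect from becoming a user-enumeration oracle. The digest comparison uses MessageDigest.isEqual rather than Arrays.equals so the comparison does not short-circuit on the first differing byte.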
