[ https://issues.apache.org/jira/browse/OAK-1922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved OAK-1922.
-------------------------
Resolution: Fixed
Committed patch4 with the mentioned modifications at r1607693.
> Introduce Password Expiry With Max Password Age and On First Login
> ------------------------------------------------------------------
>
> Key: OAK-1922
> URL: https://issues.apache.org/jira/browse/OAK-1922
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: security
> Affects Versions: 1.0, 1.0.1
> Reporter: Dominique Jäggi
> Assignee: angela
> Fix For: 1.1
>
> Attachments:
> OAK-1922_-_Introduce_Password_Expiry_With_Max_Password_Age_and_On_First_Login.patch,
> OAK-1922_2.patch, OAK-1922_4.patch, OAK-1922_review.txt
>
>
> [~anchela], I am submitting a patch for the addition of the following
> features:
> *Password Expiry*
> Administrators should be able to configure passwords to expire within a
> configurable amount of time (days). A user whose password has expired can no
> longer authenticate - a CredentialExpiredException is thrown.
> *Initial Password Change*
> An administrator should be able to configure the system such that a user is
> forced to set a new password upon first login. This is a special form of
> Password Expiry above, in that upon creation a user account's password is
> expired by default.
> *Configuration of Expiry*
> An administrator may enable password expiry and initial password change via
> the org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi
> configuration. By default expiry is disabled. The following configuration
> options should be supported:
> * Maximum Password Age (maxPasswordAge, days): when greater than 0, enables
> password expiry and sets the expiration time in days
> * Enforce Password Change (initialPasswordChange, true|false): when true
> enables password change on first login.
> *Definition of Expired Password*
> An expired password is defined as follows:
> * The current date-time is after or on the date-time + maxPasswordAge
> specified in a rep:passwordLastModified property
> * OR: Expiry and/or Enforce Password Change is enabled, but no
> rep:passwordLastModified property exists
> For the above, a new property definition is required. In order to accommodate
> the property as well as future enhancements to password management (such as
> password policies, history, et al.), the suggestion is to introduce a rep:pw
> user sub-node, governed by a new rep:Password node type, enforcing required
> property restriction.
> The rep:passwords node and the rep:passwordLastModified property must be
> protected in order to guard against the user modifying (overcoming) her
> password expiry. The new sub-node also has the advantage of allowing
> repository consumers to e.g. register specific commit hooks / actions on such
> a node.
> In the future the rep:password property on the user node should be migrated
> to the rep:pw sub-node.
> *User Creation With Default Expired Password*
> Upon initial creation of a user, the rep:passwordLastModified property is
> omitted. If expiry or initialPasswordChange are enabled, the absence of the
> property will be interpreted as immediate expiry of the password. When
> subsequently the user changes her password via User#changePassword, the
> rep:passwordLastModified property is set and henceforth interpreted.
> *Authentication Password Expiry Aware*
> A login module should throw a
> javax.security.auth.login.CredentialExpiredException upon encountering an
> expired password. A consumer implementation can then differentiate between a
> failed login (due to a wrong password specified) and an expired password,
> allowing the consumer to take action, e.g. to redirect to a change password
> form. In Oak, the Authentication (currently UserAuthentication)
> implementation would within its #authenticate() compare the system time with
> the value stored in the rep:passwordLastModified and throw a
> CredentialExpiredException if now is after or on the date-time specified by
> the value. In the case of initialPasswordChange a password is considered
> expired if no rep:passwordLastModified property can be found on login.
> Both expiry and force initial password change must be checked *after* regular
> credential verification, so as to prevent an attacker identifying valid users
> by being redirected to a change password form upon expiry.
> Kindly accept the patch for review and let me know your feedback.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
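As an added illustration of the expiry rule and the check ordering described in the issue above (this is not the attached patch and not Oak's code), the following self-contained Java class models the two configuration options, the meaning of a present, stale or absent rep:passwordLastModified value, and the rule that expiry is only evaluated after the credentials have been verified. The class, field and method names, the PBKDF2 hashing stand-in, and the sample timestamps and password are assumptions of this example; only javax.security.auth.login.CredentialExpiredException is the real JDK type the issue refers to.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.concurrent.TimeUnit;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/** Added example; class and member names are assumptions, not Oak's API. */
public class PasswordExpiryDemo {

    /** Stand-in for the maxPasswordAge / initialPasswordChange options the issue describes. */
    static final class ExpiryConfig {
        final long maxPasswordAgeDays;       // > 0 enables password expiry
        final boolean initialPasswordChange; // true forces a password change on first login

        ExpiryConfig(long maxPasswordAgeDays, boolean initialPasswordChange) {
            this.maxPasswordAgeDays = maxPasswordAgeDays;
            this.initialPasswordChange = initialPasswordChange;
        }

        boolean expiryEnabled() {
            return maxPasswordAgeDays > 0;
        }
    }

    /** Minimal user record: salted PBKDF2 hash plus the optional rep:passwordLastModified value. */
    static final class UserRecord {
        final byte[] salt;
        final byte[] hash;
        final Long passwordLastModified; // epoch millis; null models an absent property

        UserRecord(byte[] salt, byte[] hash, Long passwordLastModified) {
            this.salt = salt;
            this.hash = hash;
            this.passwordLastModified = passwordLastModified;
        }
    }

    /** Password hashing stand-in (PBKDF2-HMAC-SHA256); Oak's real scheme is not modelled here. */
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 10_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        }
    }

    /** The issue's definition of an expired password. */
    static boolean isExpired(Long lastModified, ExpiryConfig cfg, long nowMillis) {
        if (lastModified == null) {
            // No rep:passwordLastModified: expired only if expiry or initial change is enabled.
            return cfg.expiryEnabled() || cfg.initialPasswordChange;
        }
        if (!cfg.expiryEnabled()) {
            return false; // initialPasswordChange alone never expires an already-changed password
        }
        long expiresAt = lastModified + TimeUnit.DAYS.toMillis(cfg.maxPasswordAgeDays);
        return nowMillis >= expiresAt; // "after or on" the expiry instant
    }

    /** Verify credentials first, then expiry, so expiry never reveals whether a password was right. */
    static void authenticate(UserRecord user, char[] password, ExpiryConfig cfg, long nowMillis)
            throws LoginException {
        if (!MessageDigest.isEqual(pbkdf2(password, user.salt), user.hash)) {
            throw new FailedLoginException("invalid credentials");
        }
        if (isExpired(user.passwordLastModified, cfg, nowMillis)) {
            throw new CredentialExpiredException("password expired, change required");
        }
    }

    /** Maps the three possible outcomes to the action a consumer would take. */
    static String outcome(String label, UserRecord u, char[] pw, ExpiryConfig cfg, long now) {
        try {
            authenticate(u, pw, cfg, now);
            return label + ": login ok";
        } catch (CredentialExpiredException e) {
            return label + ": expired, redirect to change-password form";
        } catch (LoginException e) {
            return label + ": failed login";
        }
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        char[] pw = "correct-horse".toCharArray();     // constructed sample password
        ExpiryConfig cfg = new ExpiryConfig(30, true); // 30-day max age, change on first login
        byte[] hash = pbkdf2(pw, salt);

        UserRecord fresh = new UserRecord(salt, hash, null);                                  // just created
        UserRecord stale = new UserRecord(salt, hash, now - TimeUnit.DAYS.toMillis(31));      // past max age
        UserRecord recent = new UserRecord(salt, hash, now - TimeUnit.DAYS.toMillis(1));      // within max age

        System.out.println(outcome("new user, right password", fresh, pw, cfg, now));
        System.out.println(outcome("31-day-old password, right password", stale, pw, cfg, now));
        System.out.println(outcome("31-day-old password, wrong password", stale, "nope".toCharArray(), cfg, now));
        System.out.println(outcome("1-day-old password, right password", recent, pw, cfg, now));
    }
}
```

The third case is the one the issue singles out: a wrong password against an expired account produces the same FailedLoginException as any other wrong password, so the expiry state cannot be used to confirm that an account exists. Only a caller that has already passed credential verification is told, via CredentialExpiredException, that a password change is required.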