>
> You could require that the current password be provided in order to edit
> an existing user, then you can check whether the pre-encrypted password
> matches your rules, and that the post-encrypted password matches their
> current password. If either of those fail the edit can be rejected.
>
> Of course, this makes it much more difficult for an administrator to
> edit a user (unless they happen to know the password), so you could
> either require the admin's current password in this case, or simply skip
> these checks if the current user is an admin.
>
> -Dale
>
Thanks for the suggestion, Dale.
I ended up implementing the validation in the business layer.
Here's how.
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.validation.Errors;
import org.springframework.validation.Validator;

public class UserPasswordValidation implements Validator {

    // At least one digit, one lower-case and one upper-case letter, 6 to 20
    // characters, alphanumeric only: the character class (not the lookaheads)
    // is what rejects any symbol or space.
    private static final Pattern PASSWORD_PATTERN =
        Pattern.compile("^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])[0-9a-zA-Z]{6,20}$");

    public boolean supports(Class clazz) {
        // This validator targets User (the original had FileUpload.class here)
        return User.class.equals(clazz);
    }

    public void validate(Object target, Errors errors) {
        User user = (User) target;
        // Must run on the plaintext password, i.e. before it is encoded
        String password = user.getPassword();
        if (password == null) {
            errors.reject("password");
            return;
        }
        Matcher matcher = PASSWORD_PATTERN.matcher(password);
        if (!matcher.find()) {
            errors.reject("password");
        }
    }
}
Here's the UserManagerImpl saveUser method
.......
    // If password was changed (or new user), validate the plaintext against
    // the policy, then encrypt it
    if (passwordChanged) {
        BindException errors = new BindException(user, "user");
        new UserPasswordValidation().validate(user, errors);
        if (errors.hasErrors()) {
            throw new UserPasswordException("Validation failed!");
        }
        user.setPassword(passwordEncoder.encodePassword(user.getPassword(), null));
    }
And in the UserFormController I added a new catch
......
    try {
        getUserManager().saveUser(user);
    }
    catch (UserPasswordException e) {
        errors.reject("errors.password");
        return showForm(request, response, errors);
    }
--
View this message in context:
http://www.nabble.com/User-Password-strength-tp15459586s2369p15547043.html
Sent from the AppFuse - User mailing list archive at Nabble.com.
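The policy regex from the post and the change flow Dale describes, as an added example that is not part of the thread or of AppFuse: Python stands in for the Java/Spring code above, and PBKDF2-HMAC-SHA256 with a constructed "pbkdf2$salt$digest" storage format stands in for the Acegi PasswordEncoder. The function names (meets_policy, change_password, change_outcome) and the sample passwords are this example's own. It shows two things the post does not spell out: the character class, not the lookaheads, is what rejects every symbol, and the `$` anchor (in Java's Matcher as well as Python's re) accepts a trailing newline that `\z` / `\Z` does not.

```python
import hashlib
import hmac
import os
import re

# The policy regex exactly as posted on the list.  The three lookaheads demand
# a digit, a lower-case and an upper-case letter; the character class then
# restricts the WHOLE password to 6..20 alphanumerics, so any symbol or space
# is rejected outright.
POLICY = re.compile(r"^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])[0-9a-zA-Z]{6,20}$")

# Same rule anchored with \A and \Z: `$` also matches just before a trailing
# newline (in Java as well as Python), so a password read from a file with
# its newline attached slips through POLICY but not POLICY_STRICT.
POLICY_STRICT = re.compile(r"\A(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])[0-9a-zA-Z]{6,20}\Z")


def meets_policy(password):
    """True if the plaintext password satisfies the list's regex.

    search() on an anchored pattern behaves like Java's Matcher.find()."""
    return POLICY.search(password) is not None


def meets_policy_strict(password):
    """Same policy, but a trailing newline is rejected."""
    return POLICY_STRICT.search(password) is not None


# --- Stand-in for the stored, encoded password ------------------------------
# The page encodes with an Acegi PasswordEncoder and a null salt; this example
# substitutes PBKDF2-HMAC-SHA256 with a per-user random salt.  The storage
# format "pbkdf2$<salt hex>$<digest hex>" is this example's own convention.
ITERATIONS = 100_000


def encode_password(plaintext, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())


def password_matches(plaintext, encoded):
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class PasswordChangeError(Exception):
    pass


def change_password(stored_encoded, current_password, new_password, is_admin=False):
    """Dale's flow from the thread: check the PLAINTEXT new password against the
    policy, prove the caller knows the current password, and only then encode.
    Administrators skip the current-password proof, as the thread suggests."""
    if not meets_policy_strict(new_password):
        raise PasswordChangeError("new password does not meet the policy")
    if not is_admin and not password_matches(current_password, stored_encoded):
        raise PasswordChangeError("current password is wrong")
    return encode_password(new_password)


def change_outcome(stored_encoded, current_password, new_password, is_admin=False):
    """Convenience wrapper: 'ok' or the rejection reason, for the demo below."""
    try:
        change_password(stored_encoded, current_password, new_password, is_admin)
        return "ok"
    except PasswordChangeError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the thread.
    for pw in ["Passw0rd", "P@ssw0rd", "password1", "PASSWORD1", "Pa1",
               "Pa1" + "a" * 17, "Pa1" + "a" * 18, "Passw0rd\n"]:
        print("%-24r policy=%-5s strict=%s" % (pw, meets_policy(pw), meets_policy_strict(pw)))

    stored = encode_password("Passw0rd")
    print(change_outcome(stored, "Passw0rd", "NewPassw0rd"))         # ok
    print(change_outcome(stored, "guess", "NewPassw0rd"))            # current password is wrong
    print(change_outcome(stored, "Passw0rd", "p@ssw0rd"))            # new password does not meet the policy
    print(change_outcome(stored, "", "NewPassw0rd", is_admin=True))  # ok (admin skips the check)
```

Two points worth carrying back to the Java: the plaintext must be checked before encodePassword() runs (a hash never matches the regex), and the 20-character cap from the regex buys nothing once the password is hashed to a fixed length, so drop it unless a downstream system needs it.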