jackrabbit-oak-issues mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OAK-1922) Introduce Password Expiry With Max Password Age and On First Login
Date Thu, 03 Jul 2014 16:22:24 GMT

    [ https://issues.apache.org/jira/browse/OAK-1922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051635#comment-14051635 ]

angela commented on OAK-1922:
-----------------------------

great... I had another look and just found minor things (see below) and one issue that I introduced in patch_2: the UserAuthentication would have always failed for another user implementation, as the lastmod property is not being exposed by User#getProperty because it's protected! I detected it while extending the expiry-specific tests :-)

the minor things:
- cnd still contained the old nt name -> pwd node was never protected that way
- obsolete TODO in UserManagerImplTest
- missing reference to the importer issue
- duplicate test class for the forceinitialpw-test (without expiry)

> Introduce Password Expiry With Max Password Age and On First Login
> ------------------------------------------------------------------
>
>                 Key: OAK-1922
>                 URL: https://issues.apache.org/jira/browse/OAK-1922
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 1.0, 1.0.1
>            Reporter: Dominique Jäggi
>            Assignee: angela
>             Fix For: 1.1
>
>         Attachments: OAK-1922_-_Introduce_Password_Expiry_With_Max_Password_Age_and_On_First_Login.patch, OAK-1922_2.patch, OAK-1922_4.patch, OAK-1922_review.txt
>
>
> [~anchela], I am submitting a patch, for the addition of the following features:
> *Password Expiry*
> Administrators should be able to configure passwords to expire within a configurable amount of time (days). A user whose password has expired can no longer authenticate - a CredentialExpiredException is thrown.
> *Initial Password Change*
> An administrator should be able to configure the system such that a user is forced to set a new password upon first login. This is a special form of Password Expiry above, in that upon creation a user account's password is expired by default.
> *Configuration of Expiry*
> An administrator may enable password expiry and initial password change via the org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi configuration. By default expiry is disabled. The following configuration options should be supported:
> * Maximum Password Age (maxPasswordAge, days): when greater than 0, enables password expiry and sets the expiration time in days
> * Enforce Password Change (initialPasswordChange, true|false): when true, enables password change on first login.
> *Definition of Expired Password*
> An expired password is defined as follows:
> * The current date-time is after or on the date-time + maxPasswordAge specified in a rep:passwordLastModified property
> * OR: Expiry and/or Enforce Password Change is enabled, but no rep:passwordLastModified property exists
> For the above, a new property definition is required. In order to accommodate the property as well as future enhancements to password management (such as password policies, history, et al.), the suggestion is to introduce a rep:pw user sub-node, governed by a new rep:Password node type, enforcing required property restriction.
> The rep:passwords node and the rep:passwordLastModified property must be protected in order to guard against the user modifying (overcoming) her password expiry. The new sub-node also has the advantage of allowing repository consumers to e.g. register specific commit hooks / actions on such a node.
> In the future the rep:password property on the user node should be migrated to the rep:pw sub-node.
> *User Creation With Default Expired Password*
> Upon initial creation of a user, the rep:passwordLastModified property is omitted. If expiry or initialPasswordChange are enabled, the absence of the property will be interpreted as immediate expiry of the password. When subsequently the user changes her password via User#changePassword, the rep:passwordLastModified property is set and henceforth interpreted.
> *Authentication Password Expiry Aware*
> A login module should throw a javax.security.auth.login.CredentialExpiredException upon encountering an expired password. A consumer implementation can then differentiate between a failed login (due to a wrong password specified) and an expired password, allowing the consumer to take action, e.g. to redirect to a change password form. In Oak, the Authentication (currently UserAuthentication) implementation would within its #authenticate() compare the system time with the value stored in the rep:passwordLastModified and throw a CredentialExpiredException if now is after or on the date-time specified by the value. In the case of initialPasswordChange a password is considered expired if no rep:passwordLastModified property can be found on login.
> Both expiry and force initial password change must be checked *after* regular credential verification, so as to prevent an attacker identifying valid users by being redirected to a change password form upon expiry.
> Kindly accept the patch for review and let me know your feedback.
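The expiry definition and the check ordering from the quoted issue, as an added Java sketch that is not part of the OAK-1922 patches or of Oak itself. The PwRecord class, the hash-comparison stand-in for credential verification and the epoch-millis representation of rep:passwordLastModified are assumptions made here for illustration; only the JAAS exception types are real.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.TimeUnit;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class ExpiryAwareAuthentication {
    // Constructed stand-in for the rep:pw sub-node; lastModified == null models
    // an absent rep:passwordLastModified property (e.g. a freshly created user).
    static final class PwRecord {
        final String passwordHash; // assumed already hashed by the user manager
        final Long lastModified;   // epoch millis of the last password change
        PwRecord(String passwordHash, Long lastModified) {
            this.passwordHash = passwordHash;
            this.lastModified = lastModified;
        }
    }

    private final long maxPasswordAge;           // days; 0 disables expiry
    private final boolean initialPasswordChange; // force a change on first login

    ExpiryAwareAuthentication(long maxPasswordAge, boolean initialPasswordChange) {
        this.maxPasswordAge = maxPasswordAge;
        this.initialPasswordChange = initialPasswordChange;
    }

    // Expired iff the property is missing while either feature is enabled, or
    // now is on/after lastModified + maxPasswordAge days.
    boolean isExpired(Long lastModified, long now) {
        if (lastModified == null) return maxPasswordAge > 0 || initialPasswordChange;
        if (maxPasswordAge <= 0) return false;
        return now >= lastModified + TimeUnit.DAYS.toMillis(maxPasswordAge);
    }

    // Credentials are verified first; expiry is only reported for a valid
    // password, so a wrong password never reveals whether the account exists.
    void authenticate(PwRecord user, String suppliedHash, long now) throws LoginException {
        boolean valid = user != null && MessageDigest.isEqual(
                user.passwordHash.getBytes(StandardCharsets.UTF_8),
                suppliedHash.getBytes(StandardCharsets.UTF_8));
        if (!valid) {
            throw new FailedLoginException("invalid credentials");
        }
        if (isExpired(user.lastModified, now)) {
            throw new CredentialExpiredException("password expired");
        }
    }
}
```

A caller catching CredentialExpiredException separately from FailedLoginException can redirect to a change-password form only once the password itself has been verified, which is the ordering the issue requires.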
--
This message was sent by Atlassian JIRA
(v6.2#6252)
