feature request #9862
closedcentralized password policy enforcement validator
100%
Description
Currently rules to validate the security of passwords are only implemented in the TaxEditor (eu.etaxonomy.taxeditor.ui.password.PasswordWizardPage.PasswordValidator).
For consistent password security rules a class to validate the password security should be implemented centrally in the cdmlib.
Passay is an often used password policy enforcement library for java
Files
| clipboard-202201211646-6i1sw.png (28.9 KB) clipboard-202201211646-6i1sw.png | |||
| clipboard-202201211648-goxaw.png (22.4 KB) clipboard-202201211648-goxaw.png |
Related issues
Updated by Andreas Kohlbecker over 1 year ago
- Related to feature request #9859: Password Recovery UI added
Updated by Andreas Kohlbecker over 1 year ago
- Status changed from New to Resolved
- % Done changed from 0 to 50
Applied in changeset cdmlib|4b4dfff4929970b5b547c1f21b10359fd3f39c50.
Updated by Andreas Kohlbecker over 1 year ago
the 4b4dfff4 also contains a @ValidPassword annotation which can be used at model classes
please review
Updated by Andreas Kohlbecker over 1 year ago
- Assignee changed from Andreas Kohlbecker to Andreas Müller
Updated by Andreas Müller over 1 year ago
- Status changed from Resolved to Feedback
- Assignee changed from Andreas Müller to Andreas Kohlbecker
- % Done changed from 50 to 80
Generally it works. Some minor issues:
- The validator class should always named like {ValidationAnnotationName}Validator, I did rename it to ValidPasswordValidator
- I added null check as PasswordData throws exception for null value
- I added max length as the password field in the DB only accepts 256 characters (and also the error message does not not look nice if saying '... should be between 8 and 210000000 or so)
- tests were still missing, I added some first tests
Also validation did not yet use hibernate bean validation at all yet. This is necessary for Level1 validation as existing data may create errors otherwise. But we can use Level2 validation already and in future switch to Level1 validation. I added the according annotation to User.password field.
Note: Generally vaadin still seems to workaround the integrated hibernate bean validation by using the public static method in the validator. In future we may want to integrate bean validation deeper into vaadin UIs. For now this is perfectly ok as it allows fast implementation but code is still at the correct place in model.validation.
Please review if you agree with my minor changes.
Updated by Andreas Müller over 1 year ago
One more issue. I wonder if we really need to integrate a full new library for this function. There seem to be simple regex solutions which are more lightweight like here: https://stackoverflow.com/questions/10877668/password-validation-using-hibernate-bean-validation
Updated by Andreas Kohlbecker over 1 year ago
- File clipboard-202201211646-6i1sw.png clipboard-202201211646-6i1sw.png added
- File clipboard-202201211648-goxaw.png clipboard-202201211648-goxaw.png added
- Status changed from Feedback to Resolved
Andreas Müller wrote in #note-8:
One more issue. I wonder if we really need to integrate a full new library for this function. There seem to be simple regex solutions which are more lightweight like here: https://stackoverflow.com/questions/10877668/password-validation-using-hibernate-bean-validation
Password rules can be fairly complex, so that it is not always easily understandable why a password has been rejected. This library helps a lot to identify what is wrong:
passowrd = "aaa"
password = "1aaaaaaaa"
"1aaaaaaaaA" is still not a good password, so it would make sense to add rules for variation, or entropy. This is also supported by this library and nothing you can achieve with regexes.
BTW: I will do the review of your implementation next week.
Updated by Andreas Müller over 1 year ago
Yes I agree, it is probably better although for possible future developments to have a more sophisticated library at hand.
Updated by Andreas Kohlbecker over 1 year ago
- Status changed from Resolved to Closed
- % Done changed from 80 to 100
I agree with your modifications and all open questions are solved, so we can close this ticket now
Updated by Andreas Müller over 1 year ago
- Target version changed from Release 5.40 to Release 5.29