I wanted to provide an update on this work. We will need to refactor the configuration provided in PasswordPolicyConfiguration since many of the controls are irrelevant to directories other than AD. My inclination is to simply remove them, at least temporarily. That leaves the following controls:
- alwaysDisplayPasswordExpirationWarning
- passwordWarningNumberOfDays (removed "default" from name since it's not a default in most cases)
- passwordPolicyUrl

Everything appears specific to AD. My personal feeling is that there were way too many configuration knobs, and this refactoring simplifies. I'm open to an argument that the controls are needed; in that case we'll need a strategy to accommodate directory-specific configuration. Another benefit of this refactoring is that there's nothing directory-specific about that configuration component, so it can be moved to core.

That is a good segue into broader design issues. There's now no reason that password policy can't be baked into the default webflow. The PasswordPolicyAction can fire in all cases after form submission and only do something meaningful if a PasswordPolicyConfiguration bean is configured. I believe that will dramatically improve ease of configuration. It also creates a path to implementing password policies for other authentication backends.

Somewhat concerning is that the PasswordPolicyAction has apparently been deleted or renamed such that I can't find it. I could pore over the commit log to find it, but simply asking what happened is probably easier.

M
