[ https://issues.apache.org/jira/browse/JS2-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849223#action_12849223 ]
Ate Douma commented on JS2-548:
-------------------------------
I looked at this issue and see the problem.
However, providing a solution which automatically will honor password policy
configuration isn't so simple, especially not as the password validation
(through the CredentialPasswordValidator) itself is "pluggable".
Therefore, I'll provide a pluggable solution for the password generation itself
too which at least allows you to provide your own configuration/implementation
which will match your own password policy configuration.
For this, I'll create a new interface, o.a.j.administration.PasswordGenerator
and extract the current implementation from AdminUtil into a new
o.a.j.administration.SimplePasswordGeneratorImpl.
Furthermore, I'll extend the current implementation to support validating a
generated password against an optionally configured
CredentialPasswordValidator. If it fails, it simply will generate another one
until it validates.
This might not be good enough for your use-case, but at least now you can
either customize, extend or replace this SimplePasswordGeneratorImpl as you
desire to meet your needs.
> Extending password policy to require alternate characters (eg 2 numbers along
> with 4 letters) will fail on auto-password generation for new user
> registration
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: JS2-548
> URL: https://issues.apache.org/jira/browse/JS2-548
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.0-FINAL
> Environment: All environments
> Reporter: Brad Svee
> Assignee: Ate Douma
> Priority: Minor
> Fix For: 2.2.1
>
>
> The class org.apache.jetspeed.administration.AdminUtil in the Portal
> component has a generatePassword method that is used by the registration
> portlet to create an auto-generated password for new user registration.
> However that functionality doesn't take into account any additional password
> policy requirements, for example requiring at least 2 numbers in addition to
> several letters, in this case, probability allows for a high success rate on
> successfully generating proper passwords, but sometimes it will fail
> generating a password without any numbers. Additionally, the password policy
> to require a "funny" character #...@% will never allow a generated password
> to be created, because those characters are not in the password seed set.
> Eventually it would be nice to expose the password policy to the
> administration bean and generate new passwords with the password policy
> configuration in mind.
--
This message is automatically generated by JIRA.
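The generate-and-revalidate loop described in the comment above, as an added example that is not Jetspeed code and not the implementation committed for this issue. `Predicate<String>` stands in for the pluggable validator; the class name, seed set, symbol set and attempt limit are assumptions. The retries are bounded so that a policy requiring characters outside the seed set, the case the reporter describes, ends in an error instead of an endless loop.

```java
import java.security.SecureRandom;
import java.util.function.Predicate;

/** Added illustration; hypothetical class, not part of Jetspeed. */
public class BoundedPasswordGenerator {
    // Constructed seed set (assumption): letters and digits only, no symbols.
    private static final String SEED =
        "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private final SecureRandom random = new SecureRandom();
    private final Predicate<String> validator; // stand-in for the pluggable validator, may be null
    private final int length;
    private final int maxAttempts;
    public BoundedPasswordGenerator(Predicate<String> validator, int length, int maxAttempts) {
        this.validator = validator;
        this.length = length;
        this.maxAttempts = maxAttempts;
    }
    private String candidate() {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(SEED.charAt(random.nextInt(SEED.length())));
        }
        return sb.toString();
    }
    /** Regenerates until the validator accepts, but gives up after maxAttempts. */
    public String generate() {
        for (int attempt = 0; attempt < maxAttempts; attempt++) {
            String password = candidate();
            if (validator == null || validator.test(password)) {
                return password;
            }
        }
        throw new IllegalStateException("No generated password met the policy after "
            + maxAttempts + " attempts; compare the seed set with the policy");
    }
    public static void main(String[] args) {
        // Policy the seed set can satisfy: at least two digits.
        Predicate<String> twoDigits = p -> p.chars().filter(Character::isDigit).count() >= 2;
        String ok = new BoundedPasswordGenerator(twoDigits, 8, 1000).generate();
        System.out.println("accepted by policy: " + twoDigits.test(ok));
        // Policy the seed set can never satisfy: requires one of the constructed symbols.
        Predicate<String> needsSymbol = p -> p.chars().anyMatch(c -> "#@%".indexOf(c) >= 0);
        try {
            new BoundedPasswordGenerator(needsSymbol, 8, 1000).generate();
        } catch (IllegalStateException e) {
            System.out.println("generation refused: " + e.getMessage());
        }
    }
}
```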