Seems like something Shiro could offer, but it doesn't today. That said... adding simple regular expression checks can solve password creation to your requirements. Adding password expiry and failed attempts columns to your db is easy, as is changing the query Shiro uses to retrieve data. Shiro provides several exception types for handling things like DisabledAccountException, ExcessiveAttemptsException, ExpiredCredentialsException. WebUtils has several powerful methods that allow for smart redirecting.
-d

On 27 March 2014 00:51, agilone <[email protected]> wrote:
> Hi All,
>
> I was wondering what is the best way to implement password policy with
> Shiro. It might sound unrelated and even outside the scope of Shiro but
> [IMHO] I can't think of a security framework without a password policy
> feature. You can find the sample policy below.
> Currently we are using Shiro version 1.2.2 with JDBC MySQL backend and
> Enterprise Cache [memcached].
> Thanks,
>
> ED
>
> 1. Password to be at least 8 chars long
> 2. Contains at least 1 Capital letter, 1 lower case letter, 1 number or
> Special char
> 3. Password to be expired every 3 months
> 4. Account to be locked after 6 wrong attempts
> 5. Account to be unlocked after 15 minutes from the last wrong attempt or
> Admin can unlock or use the forgot password feature to update new password
> 6. Password has to be changed after password expired before they can login
> to see anything
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-to-implement-Password-Policy-tp7579842.html
> Sent from the Shiro User mailing list archive at Nabble.com.
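The pieces the reply lists (a policy regex, expiry and failed-attempt columns, a custom query, and Shiro's own exception types) assembled into one realm, as an added example; it is not code from this thread or from the Shiro project. The `users` table and its columns, the `PolicyRealm` name, the 90-day approximation of three months and the `DataSource` wiring are assumptions; the stored hash is compared by whatever `CredentialsMatcher` the realm is configured with, and the failed-attempt counters are assumed to be maintained separately (for instance from an `AuthenticationListener`).

```java
import java.sql.*;
import java.time.*;
import java.util.regex.Pattern;
import javax.sql.DataSource;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;

// Realm enforcing the quoted policy's lockout and expiry rules against an assumed `users` table.
public class PolicyRealm extends AuthenticatingRealm {
    static final int MAX_FAILURES = 6;                          // rule 4
    static final Duration LOCK_WINDOW = Duration.ofMinutes(15); // rule 5
    static final Duration MAX_AGE = Duration.ofDays(90);        // rule 3 (3 months, approximated)
    // rules 1-2: at least 8 chars, one upper, one lower, one digit or special character
    static final Pattern POLICY = Pattern.compile("^(?=.*[A-Z])(?=.*[a-z])(?=.*[^A-Za-z]).{8,}$");
    private final DataSource ds;
    public PolicyRealm(DataSource ds) { this.ds = ds; }
    // rules 1-2: check a candidate password before hashing and storing it
    public static boolean meetsPolicy(String candidate) {
        return candidate != null && POLICY.matcher(candidate).matches();
    }
    // carries the password age so expiry is reported only after the hash matched (nothing leaks to guessers)
    static class ExpiringInfo extends SimpleAuthenticationInfo {
        final Instant changedAt;
        ExpiringInfo(String u, String hash, String realm, Instant at) { super(u, hash, realm); changedAt = at; }
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = ((UsernamePasswordToken) token).getUsername();
        String sql = "SELECT password_hash, failed_attempts, last_failed_at, password_changed_at FROM users WHERE username = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) throw new UnknownAccountException(user);
                Timestamp lastFail = rs.getTimestamp("last_failed_at"); // assumed column, updated on each failure
                boolean inWindow = lastFail != null && Instant.now().isBefore(lastFail.toInstant().plus(LOCK_WINDOW));
                if (rs.getInt("failed_attempts") >= MAX_FAILURES && inWindow)      // rules 4-5: locked, auto-unlocks
                    throw new ExcessiveAttemptsException("locked, retry after 15 minutes");
                Timestamp changed = rs.getTimestamp("password_changed_at");
                return new ExpiringInfo(user, rs.getString("password_hash"), getName(), changed == null ? null : changed.toInstant());
            }
        } catch (SQLException e) { throw new AuthenticationException("lookup failed", e); }
    }
    @Override
    protected void assertCredentialsMatch(AuthenticationToken t, AuthenticationInfo info) {
        super.assertCredentialsMatch(t, info); // wrong password -> IncorrectCredentialsException
        Instant changed = ((ExpiringInfo) info).changedAt;
        if (changed == null || Instant.now().isAfter(changed.plus(MAX_AGE)))        // rules 3 & 6
            throw new ExpiredCredentialsException("password expired, change required");
    }
}
```

A login filter can catch `ExpiredCredentialsException` and redirect to the change-password page, and `ExcessiveAttemptsException` to a locked-account page, which is where the WebUtils redirect helpers the reply mentions come in.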
