Enforce Password Policy
A Password Policy defines a set of rules to determine whether a new password is valid or not.
For Subscription editions only.
Overview
By default, no password policy is set for users of Bonita. It is therefore highly recommended to set a policy to protect your data.
There are three options:
- Leave the default setting as is: "non-protected".
- Apply our ready-to-use policy to a tenant. This requires a password to contain the following:
  - at least 10 characters
  - at least 2 special characters
  - at least 2 upper case characters
  - at least 2 lower case characters
  - at least 3 digits

  To apply this policy, edit the initial configuration in <TOMCAT_HOME>/setup/platform_conf/initial/platform_portal/security-config.properties if you have never started the platform yet, or the current configuration in <TOMCAT_HOME>/setup/platform_conf/current/platform_portal/security-config.properties if the platform has already been started using the platform setup tool, and change DefaultPasswordValidator to RobustnessPasswordValidator.
- Create a custom password policy by following the tutorial below.
How to create a custom password policy
This will enable the System administrator to create a custom class and define the characteristics for a particular password policy. It will be applied to all users.
Prerequisites
You should have Maven installed to create a project.
Import Toolkitview into your workspace.
How to create a Java class containing your own password validation characteristics
Here are the steps to add a custom password validator:
- Open Maven, and create a new Maven Project. This will create a pom.xml.
- Add a new dependency in your pom.xml to get toolkit-view (x.y.z is the Bonita version number):

  ```xml
  <dependencies>
    <dependency>
      <groupId>org.bonitasoft.console</groupId>
      <artifactId>console-common</artifactId>
      <version>x.y.z</version>
    </dependency>
  </dependencies>
  ```

  As this artifact is not available in public repositories, you have to follow this procedure (example given for the x.y.z version):
  - retrieve the console-common-x.y.z.jar from a Bonita distribution or live instance (in the bonita.war or in the exploded war)
  - retrieve the poms from the GitHub repository:
    - bonita-console: https://github.com/bonitasoft/bonita-web/blob/x.y.z/pom.xml
    - console-common: https://github.com/bonitasoft/bonita-web/blob/x.y.z/common/pom.xml
  - manually put the jars and poms in your local repository, or deploy them into your repository manager:
    - bonita-console pom.xml file in <M2_REPO>/org/bonitasoft/console/bonita-console/x.y.z
    - console-common pom.xml and jar files in <M2_REPO>/org/bonitasoft/console/console-common/x.y.z
- Create your class, e.g. PasswordLengthValidator, with a name for the package, e.g. org.bonitasoft.ext.password.validator:

  ```java
  package org.bonitasoft.ext.password.validator;

  import static org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n._;

  import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n;
  import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.LOCALE;
  import org.bonitasoft.web.toolkit.client.data.item.attribute.validator.AbstractStringValidator;

  /**
   * @author John Doe
   */
  public class PasswordLengthValidator extends AbstractStringValidator {

      @Override
      protected void _check(String password) {
          // 'locale' is the String field inherited from the toolkit validator base class
          LOCALE userLocale = AbstractI18n.stringToLocale(locale);
          // Check the minimum length
          int minimalLength = 10;
          if (password.length() < minimalLength) {
              addError(_("Password is not long enough", userLocale));
          }
      }
  }
  ```
- Then, build your project. On the command line, type `mvn package`.
- Go to the target/ folder, where you will find your JAR archive, e.g. password-validator-0.0.1-SNAPSHOT.jar.
- Take a bundle and start it once. This will extract the bonita.war. Start it by typing `cd bin` and then `./catalina.sh run`.
- Copy your JAR archive into the folder webapps/bonita/WEB-INF/lib.
- Modify all security-config.properties files to add your new password validator, e.g.:

  ```properties
  # content of the file
  security.password.validator org.bonitasoft.ext.password.validator.PasswordLengthValidator
  ```

- Start your bundle again: `cd bin` and then `./catalina.sh run`.
- Create a new user and check that your password policy has been applied. To check that the validation is correct, you can type a password that violates it to force an error. An exception will be displayed listing all the unmet criteria. If the password complies with the criteria in the new password policy, no exception error message will be displayed.
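As an added example (not part of the Bonita documentation or toolkit), the validator below enforces the five rules of the ready-to-use policy described in the overview and reports every unmet rule at once, which is what the last step above relies on when it says all failed criteria are listed. The class name and message texts are assumptions; the toolkit calls (`_check`, `addError`, `_`, `stringToLocale`) are the same ones used by PasswordLengthValidator.

```java
package org.bonitasoft.ext.password.validator;

import static org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n._;

import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n;
import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.LOCALE;
import org.bonitasoft.web.toolkit.client.data.item.attribute.validator.AbstractStringValidator;

/**
 * Added example (not Bonita code): enforces the five rules of the ready-to-use
 * policy and reports every unmet rule in one pass. The class name and message
 * texts are assumptions; the toolkit calls are those used by PasswordLengthValidator.
 */
public class RobustnessRulesValidator extends AbstractStringValidator {

    private static final int MIN_LENGTH = 10, MIN_SPECIAL = 2, MIN_UPPER = 2, MIN_LOWER = 2, MIN_DIGITS = 3;

    @Override
    protected void _check(final String password) {
        // 'locale' is the String field inherited from the toolkit validator base class
        final LOCALE userLocale = AbstractI18n.stringToLocale(locale);

        int upper = 0, lower = 0, digits = 0, special = 0;
        for (final char c : password.toCharArray()) {
            if (Character.isUpperCase(c)) upper++;
            else if (Character.isLowerCase(c)) lower++;
            else if (Character.isDigit(c)) digits++;
            else special++; // assumption: any other character counts as special
        }

        // Do not stop at the first failure: report every unmet criterion so the
        // user sees the full list, as described in the last step above
        if (password.length() < MIN_LENGTH) {
            addError(_("Password must be at least 10 characters long", userLocale));
        }
        if (special < MIN_SPECIAL) {
            addError(_("Password must contain at least 2 special characters", userLocale));
        }
        if (upper < MIN_UPPER) {
            addError(_("Password must contain at least 2 upper case characters", userLocale));
        }
        if (lower < MIN_LOWER) {
            addError(_("Password must contain at least 2 lower case characters", userLocale));
        }
        if (digits < MIN_DIGITS) {
            addError(_("Password must contain at least 3 digits", userLocale));
        }
    }
}
```

Register it the same way as PasswordLengthValidator, by pointing security.password.validator in every security-config.properties file at org.bonitasoft.ext.password.validator.RobustnessRulesValidator.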