Enforce Password Policy

A Password Policy defines a set of rules to determine whether a new password is valid or not.

For Subscription editions only.

Overview

By default, no password policy is set for users of Bonita. It is therefore highly recommended to set a policy to protect your data.

There are three options:

Leave the default setting as is: "non-protected".
Apply our ready-to-use policy to a tenant. This requires a password to contain the following:
- at least 10 characters long
- at least 2 special characters
- at least 2 upper case characters
- at least 2 lower case characters
- at least 3 digits

To apply this policy edit initial configuration in <TOMCAT_HOME>/setup/platform_conf/initial/tenant_template_portal/security-config.properties if you have never started the platform yet, and current configuration in <TOMCAT_HOME>/setup/platform_conf/current/tenants/1/tenant_portal/security-config.properties if the platform has been already started using the platform setup tool and change DefaultPasswordValidator to RobustnessPasswordValidator.

Create a custom password policy by following the tutorial below.

How to create a custom password policy

This will enable the System administrator to create a custom class and define the characteristics for a particular password policy. It will be applied to all users.

Prerequisites

You should have Maven installed to create a project.

Import Toolkitview into your workspace.

How to create a Java class containing your own password validation characteristics

Here are the steps to add a custom password validator:

Open Maven, and create a new Maven Project. This will create a pom.xml

Add a new dependency in your pom.xml to get toolkit-view (x.y.z is the Bonita version number).

<dependencies>
      <dependency>
          <groupId>org.bonitasoft.console</groupId>
          <artifactId>console-common</artifactId>
          <version>x.y.z</version>
      </dependency>
  </dependencies>

As this artifact is not available in public repositories, you have to follow this given procedure (example given for the x.y.z version):

retrieve the console-common-x.y.z.jar from a Bonita distribution or live instance (in the bonita.war or in the exploded war)
retrieve poms from the github repository
- bonita-console: https://github.com/bonitasoft/bonita-web/blob/x.y.z/pom.xml
- console-common: https://github.com/bonitasoft/bonita-web/blob/x.y.z/common/pom.xml
manually put the jars and pom in your local repository or deploy them into your repository manager
- bonita-console pom.xml file in <M2_REPO>/org/bonitasoft/console/bonita-console/x.y.z
- console-common pom.xml and jar files in <M2_REPO>/org/bonitasoft/console/console-common/x.y.z

Create your class, eg. PasswordLengthValidator with a name for the package, eg. org.bonitasoft.ext.password.validator.

package org.bonitasoft.ext.password.validator;

import static org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.t_;

import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n;
import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.LOCALE;
import org.bonitasoft.web.toolkit.client.data.item.attribute.validator.AbstractStringValidator;

/**
 * @author John Doe
 */
public class PasswordLengthValidator extends AbstractStringValidator {

    @Override
    protected void _check(String password) {

        LOCALE Locale = AbstractI18n.stringToLocale(locale);

        // Check number of length
        int minimalLength = 10;
        if (password.length() < minimalLength) {
                addError(t_("Password is not long enough", Locale));
        }
    }
}

Then, you can build your project. In command-line and type mvn package
Go in the target/ folder and you have your JAR archive, eg. password-validator-0.0.1-SNAPSHOT.jar
Take a bundle and start it once. This will extract the bonita.war.
Start it by typing: cd binthen ./catalina.sh run
Copy your JAR archive in the folder webapps/bonita/WEB-INF/lib

Modify all security-config.properties files to add your new password validator. e.g.

# content of the file
security.password.validator org.bonitasoft.ext.password.validator.PasswordLengthValidator

Start your bundle again cd bin and then ./catalina.sh run
Create a new user and check that your password policy has been set. To check that the validation is correct, you can type a password to force an error. An exception will be displayed listing all the non-filled criteria.

If the password complies with the criteria in the new password policy, no exception error message will be displayed.

The default error message shown on the default admin user list page is Password must be at least 10 characters long containing at least 3 digits, 2 upper case characters, and 2 special characters.. If you configured a custom password policy, you might need to create a custom page to change the error message.