Enforce Password Policy
A Password Policy defines a set of rules to determine whether a new password is valid or not.
For Subscription editions only. |
Overview
By default, no password policy is set for users of Bonita. It is therefore highly recommended to set a policy to protect your data.
There are three options:
-
Leave the default setting as is: "non-protected".
-
Apply our ready-to-use policy to a tenant. This requires a password to contain the following:
-
at least 10 characters long
-
at least 2 special characters
-
at least 2 upper case characters
-
at least 2 lower case characters
-
at least 3 digits
-
To apply this policy edit initial configuration in <TOMCAT_HOME>/setup/platform_conf/initial/tenant_template_portal/security-config.properties
if you have never started the platform yet, and current configuration in
<TOMCAT_HOME>/setup/platform_conf/current/tenants/1/tenant_portal/security-config.properties
if the platform has been already started using the platform setup tool and change DefaultPasswordValidator
to RobustnessPasswordValidator
.
-
Create a custom password policy by following the tutorial below.
How to create a custom password policy
This will enable the System administrator to create a custom class and define the characteristics for a particular password policy. It will be applied to all users.
Prerequisites
You should have Maven installed and setup to access the Bonita Artifact Repository.
How to create a Java class containing your own password validation characteristics
Here are the steps to create and add a custom password validator:
-
Create a new Maven Project in your favorite IDE.
-
Add a new dependency in the
pom.xml
tobonita-web-server
artifact.<dependencies> <dependency> <groupId>org.bonitasoft.console</groupId> <artifactId>bonita-web-server</artifactId> <!-- Version can be omitted when bonita-runtime-bom is imported --> <version>10.0.0</version> <scope>provided</scope> </dependency> </dependencies> <!-- Add required additional repositories --> <repositories> <repository> <id>restlet</id> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>false</enabled> </snapshots> <url>https://maven.restlet.talend.com/</url> </repository> <repository> <id>terracotta</id> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>false</enabled> </snapshots> <url>https://repo.terracotta.org/maven2/</url> </repository> </repositories>
-
Create your class, eg.
PasswordLengthValidator
with a name for the package, eg.org.bonitasoft.ext.password.validator
.package org.bonitasoft.ext.password.validator; import static org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.t_; import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n; import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.LOCALE; import org.bonitasoft.web.toolkit.client.data.item.attribute.validator.AbstractStringValidator; public class PasswordLengthValidator extends AbstractStringValidator { @Override protected void _check(String password) { LOCALE Locale = AbstractI18n.stringToLocale(locale); // Check number of length int minimalLength = 10; if (password.length() < minimalLength) { addError(t_("Password is not long enough", Locale)); } } }
-
Then, build and install the project. Using a terminal, type
mvn install
at the root of the project. -
The built artifact can now be added in a Bonita project extension.[1]
-
Build the Bonita project as a bundle or a docker image using Maven.
-
Using the setup tool modify the
security-config.properties
file to add your new password validator:# content of the file security.password.validator org.bonitasoft.ext.password.validator.PasswordLengthValidator
-
Start the application
-
Create a new user and check that your password policy has been set. To check that the validation is correct, you can type a password to force an error. An exception will be displayed listing all the non-filled criteria.
If the password complies with the criteria in the new password policy, no exception error message will be displayed.
The default error message shown on the default admin user list page is |