Enforce Password Policy
A Password Policy defines a set of rules to determine whether a new password is valid or not.
For Subscription editions only.
Overview
By default, no password policy is set for Bonita users, so any password is accepted at user creation. Setting a policy is strongly recommended: weak passwords are the easiest route for an attacker to take over an account and the data it can reach.
There are three options:

- Leave the default setting as is: "non-protected".
- Apply the ready-to-use policy to a tenant. This requires a password to contain:
  - at least 10 characters
  - at least 2 special characters
  - at least 2 upper case characters
  - at least 2 lower case characters
  - at least 3 digits

  To apply this policy, change the validator class named by the `security.password.validator` property from `DefaultPasswordValidator` to `RobustnessPasswordValidator` in the file `security-config.properties`. Which copy of the file to edit depends on the state of the platform:
  - if the platform has never been started, edit the initial configuration: `<TOMCAT_HOME>/setup/platform_conf/initial/tenant_template_portal/security-config.properties`
  - if the platform has already been started, edit the current configuration with the platform setup tool: `<TOMCAT_HOME>/setup/platform_conf/current/tenants/1/tenant_portal/security-config.properties`
- Create a custom password policy by following the tutorial below.
How to create a custom password policy
This tutorial shows how a system administrator can create a custom Java class that defines the characteristics of a password policy. The policy is applied to all users.
Prerequisites
You should have Maven installed and set up to access the Bonita Artifact Repository.
How to create a Java class containing your own password validation characteristics
Here are the steps to create and add a custom password validator:

- Create a new Maven project in your favorite IDE.
- Add a dependency on the `bonita-web-server` artifact in the `pom.xml`:

  ```xml
  <dependencies>
    <dependency>
      <groupId>org.bonitasoft.console</groupId>
      <artifactId>bonita-web-server</artifactId>
      <!-- Version can be omitted when bonita-runtime-bom is imported -->
      <version>10.1.0</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <!-- Add required additional repositories -->
  <repositories>
    <repository>
      <id>restlet</id>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <url>https://maven.restlet.talend.com/</url>
    </repository>
    <repository>
      <id>terracotta</id>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <url>https://repo.terracotta.org/maven2/</url>
    </repository>
  </repositories>
  ```

- Create your class, e.g. `PasswordLengthValidator`, in a package of your choice, e.g. `org.bonitasoft.ext.password.validator`:

  ```java
  package org.bonitasoft.ext.password.validator;

  import static org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.t_;

  import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n;
  import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.LOCALE;
  import org.bonitasoft.web.toolkit.client.data.item.attribute.validator.AbstractStringValidator;

  public class PasswordLengthValidator extends AbstractStringValidator {

      @Override
      protected void _check(String password) {
          // "locale" is a field inherited from the validator base class; it holds the
          // current user's locale so error messages can be translated with t_()
          LOCALE userLocale = AbstractI18n.stringToLocale(locale);
          // Reject any password shorter than the minimal length
          int minimalLength = 10;
          if (password.length() < minimalLength) {
              addError(t_("Password is not long enough", userLocale));
          }
      }
  }
  ```

- Build and install the project: in a terminal, run `mvn install` at the root of the project.
- The built artifact can now be added in a Bonita project extension.[1]
- Build the Bonita project as a bundle or a Docker image using Maven.
- Using the setup tool, modify the `security-config.properties` file so that the `security.password.validator` property names your new validator class:

  ```properties
  # content of the file security-config.properties
  security.password.validator org.bonitasoft.ext.password.validator.PasswordLengthValidator
  ```

- Start the application.
- Create a new user and check that your password policy is enforced. To check that validation works, enter a password that violates the policy: the error displayed lists every criterion the password does not meet. If the password satisfies all the criteria of the new policy, no error is displayed.
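The `PasswordLengthValidator` above checks a single rule. Since the `security.password.validator` property on this page names one class, a policy with several rules is most simply implemented as one validator that checks all of them and calls `addError()` once per unmet rule, so the user sees the complete list of problems rather than fixing them one at a time. The class below is an added example written for this page, not Bonita's own `RobustnessPasswordValidator` nor any other code from the Bonita project; it reproduces the five thresholds of the ready-to-use policy described above. The class name `CompositePasswordValidator`, the message texts, and the definition of "special" (any non-whitespace character that is neither an upper case letter, a lower case letter, nor a digit) are assumptions made here; Bonita's built-in validator may define the character classes differently.

```java
package org.bonitasoft.ext.password.validator;

import static org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.t_;

import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n;
import org.bonitasoft.web.toolkit.client.common.i18n.AbstractI18n.LOCALE;
import org.bonitasoft.web.toolkit.client.data.item.attribute.validator.AbstractStringValidator;

/**
 * Added example (not Bonita's RobustnessPasswordValidator): enforces the five rules of the
 * ready-to-use policy and reports every unmet rule in one pass.
 */
public class CompositePasswordValidator extends AbstractStringValidator {

    // Thresholds taken from the ready-to-use policy described on this page
    private static final int MIN_LENGTH = 10;
    private static final int MIN_SPECIAL = 2;
    private static final int MIN_UPPER = 2;
    private static final int MIN_LOWER = 2;
    private static final int MIN_DIGITS = 3;

    @Override
    protected void _check(String password) {
        // "locale" is inherited from the validator base class, as in PasswordLengthValidator
        LOCALE userLocale = AbstractI18n.stringToLocale(locale);

        if (password == null || password.isEmpty()) {
            addError(t_("Password must not be empty", userLocale));
            return;
        }

        int upper = 0;
        int lower = 0;
        int digits = 0;
        int special = 0;

        // Walk the string by code point so a character outside the BMP counts once,
        // not as two surrogate chars
        for (int i = 0; i < password.length(); ) {
            int cp = password.codePointAt(i);
            if (Character.isUpperCase(cp)) {
                upper++;
            } else if (Character.isLowerCase(cp)) {
                lower++;
            } else if (Character.isDigit(cp)) {
                digits++;
            } else if (!Character.isWhitespace(cp)) {
                // Assumption made by this example: anything else that is not whitespace is "special"
                special++;
            }
            i += Character.charCount(cp);
        }
        int length = password.codePointCount(0, password.length());

        // Each unmet rule adds its own error; addError() accumulates them, so the user
        // gets the full list instead of the first failure only
        if (length < MIN_LENGTH) {
            addError(t_("Password must be at least 10 characters long", userLocale));
        }
        if (special < MIN_SPECIAL) {
            addError(t_("Password must contain at least 2 special characters", userLocale));
        }
        if (upper < MIN_UPPER) {
            addError(t_("Password must contain at least 2 upper case characters", userLocale));
        }
        if (lower < MIN_LOWER) {
            addError(t_("Password must contain at least 2 lower case characters", userLocale));
        }
        if (digits < MIN_DIGITS) {
            addError(t_("Password must contain at least 3 digits", userLocale));
        }
    }
}
```

To activate it, point the `security.password.validator` property in `security-config.properties` at `org.bonitasoft.ext.password.validator.CompositePasswordValidator` instead of `PasswordLengthValidator`, then rebuild and restart as in the steps above. With this class installed, a password such as `abc` fails all five rules and the resulting error lists all five, while `Str0ng!Pa55w0rd#` passes every rule and produces no error.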
The default error message shown on the default admin user list page is