You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2015/02/16 15:45:12 UTC

[jira] [Updated] (OAK-2445) Password History Support

     [ https://issues.apache.org/jira/browse/OAK-2445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated OAK-2445:
------------------------
    Component/s:     (was: security)
                 core

> Password History Support
> ------------------------
>
>                 Key: OAK-2445
>                 URL: https://issues.apache.org/jira/browse/OAK-2445
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core
>    Affects Versions: 1.1.5
>            Reporter: Dominique Jäggi
>            Assignee: Dominique Jäggi
>         Attachments: OAK-2445_-_Password_History_Support.patch
>
>
> This is a patch that enhances oak security to support user user password history.
> details of the feature as per doc:
> {noformat}
> Password History
> --------------------------------------------------------------------------------
> ### General
> Oak provides functionality to remember a configurable number of
> passwords after password changes and to prevent a password to
> be set during changing a user's password if found in said history.
> ### Configuration
> An administrator may enable password history via the
> _org.apache.jackrabbit.oak.security.user.UserConfigurationImpl_
> OSGi configuration. By default the history is disabled.
> The following configuration option is supported:
> - Maximum Password History Size (_passwordHistorySize_, number of passwords): When greater 0 enables password
>   history and sets feature to remember the specified number of passwords for a user.
> ### How it works
> #### Recording of Passwords
> If the feature is enabled, during a user changing her password, the old password
> hash is recorded in the password history.
> The old password hash is only recorded if a password was set (non-empty).
> Therefore setting a password for a user for the first time does not result
> in a history record, as there is no old password.
> The old password hash is copied to the password history *after* the provided new
> password has been validated (e.g. via the _PasswwordChangeAction_) but *before*
> the new password hash is written to the user's _rep:password_ property.
> The history operates as a FIFO list. A new password history record exceeding the
> configured max history size, results in the oldest recorded password from being
> removed from the history.
> Also, if the configuration parameter for the history
> size is changed to a non-zero but smaller value than before, upon the next
> password change the oldest records exceeding the new history size are removed.
> History password hashes are recorded as child nodes of a user's _rep:pwd/rep:pwdHistory_
> node. The _rep:pwdHistory_ node is governed by the _rep:PasswordHistory_ node type,
> its children by the _rep:PasswordHistoryEntry_ node type, allowing setting of the
> _rep:password_ property and its record date via _jcr:created_.
> ##### Node Type rep:PasswordHistory and rep:PasswordHistoryEntry
>     [rep:PasswordHistory]
>         + * (rep:PasswordHistoryEntry) = rep:PasswordHistoryEntry protected
>     [rep:PasswordHistoryEntry] > nt:hierarchyNode
>         - rep:password (STRING) protected
> ##### Nodes rep:pwd and rep:pwdHistory
>     [rep:Password]
>         + rep:pwdHistory (rep:PasswordHistory) = rep:PasswordHistory protected
>         ...
>     [rep:User] > rep:Authorizable, rep:Impersonatable
>         + rep:pwd (rep:Password) = rep:Password protected
>         ...
>         
> The _rep:pwdHistory_ and history entry nodes and the _rep:password_ property
> are defined protected in order to guard against the user modifying (overcoming) her
> password history limitations. The new sub-nodes also has the advantage of allowing
> repository consumers to e.g. register specific commit hooks / actions on such a node.
> #### Evaluation of Password History
> Upon a user changing her password and if the password history feature is enabled
> (configured password history size > 0), the _PasswordChangeAction_ checks whether
> any of the password hashes recorded in the history matches the new password.
> If any record is a match, a _ConstraintViolationException_ is thrown and the
> user's password is *NOT* changed.
> #### Oak JCR XML Import
> When users are imported via the Oak JCR XML importer, password history is
> currently not supported (ignored).
> {noformat}
> [~anchela], if you could kindly review the patch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)