You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Dominique Jäggi (JIRA)" <ji...@apache.org> on 2015/01/26 12:22:34 UTC

[jira] [Created] (OAK-2445) Password History Support

Dominique Jäggi created OAK-2445:
------------------------------------

             Summary: Password History Support
                 Key: OAK-2445
                 URL: https://issues.apache.org/jira/browse/OAK-2445
             Project: Jackrabbit Oak
          Issue Type: New Feature
          Components: security
    Affects Versions: 1.1.5
            Reporter: Dominique Jäggi


This is a patch that enhances oak security to support user user password history.

details of the feature as per doc:

Password History
--------------------------------------------------------------------------------

### General

Oak provides functionality to remember a configurable number of
passwords after password changes and to prevent a password to
be set during changing a user's password if found in said history.

### Configuration

An administrator may enable password history via the
_org.apache.jackrabbit.oak.security.user.UserConfigurationImpl_
OSGi configuration. By default the history is disabled.

The following configuration option is supported:

- Maximum Password History Size (_passwordHistorySize_, number of passwords): When greater 0 enables password
  history and sets feature to remember the specified number of passwords for a user.

### How it works

#### Recording of Passwords

If the feature is enabled, during a user changing her password, the old password
hash is recorded in the password history.

The old password hash is only recorded if a password was set (non-empty).
Therefore setting a password for a user for the first time does not result
in a history record, as there is no old password.

The old password hash is copied to the password history *after* the provided new
password has been validated (e.g. via the _PasswwordChangeAction_) but *before*
the new password hash is written to the user's _rep:password_ property.

The history operates as a FIFO list. A new password history record exceeding the
configured max history size, results in the oldest recorded password from being
removed from the history.

Also, if the configuration parameter for the history
size is changed to a non-zero but smaller value than before, upon the next
password change the oldest records exceeding the new history size are removed.

History password hashes are recorded as child nodes of a user's _rep:pwd/rep:pwdHistory_
node. The _rep:pwdHistory_ node is governed by the _rep:PasswordHistory_ node type,
its children by the _rep:PasswordHistoryEntry_ node type, allowing setting of the
_rep:password_ property and its record date via _jcr:created_.

##### Node Type rep:PasswordHistory and rep:PasswordHistoryEntry

    [rep:PasswordHistory]
        + * (rep:PasswordHistoryEntry) = rep:PasswordHistoryEntry protected

    [rep:PasswordHistoryEntry] > nt:hierarchyNode
        - rep:password (STRING) protected

##### Nodes rep:pwd and rep:pwdHistory

    [rep:Password]
        + rep:pwdHistory (rep:PasswordHistory) = rep:PasswordHistory protected
        ...

    [rep:User] > rep:Authorizable, rep:Impersonatable
        + rep:pwd (rep:Password) = rep:Password protected
        ...
        
The _rep:pwdHistory_ and history entry nodes and the _rep:password_ property
are defined protected in order to guard against the user modifying (overcoming) her
password history limitations. The new sub-nodes also has the advantage of allowing
repository consumers to e.g. register specific commit hooks / actions on such a node.

#### Evaluation of Password History

Upon a user changing her password and if the password history feature is enabled
(configured password history size > 0), the _PasswordChangeAction_ checks whether
any of the password hashes recorded in the history matches the new password.

If any record is a match, a _ConstraintViolationException_ is thrown and the
user's password is *NOT* changed.

#### Oak JCR XML Import

When users are imported via the Oak JCR XML importer, password history is
currently not supported (ignored).

[~anchela], if you could kindly review the patch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)