Technical Blog Post
Abstract
Impose stricter password restrictions on user accounts through custom password policies
Body
As you are aware, SB2Bi allows admins/users to create system-defined password policies through the SB2Bi dashboard's Accounts menu -> Password Policy screen. A policy can be associated with an SB2Bi User or an SFG Trading Partner. System admins often want to know whether these password policy capabilities can be extended so that the password rules are far stricter. This blog aims to help with that requirement.
SB2Bi offers a way to define and integrate a custom password policy by implementing a Java class for an exposed interface. Link to documentation can be accessed here. I am going to walk you through a sample implementation and the steps involved to integrate it with SB2Bi.
1) Create a Java class implementing the SB2Bi interface "com.sterlingcommerce.woodstock.security.IPasswordPolicyExtension" and define its API "validateNewPassword(String password, String policyName)" to meet your password requirements. This class does not have to be created in the SB2Bi installation directory. It can be written in any Java IDE and in any folder structure.
Here is a sample Java class for my password requirements:
- Must be at least 9 characters long and must contain at least one upper-case letter, at least one lower-case letter, at least one number, and one of the special characters from !@#$%&*
I created my class on the SB2Bi host machine itself, but under a different standalone directory, e.g., /opt/workdir/
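package kk.pwdpolicy.extension;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IBMPasswordExtension implements com.sterlingcommerce.woodstock.security.IPasswordPolicyExtension {
    // One pattern per character class required by the policy
    private static Pattern lowerAlpha = Pattern.compile("[a-z]");
    private static Pattern upperAlpha = Pattern.compile("[A-Z]");
    private static Pattern digit = Pattern.compile("[0-9]");
    private static Pattern special = Pattern.compile("[!@#$%&*]");

    public String validateNewPassword(String password, String policyName) {
        Matcher hasAlpha = lowerAlpha.matcher(password);
        boolean alp = hasAlpha.find();                       // lower-case letter
        boolean alp2 = upperAlpha.matcher(password).find();  // upper-case letter
        boolean num = digit.matcher(password).find();        // number
        boolean sp = special.matcher(password).find();       // special character
        boolean cnt = password.length() >= 9;                // minimum length
        //DEBUG Lines into noapp.log.<datestamp>
        if (alp && alp2 && num && sp && cnt) {
            return null; // null means the password meets the requirements
        }
        // Any non-null String is treated as the error; this text is illustrative
        return "Password does not meet the custom password policy requirements";
    }
}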
Note: The validateNewPassword API returns a String. If it returns null, the password meets the requirements. Otherwise it must return an error String.
2) Compile the class and create a jar file. Sample commands that I ran from /opt/workdir/
<sb2bi_install>/jdk/bin/javac -cp <sb2bi_install>/jar/platform_ifcbase/1_3/platform_ifcbase.jar -d . *.java
<sb2bi_install>/jdk/bin/jar cvf IBMPasswordExtn.jar kk*
3) Install the jar produced in #2 using the install3rdParty.sh script available under the <sb2bi_install>/bin folder.
./install3rdParty.sh userExit 1_0 -j /opt/workdir/IBMPasswordExtn.jar
4) Enter the following line in <sb2bi_install>/properties/customer_overrides.properties. Make sure you enter the fully qualified class name, including the package name.
security.passwordPolicyExtensionImpl=kk.pwdpolicy.extension.IBMPasswordExtension
5) Restart the SB2Bi/SFG application.
This custom password policy is not listed in the dashboard. It is a global policy and is imposed on all user accounts that have one of the system password policies associated.
Note: A password policy created through the SB2Bi dashboard must be assigned to the user account in order for this custom password policy to take effect for that particular user. In other words, the custom password policy does not apply to a user account unless the user has a "Policy" assigned (on the SB2Bi dashboard).
----Testing ---
TestUser had "Sample User Policy" assigned, and when the admin tried to change his password to one not meeting the password requirements of the custom policy, it reported an error.
Similarly, when an SFG partner user tries to change the password through the myfilegateway UI login, it forces the user to use a strong password.
Along similar lines, when TestUser tried to change the password through the mailbox UI, it enforced the strong password requirement.
The System.out lines in the custom Java class are printed in the noapp.log.<datetime> file. The sample log for these change-password tests looks as below.
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE ***********
IBMPasswordExtension.validateNewPassword(S,S) triggered with password : Password1
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE has lower-case letter
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE has upper-case letter
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE has number
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE NO special character
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE has min. of 9 chars
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE Failing. Due to week password
************
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE ***********
IBMPasswordExtension.validateNewPassword(S,S) triggered with password : Password1#
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE has lower-case letter
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE has upper-case letter
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE has number
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE has special character
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE has min. of 9 chars
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE password Matches requirement
***********
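The debug lines in the sample class write every candidate password to noapp.log in clear text, as the log above shows, so they should come out once testing is done and existing logs should be checked. The following Python script is an added example, not part of the original post: it scans log text in the format shown above, reports where a password was logged without returning the value, and produces a redacted copy. The sample lines are constructed from that format with placeholder passwords, and the function names are hypothetical.

```python
import re

# Debug line printed by the sample class; everything after the colon is the
# candidate password in clear text.
LEAK_RE = re.compile(r"^(.*validateNewPassword\(S,S\) triggered with password : )(.*)$")
# Timestamp prefix of a noapp.log entry, e.g. [2017-06-06 09:27:54.222]
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]")
MARKER = "[REDACTED]"

# Constructed sample in the log format shown above (placeholder passwords).
SAMPLE_LOG = """\
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE ***********
IBMPasswordExtension.validateNewPassword(S,S) triggered with password : Example-Pw1
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE has lower-case letter
[2017-06-06 09:27:54.222] ALL 000000000000 GLOBAL_SCOPE NO special character
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE ***********
IBMPasswordExtension.validateNewPassword(S,S) triggered with password : Example-Pw2#
[2017-06-06 09:28:23.873] ALL 000000000000 GLOBAL_SCOPE password Matches requirement
"""


def find_password_leaks(log_text):
    """Return (line_number, entry_timestamp) per logged password, never the value."""
    hits = []
    last_ts = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ts = TS_RE.match(line)
        if ts:
            last_ts = ts.group(1)  # the debug line may follow its timestamp line
        m = LEAK_RE.match(line)
        if m and m.group(2) != MARKER:  # skip lines that are already redacted
            hits.append((lineno, last_ts))
    return hits


def redact(log_text):
    """Return the log text with every logged password replaced by MARKER."""
    return "\n".join(
        LEAK_RE.sub(lambda m: m.group(1) + MARKER, line)
        for line in log_text.splitlines()
    )


if __name__ == "__main__":
    for lineno, ts in find_password_leaks(SAMPLE_LOG):
        print(f"line {lineno}: password logged in clear text (entry at {ts})")
    print(redact(SAMPLE_LOG))
```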
UID
ibm11121097