Password expiration and history

I couldn’t find in CUBA two password requirements that are very common in corporate environments:

  1. Password expiration
  2. Password history (prevent a user from setting a previously used password).

Does CUBA support those requirements? Any plans for the future?

Thanks!

Alejandro

1 Like

Hi
I can tell for sure that they are NOT available, but the history check could be implemented by changing these parts in CUBA:

  • method checkPassword in UserManagementService : now it checks only if new password is the same as the old password, and it should be changed to check if new password is among the N passwords used in the past by that user (remember that they need to be stored somewhere, probably in a separate PasswordLog table)
  • method changeUserPassword in the same service: store the old password in the log for future check
  • ChangePasswordDialog: change the error message from “password must not be equal to old” to something like “password must not be equal to last N used”

Similarly the password expiration can be implemented in the same UserManagementService, and by changing the LoginWorkerBean and corresponding screens for error messages.

It’s not such a big deal as it seems; if I have some spare time in the future, I’ll add it to my upcoming security component (that I hope to publish on GH someday).
If you want to try implementing it yourself, share your results here :wink:

Bye
Paolo

1 Like
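
The history and expiration checks outlined in the reply above, as an added stand-alone sketch that is not code from CUBA or from any poster in this thread. `PasswordPolicy`, `Entry` and the in-memory log standing in for a `PasswordLog` table are hypothetical names, and PBKDF2 with the iteration count shown is an assumed hashing choice; the current password is kept as the newest log entry.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration: PasswordPolicy and every name in it are hypothetical, not CUBA classes.
public class PasswordPolicy {
    // One row of a hypothetical PasswordLog table: per-entry salt, hash, creation time.
    record Entry(byte[] salt, byte[] hash, Instant createdAt) {}

    private final Deque<Entry> log = new ArrayDeque<>(); // newest (current) password first
    private final int historySize;
    private final Duration maxAge;

    PasswordPolicy(int historySize, Duration maxAge) {
        this.historySize = historySize;
        this.maxAge = maxAge;
    }

    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Rejects a password found among the last N; otherwise logs it and trims the log to N.
    boolean changePassword(char[] candidate, Instant now) throws Exception {
        for (Entry e : log) // salted hashes differ per entry, so re-hash with each stored salt
            if (MessageDigest.isEqual(hash(candidate, e.salt()), e.hash())) return false;
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        log.addFirst(new Entry(salt, hash(candidate, salt), now));
        while (log.size() > historySize) log.removeLast();
        return true;
    }

    // Expired when no password is set or the newest entry is older than maxAge.
    boolean isExpired(Instant now) {
        return log.isEmpty() || log.peekFirst().createdAt().plus(maxAge).isBefore(now);
    }

    public static void main(String[] args) throws Exception {
        PasswordPolicy p = new PasswordPolicy(2, Duration.ofDays(90)); // constructed sample values
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        System.out.println(p.changePassword("pw-A".toCharArray(), t0)); // first password
        System.out.println(p.changePassword("pw-B".toCharArray(), t0)); // new password
        System.out.println(p.changePassword("pw-A".toCharArray(), t0)); // reuse inside the window
        System.out.println(p.isExpired(t0.plus(Duration.ofDays(91))));  // checked past maxAge
    }
}
```

Because each stored hash has its own salt, the cost of a history check grows with N times the key-derivation work, which is worth weighing when choosing the history size.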

Thanks!

Paolo,

Well, almost a year and a half later, I had to write this feature.

It’s on the marketplace: Password-plus – CUBA Platform

(And now I can check this issue as solved :wink:)