With the Jetspeed
DefaultCredentialHandler special management of password credentials can
easily be configured. Through the provided
InternalPasswordCredentialInterceptor components custom logic can be plugged in for:
CredentialPasswordEncoder is available from the
PasswordCredentialProvider, passwords will be encoded with it before they are persisted. The provided
MessageDigest hash algorithms for the password encryption, and can for example be configured to use
CredentialPasswordValidator is available from the
PasswordCredentialProvider, passwords will be validated with it before they are persisted. The
DefaultCredentialPasswordValidator for example enforces a non-empty password. And with the
SimpleCredentialPasswordValidator a minimum length and a minimum number of numeric characters can be enforced.
DefaultCredentialHandler is provided with an
InternalPasswordCredentialInterceptor, it will invoke this interceptor (or an arbitrary set if
InternalPasswordCredentialInterceptorsProxy is used) on:
PasswordCredentialProvider, the same as used when a password is changed.
is_expired members of the
InternalCredential and sets the expired flag when, on authentication of a user, its (valid) password is expired. The authentication will then fail.
PasswordCredentialValveImpl can be used to request or even enforce users to change their password in time to prevent a password expiration (described further below).
PasswordAlreadyUsedException will be thrown. But setting a new password through the administrative interface still allows any password (when otherwise valid) to be set.
DefaultCredentialHandler only supports one interceptor to be configured.
But, with the
InternalPasswordCredentialInterceptorsProxy, a list of interceptors can
be configured which then will be invoked sequentially.
Jetspeed comes out of the box with several of these interceptors configured, and it is very easy to change and extend them. See the security-spi-atn.xml section in the Security Services Configuration document for a description of the default configuration. Also provided there is an example of how to set up the interceptors to restore the "old" (and much more restrictive) configuration provided with the 2.0-M3 release and earlier.
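The flow described above (validate the clear-text password, encode it with a MessageDigest hash, then invoke a list of interceptors sequentially before the value is persisted) can be sketched in plain Java. This is an added example, not Jetspeed code: every class and method name in it is hypothetical, and the SHA-256 digest, Base64 output, thresholds and history size are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
// Added illustration; every type and method name here is hypothetical, not Jetspeed's API.
public class CredentialPipelineDemo {
    // Same kind of rule the page attributes to SimpleCredentialPasswordValidator.
    static void validate(String pw, int minLen, int minDigits) {
        if (pw == null || pw.isEmpty()) throw new IllegalArgumentException("empty password");
        long digits = pw.chars().filter(Character::isDigit).count();
        if (pw.length() < minLen || digits < minDigits)
            throw new IllegalArgumentException("password too weak");
    }

    // MessageDigest-based encoding; SHA-256 and Base64 output are assumptions.
    static String encode(String pw) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(pw.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }
    interface Interceptor { void beforeSetPassword(String user, String encoded); }

    // Stand-in history check: rejects a value still held in the user's recent history.
    static class HistoryInterceptor implements Interceptor {
        private final Map<String, Deque<String>> history = new HashMap<>();
        private final int size;
        HistoryInterceptor(int size) { this.size = size; }
        public void beforeSetPassword(String user, String encoded) {
            Deque<String> h = history.computeIfAbsent(user, u -> new ArrayDeque<>());
            if (h.contains(encoded)) throw new IllegalStateException("password already used");
            h.addFirst(encoded);
            if (h.size() > size) h.removeLast();
        }
    }
    // Validate the clear text, encode it, then run each interceptor in list order.
    static String setPassword(String user, String pw, List<Interceptor> chain) throws Exception {
        validate(pw, 8, 2);
        String encoded = encode(pw);
        for (Interceptor i : chain) i.beforeSetPassword(user, encoded);
        return encoded; // the value that would be persisted
    }

    public static void main(String[] args) throws Exception {
        List<Interceptor> chain = List.of(new HistoryInterceptor(3));
        System.out.println("stored: " + setPassword("alice", "s3cret-pa55", chain));
        try { setPassword("alice", "s3cret-pa55", chain); }   // reuse
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
        try { setPassword("alice", "short1", chain); }        // fails validation
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the digest in this sketch is unsalted, equal passwords encode to equal values, which is what lets the history comparison work on encoded values and also means identical passwords are recognisable in the stored data.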
The class diagram below describes the components used for the
The OJB mappings for the default credentials implementation are described in
InternalCredential: Maps to the SECURITY_CREDENTIAL table.