davideuler / pwm

Automatically exported from code.google.com/p/pwm
0 stars 0 forks source link

Enforced password policies not consistent with configuration of allow numeric and allow non-alpha #556

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. On the password policy screen in the configuration manager, or editing the 
.xml configuration directory, toggle  allowing numeric or non-alphabetic 
characters in passwords to 'true'.  
2. Save the configuration; restart Tomcat
3. Log in as a user in order to change a password that does contain numeric and 
non-alpha characters; those characters are not allowed.

What is the expected output? What do you see instead?
Expected output is that it would allow me to enter numeric and non-alpha 
passwords, but the change password screen does not allow it.  

The ruleset displayed on the change password screen states that those 
characters are not allowed.  Rechecking the configuration shows the config was 
saved as expected.  Effectively, those settings are always 'off'.  Checking the 
config .xml file shows those values are set to <default/>

What version of PWM are you using?
1.7.1

What ldap directory and version are you using?
ApacheDS 2.0.0-M16

Please paste any error log messages below:
No abnormal log messages are generated.  On webapp start up, it does output the 
password policy loaded, and those settings are seemingly read correctly, i.e., 
the log doesn't indicate those options are deactivated.

Original issue reported on code.google.com by brucey...@gmail.com on 16 Apr 2014 at 12:04

GoogleCodeExporter commented 9 years ago
After tracing through the code for how password policies get applied, I 
understand how results in the result I'm seeing.  Configurations saved in the 
PwmConfiguration.xml do get loaded correctly as the servlet boots.  However, 
every configuration setting about password policies gets merged with a 
secondary set of "defaults" in the class PwmPasswordPolicy.  I don't know what 
"Chai" password policies entail, but they're not what I want!

For each configuration setting, if the type is a boolean, as in "allow 
numeric", then there is a rule on merging it with the default Chai policy.  The 
merge is either an AND or OR as in PwmPasswordPolicy.java line 178.  It would 
seem these are all effectively hardcoded to AND as defined in the enum 
PwmPasswordRule.  The result is always False, because the Chai policy is False.

I would suggest pushing the 'positiveMerge' to the PwmConfiguration.xml, or 
have a single setting not to merge user configs against some under-the-hood 
default.

In any case, thanks for the hard work!  Looks like a great product.

Original comment by brucey...@gmail.com on 17 Apr 2014 at 1:00

GoogleCodeExporter commented 9 years ago
There already is a setting to use the local, pwm defined policies and not merge 
them with the chai (ldap defined policies, which chai doesn't read apacheDS 
policies if they exist)

Original comment by jrivard on 24 Apr 2014 at 2:10