mendix / CommunityCommons

This module adds a number of reusable Java methods to your project, which can be called from Microflows or custom Java actions.
Apache License 2.0

Random strong password #106

Closed laurenra7 closed 3 years ago

laurenra7 commented 3 years ago

I created this pull request to make it easier to compare code and see what I changed to fix this in my own project. Because the change adds a new parameter to the Java Action "Random strong password" which will cause errors if anyone updates the CommunityCommons module, I don't expect the pull request to be merged. It's simply for comparison for anyone who decides this is worth fixing. See my comments in Issue #105.

reinouts commented 3 years ago

@laurenra7 Thanks. The errors you're seeing are probably due to an old version of the Commons Lang3 module in your userlib folder. If you delete older versions but keep just the latest one, you shouldn't get any errors.

laurenra7 commented 3 years ago

The error has nothing to do with the Apache Commons Lang3 library. It's caused by the code in the generateCommonLangPassword method of the StringUtils class. If you look at the code you can see that there is no guarantee that lowercase letters will be included in the random password. In practice, if you use the RandomStrongPassword Java Action to create a password and assign it to a System.User, every now and then it will fail to meet the password criteria and generate an error "Password does not meet password criteria: - Password should contain a lowercase letter."

I created this pull request simply to highlight the problem code and to propose a possible solution. I have a better solution that will require no change in the parameters for the RandomStrongPassword Java Action. I will close this pull request and create a new one with the better solution.

This is not fixed by using a newer (or older) version of the Apache Commons Lang3 module. I have created a simple Mendix application on a free node with Studio Pro 9.1.1 that uses the latest CommunityCommons module. It generates 100 passwords with the RandomStrongPassword Java Action and you can see how many fail to meet standard password criteria. It also creates 100 passwords using a very slightly modified version of the StringUtils class that always guarantees at least 1 lowercase letter and always meets standard password criteria. You can see it here:

https://randomstrongpasswordtest-sandbox.mxapps.io/

I would be happy to invite you to the Mendix project RandomStrongPasswordTest so you can see the code if you'd like.
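The failure mode described in this thread (a generator that draws from several character classes without guaranteeing that every class is present, so a small fraction of outputs trip the "should contain a lowercase letter" rule) can be demonstrated and fixed in a few lines of plain Java. The following is an added example written for this page; it is not code from the CommunityCommons module, from this pull request, or from laurenra7's sandbox app. It assumes only the JDK (`java.security.SecureRandom`), not Commons Lang3, and the character classes, criteria and class name `GuaranteedClassPassword` are constructed for the illustration. `generateNaive` stands in for any generator that samples every position independently from the combined alphabet; `generate` reserves one position per required class before filling and shuffling, so `meetsCriteria` holds for every output.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class GuaranteedClassPassword {
    // Constructed character classes; adjust to match the password policy in force.
    private static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    private static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String DIGITS = "0123456789";
    private static final String SPECIAL = "!@#$%^&*()-_=+[]{};:,.?";
    private static final String ALL = LOWER + UPPER + DIGITS + SPECIAL;

    // A cryptographically strong source; java.util.Random is not suitable for passwords.
    private static final SecureRandom RNG = new SecureRandom();

    private static char pick(String alphabet) {
        return alphabet.charAt(RNG.nextInt(alphabet.length()));
    }

    // Illustrates the bug: every position is drawn independently from the union,
    // so nothing forces a lowercase letter (or any other class) to appear.
    public static String generateNaive(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(pick(ALL));
        }
        return sb.toString();
    }

    // The fix: reserve one character from each required class up front, fill the
    // remaining positions from the union, then shuffle so the reserved characters
    // do not sit at predictable positions.
    public static String generate(int length) {
        if (length < 4) {
            throw new IllegalArgumentException(
                "length must be at least 4 to hold one character of each class");
        }
        List<Character> chars = new ArrayList<>(length);
        chars.add(pick(LOWER));
        chars.add(pick(UPPER));
        chars.add(pick(DIGITS));
        chars.add(pick(SPECIAL));
        while (chars.size() < length) {
            chars.add(pick(ALL));
        }
        Collections.shuffle(chars, RNG);
        StringBuilder sb = new StringBuilder(length);
        for (char c : chars) {
            sb.append(c);
        }
        return sb.toString();
    }

    // Mirrors the kind of policy the thread quotes: at least one lowercase letter,
    // one uppercase letter, one digit and one special character.
    public static boolean meetsCriteria(String password) {
        boolean lower = false, upper = false, digit = false, special = false;
        for (char c : password.toCharArray()) {
            if (Character.isLowerCase(c)) {
                lower = true;
            } else if (Character.isUpperCase(c)) {
                upper = true;
            } else if (Character.isDigit(c)) {
                digit = true;
            } else if (SPECIAL.indexOf(c) >= 0) {
                special = true;
            }
        }
        return lower && upper && digit && special;
    }

    // Counts how many of `runs` generated passwords fail the policy for each generator.
    public static int countFailures(boolean guaranteed, int runs, int length) {
        int failures = 0;
        for (int i = 0; i < runs; i++) {
            String pw = guaranteed ? generate(length) : generateNaive(length);
            if (!meetsCriteria(pw)) {
                failures++;
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        // Constructed check, in the spirit of the 100-password comparison in the thread.
        System.out.println("naive failures out of 100:      " + countFailures(false, 100, 12));
        System.out.println("guaranteed failures out of 100: " + countFailures(true, 100, 12));
    }
}
```

Running `main` repeatedly shows the naive count vary from run to run (it is a probabilistic failure, which is why it surfaces only "every now and then" when assigning generated passwords to a `System.User`), while the guaranteed count is always zero. Validating with `meetsCriteria` before handing a password to the platform is a cheap second line of defence if the generator is ever changed again.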