15 Configuring the Password Validation Provider
This chapter includes the following sections:
About the Password Validation Provider
The Password Validation provider can be used with the following authentication providers:
- WebLogic Authentication provider
- SQL Authenticator provider
- LDAP Authentication provider
- Oracle Internet Directory Authentication provider
- Active Directory Authentication provider
- Open LDAP Authentication provider
For information about configuring the Password Validation provider in the WebLogic Remote Console, see Configure the Password Validation Provider in Oracle WebLogic Remote Console Online Help.
Password Composition Rules for the Password Validation Provider
Note:
Passwords cannot contain a curly brace ("{") as the first character.
Table 15-1 Additional Password Composition Rules Required by Password Validation Provider When Used with an LDAP Authentication Provider
LDAP Authentication Provider | Additional Password Composition Requirement
---|---
 | At least one of the characters in the password must be numeric.
 | At least one of the characters in the password must be non-alphabetic. For example, a numeric character, an asterisk (*), or an octothorpe (#).
The password composition rules you optionally can configure for the Password Validation provider include the following:
- User name policies — Rules that determine whether the password may consist of or contain the user's name, or the reverse of that name
- Password length policies — Rules for the minimum or maximum number of characters in a password (composition rules may specify both a minimum and maximum length)
- Character policies — Rules regarding the inclusion of the following characters in the password:
  - Numeric characters
  - Lowercase alphabetic characters
  - Uppercase alphabetic characters
  - Non-alphanumeric characters
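The rules above are easier to reason about when you can run candidate passwords through them before the policy goes live, for example to confirm that a password generator or a migration batch will not be rejected. The following checker is an added example written for this chapter; it is not WebLogic's own validator code. It mirrors the attribute names of the SystemPasswordValidatorMBean (the policy values are illustrative, not the provider's defaults), adds the leading curly-brace rule from the note above, and treats the Table 15-1 requirements as MinNumericCharacters and MinNumericOrSpecialCharacters of at least 1. Whether WebLogic compares user names case-insensitively and counts repeated characters case-sensitively is an assumption of this example, not something the page states.

```python
# Constructed example policy: keys mirror the SystemPasswordValidatorMBean attribute
# names; the values are illustrative choices for this example, not WebLogic defaults.
# 0 for a Max* rule means "no limit".
EXAMPLE_POLICY = {
    "MinPasswordLength": 8,
    "MaxPasswordLength": 64,
    "MaxConsecutiveCharacters": 3,
    "MaxInstancesOfAnyCharacter": 4,
    "MinAlphabeticCharacters": 1,
    "MinNumericCharacters": 1,
    "MinLowercaseCharacters": 1,
    "MinUppercaseCharacters": 1,
    "MinNonAlphanumericCharacters": 1,
    "MinNumericOrSpecialCharacters": 1,   # covers the "non-alphabetic" rule of Table 15-1
    "RejectEqualOrContainUsername": True,
    "RejectEqualOrContainReverseUsername": True,
}


def longest_run(s):
    """Length of the longest run of one character repeated consecutively (case-sensitive)."""
    best, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        if run > best:
            best = run
    return best


def check_password(password, username, policy=EXAMPLE_POLICY):
    """Return the names of the rules the password violates; an empty list means accepted.

    Assumptions made here (not stated by the chapter): per-character counts are
    case-sensitive, user-name containment is checked case-insensitively.
    """
    p = policy
    failures = []

    # Rule from the chapter note: a leading "{" is never allowed.
    if password.startswith("{"):
        failures.append("LeadingCurlyBrace")

    n = len(password)
    if n < p["MinPasswordLength"]:
        failures.append("MinPasswordLength")
    if p["MaxPasswordLength"] and n > p["MaxPasswordLength"]:
        failures.append("MaxPasswordLength")
    if p["MaxConsecutiveCharacters"] and longest_run(password) > p["MaxConsecutiveCharacters"]:
        failures.append("MaxConsecutiveCharacters")
    if p["MaxInstancesOfAnyCharacter"]:
        counts = {}
        for ch in password:
            counts[ch] = counts.get(ch, 0) + 1
        if counts and max(counts.values()) > p["MaxInstancesOfAnyCharacter"]:
            failures.append("MaxInstancesOfAnyCharacter")

    # Character-class minimums.
    alpha = sum(1 for c in password if c.isalpha())
    digits = sum(1 for c in password if c.isdigit())
    lower = sum(1 for c in password if c.islower())
    upper = sum(1 for c in password if c.isupper())
    special = sum(1 for c in password if not c.isalnum())
    for rule, count in [
        ("MinAlphabeticCharacters", alpha),
        ("MinNumericCharacters", digits),
        ("MinLowercaseCharacters", lower),
        ("MinUppercaseCharacters", upper),
        ("MinNonAlphanumericCharacters", special),
        ("MinNumericOrSpecialCharacters", digits + special),
    ]:
        if count < p[rule]:
            failures.append(rule)

    # User-name policies: password must not equal or contain the name or its reverse.
    pw, user = password.lower(), username.lower()
    if p["RejectEqualOrContainUsername"] and user and user in pw:
        failures.append("RejectEqualOrContainUsername")
    if p["RejectEqualOrContainReverseUsername"] and user and user[::-1] in pw:
        failures.append("RejectEqualOrContainReverseUsername")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("Tr0ub4dor&3", "alice"), ("password", "alice"),
                     ("{Alice123!", "alice"), ("Aaaab1111!", "bob")]:
        print("%-14s %s" % (pw, check_password(pw, user) or "accepted"))
```

Run the checker against the exact values you intend to set on the provider; a password that the checker rejects for MinPasswordLength would, with the WebLogic Authentication provider in the realm, be refused by that provider before the validator is even consulted (see the next section).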
Note:
Setting password composition rules is only one component of hardening the WebLogic Server environment against brute-force password attacks. To protect user accounts, you should also configure user lockout. User lockout specifies the number of incorrect passwords that may be entered within a given interval of time before the user is locked out of his or her account. See Protecting User Accounts.
Using the Password Validation Provider with the WebLogic Authentication Provider
By default, the WebLogic Authentication provider requires a minimum password length of 8 characters, of which one is non-alphabetic. However, the minimum password length enforced by this provider can be customized. If the WebLogic Authentication provider and Password Validation provider are both configured in the security realm, and you attempt to create a password that does not meet the minimum length enforced by the WebLogic Authentication provider, an error is generated.
If the WebLogic Authentication provider rejects a password because it does not meet the minimum length requirement, the Password Validation provider is not called. To ensure that the Password Validator is always used in conjunction with the WebLogic Authentication provider, make sure that the minimum password length is the same for both providers.
You can set the minimum password length for the WebLogic Authentication provider:
- If using WebLogic Remote Console, see Configure the Password Validation Provider in Oracle WebLogic Remote Console Online Help.
- If using WLST, see Using WLST to Create and Configure the Password Validation Provider.
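Because a mismatch silently bypasses the validator, it is worth making the alignment a single, checkable step rather than two separate console edits. The following helper is an added example for this section, not code from the WebLogic documentation or product. It is written in the plain Jython-compatible Python that WLST accepts, and it assumes (not stated on this page) that the providers are reached through RealmMBean.lookupAuthenticationProvider() and lookupPasswordValidator(), that the authenticator exposes getMinimumPasswordLength()/setMinimumPasswordLength(), and that the validator exposes getMinPasswordLength()/setMinPasswordLength(); the stub realm at the bottom is constructed so the example runs offline.

```python
# Added example: align the minimum password length of the WebLogic Authentication
# provider and the System Password Validator, and verify it, from one WLST script.
# Jython-compatible syntax on purpose (no f-strings), so it can be pasted into WLST.
# MBean method names below are assumptions, see the lead-in.

def align_min_password_length(realm, min_length,
                              authenticator_name='DefaultAuthenticator',
                              validator_name='SystemPasswordValidator'):
    """Set the same minimum length on both providers and return before/after values.

    Raises ValueError instead of silently doing nothing when a provider is missing:
    a missing validator means no composition rules are enforced at all.
    """
    if min_length < 1:
        raise ValueError('min_length must be at least 1')
    atn = realm.lookupAuthenticationProvider(authenticator_name)
    if atn is None:
        raise ValueError('authentication provider %r not found' % authenticator_name)
    pv = realm.lookupPasswordValidator(validator_name)
    if pv is None:
        raise ValueError('password validator %r not found' % validator_name)
    before = {'authenticator': atn.getMinimumPasswordLength(),
              'validator': pv.getMinPasswordLength()}
    atn.setMinimumPasswordLength(min_length)
    pv.setMinPasswordLength(min_length)
    after = {'authenticator': atn.getMinimumPasswordLength(),
             'validator': pv.getMinPasswordLength()}
    return {'before': before, 'after': after}


def min_lengths_aligned(realm, authenticator_name='DefaultAuthenticator',
                        validator_name='SystemPasswordValidator'):
    """Pre-deployment check: True only when both providers enforce the same minimum."""
    atn = realm.lookupAuthenticationProvider(authenticator_name)
    pv = realm.lookupPasswordValidator(validator_name)
    if atn is None or pv is None:
        return False
    return atn.getMinimumPasswordLength() == pv.getMinPasswordLength()


# --- Constructed stub realm so the example runs outside WLST (not WebLogic classes) ---
class _StubAuthenticator(object):
    def __init__(self, n): self.n = n
    def getMinimumPasswordLength(self): return self.n
    def setMinimumPasswordLength(self, n): self.n = n

class _StubValidator(object):
    def __init__(self, n): self.n = n
    def getMinPasswordLength(self): return self.n
    def setMinPasswordLength(self, n): self.n = n

class _StubRealm(object):
    def __init__(self, atn, pv): self.atn, self.pv = atn, pv
    def lookupAuthenticationProvider(self, name):
        return self.atn if name == 'DefaultAuthenticator' else None
    def lookupPasswordValidator(self, name):
        return self.pv if name == 'SystemPasswordValidator' else None

def make_sample_realm(atn_min=8, validator_min=10, with_validator=True):
    """Constructed sample: authenticator at 8, validator at 10 (misaligned) by default."""
    return _StubRealm(_StubAuthenticator(atn_min),
                      _StubValidator(validator_min) if with_validator else None)


if __name__ == '__main__':
    realm = make_sample_realm()
    print('aligned before: %s' % min_lengths_aligned(realm))
    print(align_min_password_length(realm, 12))
    print('aligned after: %s' % min_lengths_aligned(realm))
    # Inside WLST the same calls sit in an edit session:
    #   edit(); startEdit()
    #   realm = cmo.getSecurityConfiguration().getDefaultRealm()
    #   print align_min_password_length(realm, 12)
    #   save(); activate()
```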
Using the Password Validation Provider with an LDAP Authentication Provider
Using WLST to Create and Configure the Password Validation Provider
You can create and configure the Password Validation provider with WLST through its SystemPasswordValidatorMBean, described in MBean Reference for Oracle WebLogic Server. You may create and configure the Password Validation provider from a single WLST script, or you may have separate scripts that perform these functions separately. The following topics explain how, providing sample WLST code snippets:
Creating an Instance of the Password Validation Provider
The Password Validation provider is created automatically in the security realm when you create a new domain. However, you can use WLST to create one as well, as shown in Example 15-1. This code looks up the validator named SystemPasswordValidator in the default security realm and, if it does not exist, creates one and activates the change.
Example 15-1 Creating the System Password Validator
edit()
startEdit()
realm = cmo.getSecurityConfiguration().getDefaultRealm()
pwdvalidator = realm.lookupPasswordValidator('SystemPasswordValidator')
if pwdvalidator:
    print 'Password Validator provider is already created'
else:
    # Create SystemPasswordValidator in the default realm. Assign it to the same
    # variable the lookup used, so the configuration script that follows can use it.
    pwdvalidator = realm.createPasswordValidator('SystemPasswordValidator',
        'com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator')
    print "--- Creation of System Password Validator succeeded!"
save()
activate()
Specifying the Password Composition Rules
The following example shows the WLST code that sets the composition rules for the Password Validation provider. For information about the rule attributes that can be set in this script, see the description of the SystemPasswordValidatorMBean in the MBean Reference for Oracle WebLogic Server.
Two practical points about this script. First, the except clause only prints the error: if a setter fails, the remaining rules are not applied but save() and activate() still run, so check the script output before relying on the policy. Second, the values are illustrative; a MaxPasswordLength as low as 12 rules out long passphrases and hands an attacker an upper bound on the search space, so set it well above the minimum in a real domain.
edit()
startEdit()
# Look up the provider first so this script also works on its own, separately from Example 15-1
realm = cmo.getSecurityConfiguration().getDefaultRealm()
pwdvalidator = realm.lookupPasswordValidator('SystemPasswordValidator')
# Configure SystemPasswordValidator
try:
    pwdvalidator.setMinPasswordLength(8)
    pwdvalidator.setMaxPasswordLength(12)
    pwdvalidator.setMaxConsecutiveCharacters(3)
    pwdvalidator.setMaxInstancesOfAnyCharacter(4)
    pwdvalidator.setMinAlphabeticCharacters(1)
    pwdvalidator.setMinNumericCharacters(1)
    pwdvalidator.setMinLowercaseCharacters(1)
    pwdvalidator.setMinUppercaseCharacters(1)
    pwdvalidator.setMinNonAlphanumericCharacters(1)
    pwdvalidator.setMinNumericOrSpecialCharacters(1)
    # Python booleans; True/False work in every WLST (Jython) release
    pwdvalidator.setRejectEqualOrContainUsername(True)
    pwdvalidator.setRejectEqualOrContainReverseUsername(True)
    print " --- Configuration of SystemPasswordValidator complete ---"
except Exception, e:
    print e
save()
activate()