Type: Service Pack Request
Status: Closed
Affects Version/s: 5.0.3, 5.1.1, 5.2.3
Component/s: Share Application
Work Funnel End: 2019-01
Updating the share-config-custom.xml with the username and password configuration defined in the documentation (http://docs.alfresco.com/5.1/tasks/share-change-password.html) does not appear to have any effect. After increasing the minimum password length, for example, a user can still be created with a shorter password, and existing users can set a shorter password.
[Steps to reproduce]
1. Copy the following from <ALFRESCO_HOME>/tomcat/webapps/share/WEB-INF/classes/alfresco/share-config.xml to <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml:
<config evaluator="string-compare" condition="Users">
<!-- minimum length for username and password -->
<!-- This enables/disables the Add External Users Panel on the Add Users page. -->
2. Set replace="true":
<config evaluator="string-compare" condition="Users" replace="true">
3. Update the password-min-length value to a higher value:
4. Save the file and restart Alfresco if it was running.
5. In Share, create a new user (UserA) with the password "password", which will be accepted despite being 8 characters (minimum should be 15).
6. Log in as UserA and change the password to "alfresco", which should be disallowed because it is also 8 characters. Note that the tool tip still mentions the 3-character limit (see min-password-tool-tip.png).
Users should not be able to be created with a password shorter than <password-min-length>, and existing users should not be able to set a password shorter than <password-min-length>.
The default <password-min-length> value of 3 characters is still being used despite changing the value according to the documentation.
[Analysis to date]
1. Customer business impact / priority / urgency: Low
2. Ideal Fix Version: Future service pack
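A triage check for the steps above, added here as an example and not part of the original ticket or of Alfresco's code: it parses an override file and reports whether the "Users" block carries replace="true" and a password-min-length at or above the required minimum. The function name, the sample file content and the <users> wrapper element are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample override (not from the ticket). The <users> wrapper is an
# assumption; the lookup below finds <password-min-length> at any depth.
SAMPLE_OVERRIDE = """
<alfresco-config>
  <config evaluator="string-compare" condition="Users" replace="true">
    <users>
      <password-min-length>15</password-min-length>
    </users>
  </config>
</alfresco-config>
"""


def audit_users_override(xml_text, required_min):
    """Return findings for the "Users" override; an empty list means it is well formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    blocks = [c for c in root.iter("config")
              if c.get("evaluator") == "string-compare" and c.get("condition") == "Users"]
    if not blocks:
        return ['no <config evaluator="string-compare" condition="Users"> block']
    findings = []
    if len(blocks) > 1:
        findings.append(f"{len(blocks)} Users blocks found, expected one")
    for block in blocks:
        if block.get("replace") != "true":
            findings.append('Users block lacks replace="true" (step 2)')
        values = [(e.text or "").strip() for e in block.iter("password-min-length")]
        if not values:
            findings.append("Users block has no <password-min-length> (step 3)")
        for text in values:
            if not text.isdecimal():
                findings.append(f"password-min-length is not a number: {text!r}")
            elif int(text) < required_min:
                findings.append(f"password-min-length {text} is below required {required_min}")
    return findings


if __name__ == "__main__":
    # Audit the constructed sample against the 15-character minimum from step 5.
    for finding in audit_users_override(SAMPLE_OVERRIDE, 15) or ["override is well formed"]:
        print(finding)
```

An empty result rules out a malformed override as the cause, so a short password that is still accepted points at the behaviour reported in this ticket rather than at the configuration file.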