  1. Service Packs and Hot Fixes
  2. MNT-16673

Setting minimum password length for Share has no effect

    Details

    • Bug Priority: Category 3
    • ACT Numbers: 00695003, 00964038
    • Sprint: Nielsen
    • Work Funnel End: 2019-01
    • Story Points: 3

      Description

      Updating the share-config-custom.xml with the username and password configuration defined in the documentation (http://docs.alfresco.com/5.1/tasks/share-change-password.html) does not appear to have any effect. After increasing the minimum password length, for example, a user can still be created with a shorter password, and existing users can set a shorter password.

      [Steps to reproduce]

      1. Copy the following from <ALFRESCO_HOME>/tomcat/webapps/share/WEB-INF/classes/alfresco/share-config.xml to <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml:

      <config evaluator="string-compare" condition="Users">
         <users>
            <!-- minimum length for username and password -->
            <username-min-length>2</username-min-length>
            <password-min-length>3</password-min-length>
            <show-authorization-status>false</show-authorization-status>
         </users>
         <!-- This enables/disables the Add External Users Panel on the Add Users page. -->
         <enable-external-users-panel>false</enable-external-users-panel>
      </config>

      2. Set replace="true":

      <config evaluator="string-compare" condition="Users" replace="true">

      3. Update the password-min-length value to a higher value:

      <password-min-length>15</password-min-length>

      4. Save the file and restart Alfresco if it was running.
      5. In Share, create a new user (UserA) with the password "password", which will be accepted despite being 8 characters (minimum should be 15).
      6. Log in as UserA and change the password to "alfresco", which should be disallowed because it is also 8 characters. Note that the tooltip still mentions the 3-character limit (see min-password-tool-tip.png).

      [Expected Behaviour]
      Users should not be able to be created with a password shorter than <password-min-length>, and existing users should not be able to set a password shorter than <password-min-length>.

      [Observed Behaviour]
      The default <password-min-length> value of 3 characters is still being used despite changing the value according to the documentation.

      [Analysis to date]
      1. Customer business impact / priority / urgency: Low
      2. Ideal Fix Version: Future service pack
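
Before attributing the behaviour to Share, it helps to rule out a malformed override file. The following is an added example, not part of the original report or of Alfresco's code: it checks that the override from steps 1-3 is well-formed, carries replace="true", and declares the intended minimum; it confirms what the file says, not what Share enforces. The function name `audit_users_override`, the `required_min` parameter and the `<alfresco-config>` root element in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the override from steps 1-3, wrapped in an
# <alfresco-config> root element (assumed; the root is not shown in the report).
SAMPLE_OVERRIDE = """\
<alfresco-config>
  <config evaluator="string-compare" condition="Users" replace="true">
    <users>
      <username-min-length>2</username-min-length>
      <password-min-length>15</password-min-length>
      <show-authorization-status>false</show-authorization-status>
    </users>
    <enable-external-users-panel>false</enable-external-users-panel>
  </config>
</alfresco-config>
"""

def audit_users_override(xml_text, required_min=15):
    """Return a list of findings; an empty list means the file states the policy."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    blocks = [c for c in root.iter("config") if c.get("condition") == "Users"]
    if not blocks:
        return ['no <config condition="Users"> block found']
    findings = []
    if len(blocks) > 1:
        findings.append(f"{len(blocks)} Users blocks found; expected exactly one")
    for block in blocks:
        if block.get("evaluator") != "string-compare":
            findings.append('evaluator is not "string-compare"')
        if block.get("replace") != "true":
            findings.append('replace="true" is missing (step 2)')
        raw = block.findtext("users/password-min-length")
        if raw is None:
            findings.append("<users>/<password-min-length> is missing")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"password-min-length is not a number: {raw!r}")
            continue
        if value < required_min:
            findings.append(f"password-min-length is {value}, below required {required_min}")
    return findings

if __name__ == "__main__":
    for line in audit_users_override(SAMPLE_OVERRIDE) or ["override file matches policy"]:
        print(line)
```

An empty result for the deployed share-config-custom.xml, combined with the behaviour in steps 5 and 6, points at the application rather than the configuration.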

              People

              • Assignee: closedbugs Closed Bugs (Inactive)
              • Reporter: dray Dwayne Ray
              • Votes: 1
              • Watchers: 9