[MNT-16673] Setting minimum password length for Share has no effect Created: 12-Aug-16  Updated: 03-Oct-19  Resolved: 22-Jan-19

Status: Closed
Project: Service Packs and Hot Fixes
Component/s: Share Application
Affects Version/s: 5.0.3, 5.1.1, 5.2.3
Fix Version/s: 5.2.6, 6.0.1, 6.1.1, 6.2, ACS 201910-EA

Type: Service Pack Request
Reporter: Dwayne Ray Assignee: Closed Bugs (Inactive)
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File min-password-tool-tip.png    
Bug Priority:
Category 3
ACT Numbers:

00695003, 00964038

Sprint: Nielsen
Work Funnel End: 2019-01
Story Points: 3

 Description   

Updating the share-config-custom.xml with the username and password configuration defined in the documentation (http://docs.alfresco.com/5.1/tasks/share-change-password.html) does not appear to have any effect. After increasing the minimum password length, for example, a user can still be created with a shorter password, and existing users can set a shorter password.

[Steps to reproduce]

1. Copy the following from <ALFRESCO_HOME>/tomcat/webapps/share/WEB-INF/classes/alfresco/share-config.xml to <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml:

<config evaluator="string-compare" condition="Users">
<users>
<!-- minimum length for username and password -->
<username-min-length>2</username-min-length>
<password-min-length>3</password-min-length>
<show-authorization-status>false</show-authorization-status>
</users>
<!-- This enables/disables the Add External Users Panel on the Add Users page. -->
<enable-external-users-panel>false</enable-external-users-panel>
</config>

2. Set replace="true":

<config evaluator="string-compare" condition="Users" replace="true">

3. Update the password-min-length value to a higher value:

<password-min-length>15</password-min-length>

4. Save the file, restart Alfresco if it was running.
5. In Share, create a new user (UserA) with the password "password", which will be accepted despite being 8 characters (minimum should be 15).
6. Login as UserA, and change password to "alfresco", which should be disallowed because it is also 8 characters. Note that the tool tip mentions the 3 character limit still (see min-password-tool-tip.png).

[Expected Behaviour]
Users should not be able to be created with a password shorter than <password-min-length>, and existing users should not be able to set a password shorter than <password-min-length>.

[Observed Behaviour]
The default <password-min-length> value of 3 characters is still being used despite changing the value according to the documentation.

[Analysis to date]
1. Customer business impact / priority / urgency: Low
2. Ideal Fix Version: Future service pack


Generated at Sun Jun 20 14:11:59 BST 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.