Friday, August 5, 2016

User Password Pattern Policy Extensions in Identity Management Feature of WSO2 Identity Server

WSO2 Identity Server is an enterprise-class software solution for User Management and Identity and Access Management. When protecting user accounts, password management is really important. In order to make passwords difficult to break, password pattern policies can be enforced, where the passwords users set for their accounts must match the pattern defined in the policy. An example would be that the password should contain at least one digit, one uppercase letter, one lowercase letter and a special character (e.g. &, @, # …). Apart from that, there should be a minimum length for the password.

In a previous post [1], I discussed how the password pattern is enforced at the front end and back end layers. In this post I discuss the password pattern policy extensions that can be used to further improve the strength of the passwords. After the back end validation happens, the server checks whether the Identity Management Feature password pattern policy extensions are enabled. If they are enabled, it goes through each password pattern policy extension in turn and validates the password against the rules defined there. The entire flow of password validation is shown below; here I am going to talk about the password pattern policy extensions part of it.

Here I use WSO2 Identity Server 5.1.0 version which is the latest released version at the time of this writing.

First we need to enable the IdentityMgtEventListener in order to enable the Identity Management Features. For that, I modify the IS_5.1.0_HOME/repository/conf/identity/identity.xml file as shown below. Here I set enable="true" for IdentityMgtEventListener under the EventListeners.

       <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
                      orderId="50" enable="true"/>

The next step is to enable the password pattern policy extensions. For that I need to modify the IS_5.1.0_HOME/repository/conf/identity/identity-mgt.properties file. By default these password policy pattern extensions are disabled by adding a # in front of them (commented out) in the property file. We can remove the # sign in front of each password policy extension and its properties, after which they look like below.

# Define password policy enforce extensions

Password.policy.extensions.1=org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordLengthPolicy
Password.policy.extensions.1.min.length=6
Password.policy.extensions.1.max.length=12
Password.policy.extensions.2=org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordNamePolicy
Password.policy.extensions.3=org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordPatternPolicy
Password.policy.extensions.3.pattern=^((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*])).{0,100}$
Password.policy.extensions.3.errorMsg='Password pattern policy violated. Password should contain a digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], one of !@#$%&* characters'

By default there are 3 password pattern policy extensions. By uncommenting them I have enabled them. Now I need to restart the server so the changes take effect.

These password policy pattern extensions are validated one after the other, sequentially. If extension 1 fails, the flow stops there. If extension 1 is validated correctly but extension 2 fails, the flow stops there without moving on to the validation of extension 3.

In order to evaluate the extensions, we need to make sure that the password validation flow continues past the front end validation and back end validation, as I discussed in [1] and as shown in the activity diagram at the beginning of this post. For that I keep the default regular expressions for front end and back end validation of password patterns, which are the properties in user-mgt.xml shown below. So any password that has a minimum length of 5 characters (and no whitespace) reaches the extensions validation.

           <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
           <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>

Let’s try out each extension. Here I go to the Management Console of the Identity Server and try to create a user giving different passwords to make sure that the extensions do their job.


Extension 1 validates the length of the password, where the minimum length should be 6 characters and the maximum length should be 12 characters. The Java class related to extension 1 is [2].

Password.policy.extensions.1=org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordLengthPolicy
Password.policy.extensions.1.min.length=6
Password.policy.extensions.1.max.length=12

If I create a user with a 5-character password, it gives the following error, which shows that the minimum length has been validated.

If I try to create the user with a password longer than 12 characters, the maximum length is checked in extension 1 and it fails, giving me the following error.


So extension 1 validates the length of the password correctly.

Extension 2 does not take any parameters and the Java class related to that is in [3].

Password.policy.extensions.2=org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordNamePolicy

What extension 2 does is make sure that the password is not the same as the username. For testing that, I need to pass the validation of extension 1. So here I give the username 'tharindu' and the same password 'tharindu', which satisfies extension 1 and comes into extension 2.


Since the password is the same as the username, I get the above error because of extension 2.

Now let's check extension 3. The Java class related to this extension is [4]. It accepts a parameter named 'pattern' where we can define a regular expression for the password. Also, if the pattern matching fails, we can display an error message, which is defined in the property 'errorMsg' of extension 3. I will keep the default values as they are.

Password.policy.extensions.3=org.wso2.carbon.identity.mgt.policy.password.DefaultPasswordPatternPolicy
Password.policy.extensions.3.pattern=^((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*])).{0,100}$
Password.policy.extensions.3.errorMsg='Password pattern policy violated. Password should contain a digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], one of !@#$%&* characters'

For testing this, my password should pass the validations of both extension 1 and 2. So I'll give the username 'tharindu' and the password '123456'. I get the following error, which means extension 3 has validated the password correctly.
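To make the sequential flow concrete, here is an added Python simulation of the three default extensions and of the user-mgt.xml regex check that runs before them. This is example code written for this post's explanation, not WSO2 Identity Server's own implementation: the class names, the min/max lengths, the 'pattern' regex and the 'errorMsg' text come from the identity-mgt.properties and user-mgt.xml fragments above, while the function names and the error strings for extensions 1 and 2 are constructed for this example. The test cases at the bottom mirror the passwords tried on the Management Console above.

```python
import re
from typing import Callable, List, Optional, Tuple

# Regex from user-mgt.xml (PasswordJavaRegEx). The front end and back end
# validation run this first; only passwords that match it reach the extensions.
USER_MGT_REGEX = re.compile(r"^[\S]{5,30}$")

# Default 'pattern' of extension 3 from identity-mgt.properties. The properties
# file writes "\\d" because the Java properties loader unescapes it to "\d";
# a Python raw string needs the single backslash.
DEFAULT_PATTERN = re.compile(r"^((?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*])).{0,100}$")
# Default 'errorMsg' of extension 3 from identity-mgt.properties.
DEFAULT_ERROR_MSG = ("Password pattern policy violated. Password should contain a "
                     "digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], "
                     "one of !@#$%&* characters")

# A policy takes (username, password) and returns None on success or an error
# message on failure. The messages for extensions 1 and 2 are constructed for
# this example; they are not the strings the Identity Server prints.
Policy = Callable[[str, str], Optional[str]]


def length_policy(min_length: int = 6, max_length: int = 12) -> Policy:
    """Extension 1 (DefaultPasswordLengthPolicy): enforce min.length / max.length."""
    def check(username: str, password: str) -> Optional[str]:
        if len(password) < min_length:
            return f"password shorter than min.length={min_length}"
        if len(password) > max_length:
            return f"password longer than max.length={max_length}"
        return None
    return check


def name_policy() -> Policy:
    """Extension 2 (DefaultPasswordNamePolicy): password must not equal the username."""
    def check(username: str, password: str) -> Optional[str]:
        if password == username:
            return "password must not be the same as the username"
        return None
    return check


def pattern_policy(pattern: "re.Pattern[str]" = DEFAULT_PATTERN,
                   error_msg: str = DEFAULT_ERROR_MSG) -> Policy:
    """Extension 3 (DefaultPasswordPatternPolicy): password must match 'pattern'."""
    def check(username: str, password: str) -> Optional[str]:
        return None if pattern.match(password) else error_msg
    return check


# Same order as Password.policy.extensions.1 / .2 / .3 in identity-mgt.properties.
DEFAULT_EXTENSIONS: List[Policy] = [length_policy(), name_policy(), pattern_policy()]


def validate_password(username: str, password: str,
                      extensions: List[Policy] = DEFAULT_EXTENSIONS
                      ) -> Tuple[bool, Optional[int], str]:
    """Run the whole flow: user-mgt.xml regex first, then the extensions in order.

    Returns (accepted, failed_stage, message). failed_stage is 0 when the
    user-mgt.xml regex rejected the password, N (1-based) when extension N
    rejected it, and None when the password was accepted.
    """
    if not USER_MGT_REGEX.match(password):
        return False, 0, "rejected by PasswordJavaRegEx before any extension ran"
    # Extensions are evaluated sequentially; the first failure stops the flow,
    # so later extensions never see the password.
    for index, policy in enumerate(extensions, start=1):
        error = policy(username, password)
        if error is not None:
            return False, index, f"extension {index}: {error}"
    return True, None, "password accepted"


if __name__ == "__main__":
    # Constructed inputs mirroring the cases tried on the Management Console.
    for pw in ["abcd", "abcde", "abcdefghijklm", "tharindu", "123456", "Abcd3f!"]:
        accepted, stage, message = validate_password("tharindu", pw)
        print(f"{pw!r:18} accepted={accepted!s:5} stage={stage} {message}")
```

Note that 'tharindu' as both username and password would also fail extension 3 (no digit, uppercase or special character), but the flow reports extension 2, because validation stops at the first failing extension. Passing a different list to `validate_password` shows how replacing the default three extensions with your own, as mentioned below, changes which checks run and in what order.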


Apart from the above, we can write our own password pattern validation extensions. We can also remove the default 3 extensions and use only our own. I will demonstrate how to write a custom password pattern validation extension in the next post. (You can find the article in [5].)

References


Tharindu Edirisinghe
Platform Security Team
WSO2
