#1 2018-05-31 19:20:42

RTinkess31
Member
Registered: 2018-05-31

Disable Password Change For Certain Users

I'm wondering if it's possible to disable the ability for certain users to change their password?

#2 2018-06-01 10:01:38

jalbrecht
Administrator
Registered: 2016-10-21

Re: Disable Password Change For Certain Users

Hi RTinkess31,

there is no way to do that out of the box. We will pick up this issue and discuss it and maybe define a property for the Password policy (check https://reportserver.net/en/guides/conf … roperties/ -> 4.9.2 Specifying a Password Policy).

wbr jan

#3 2018-06-01 10:11:23

IF_Eduardo
Administrator
Registered: 2016-11-01

Re: Disable Password Change For Certain Users

Hi RTinkess31,

you don't have this functionality out-of-the-box, but you can write a hook that implements the net.datenwerke.security.service.usermanager.hooks.ChangePasswordHook hook.
Here is an example of an existing hook in ReportServer:

package net.datenwerke.rs.passwordpolicy.service.hooker;

import java.util.Date;

import net.datenwerke.gxtdto.client.servercommunication.exceptions.ExpectedException;
import net.datenwerke.rs.passwordpolicy.service.BsiPasswordPolicy;
import net.datenwerke.rs.passwordpolicy.service.BsiPasswordPolicyService;
import net.datenwerke.rs.passwordpolicy.service.BsiPasswordPolicyUserMetadata;
import net.datenwerke.rs.utils.crypto.PasswordHasher;
import net.datenwerke.rs.utils.localization.LocalizationServiceImpl;
import net.datenwerke.rs.utils.misc.DateUtils;
import net.datenwerke.security.service.security.locale.SecurityMessages;
import net.datenwerke.security.service.usermanager.entities.User;
import net.datenwerke.security.service.usermanager.hooks.ChangePasswordHook;

import org.apache.commons.lang.StringUtils;

import com.google.inject.Inject;

public class BsiPasswordPolicyChangePasswordHook implements ChangePasswordHook{

	private final static SecurityMessages messages = LocalizationServiceImpl.getMessages(SecurityMessages.class);
	
	private final PasswordHasher passwordHasher;
	
	private final BsiPasswordPolicyService bsiPasswordPolicyService;
	
	@Inject
	public BsiPasswordPolicyChangePasswordHook(
			PasswordHasher passwordHasher,
			BsiPasswordPolicyService bsiPasswordPolicyService) {
		this.passwordHasher = passwordHasher;
		this.bsiPasswordPolicyService = bsiPasswordPolicyService;
	}
	
	@Override
	public void afterPasswordChanged(User user) {
		if(!bsiPasswordPolicyService.isActive())
			return;
		
		BsiPasswordPolicy policy = bsiPasswordPolicyService.getPolicy();
		
		BsiPasswordPolicyUserMetadata data = bsiPasswordPolicyService.getUserMetadata(user);
		
		data.addRecentPassword(user.getPassword(), policy.getHistorySize());
		data.setLastChangedPassword(new Date());
	
		bsiPasswordPolicyService.updateUserMetadata(user, data);
	}
	
	@Override
	public void beforePasswordChanged(User user, String newPassword) throws ExpectedException {
		if(!bsiPasswordPolicyService.isActive())
			return;
		
		BsiPasswordPolicy policy = bsiPasswordPolicyService.getPolicy();
		BsiPasswordPolicyUserMetadata data = bsiPasswordPolicyService.getUserMetadata(user);
		
		/* check minimum password age */
		if(null != data.getLastChangedPassword()){
			int passwordAge = DateUtils.getDeltaDays(data.getLastChangedPassword(), new Date());
			if(passwordAge < policy.getPasswordMinAge()){
				throw new ExpectedException(messages.changePasswordOnceInDays(policy.getPasswordMinAge()));
			}
		}
		
		/* check password history */
		if(data.recentPasswordsContain(newPassword, policy.getHistorySize(), passwordHasher)){
			throw new ExpectedException(messages.changePasswordHistoryFail(policy.getHistorySize()));
		}
		
		/* check password complexity */
		if(!policy.getPasswordComplexitySpecification().isSatisfiedBy(newPassword)){
			throw new ExpectedException(messages.changePasswordComplexityFail(StringUtils.join(policy.getPasswordComplexitySpecification().getErrorCause(newPassword), "\r\n")));
		}

		
	};
}

More information on hooks: https://reportserver.net/en/guides/scri … ortServer/

Regards,
Eduardo
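
Added example, not part of Eduardo's post or of ReportServer's code base: a minimal hook along the lines suggested above that rejects password changes for a fixed set of usernames. The class name, package and username list are hypothetical, `User.getUsername()` is assumed to exist, and the hook still has to be registered as described in the hooks guide linked above.

```java
package example.hooks; // hypothetical package, not part of ReportServer

import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import net.datenwerke.gxtdto.client.servercommunication.exceptions.ExpectedException;
import net.datenwerke.security.service.usermanager.entities.User;
import net.datenwerke.security.service.usermanager.hooks.ChangePasswordHook;

/** Rejects password changes for accounts on a deny list (e.g. shared or service accounts). */
public class DenyPasswordChangeHook implements ChangePasswordHook {

	private final Set<String> lockedUsernames;

	public DenyPasswordChangeHook(Set<String> usernames) {
		Set<String> normalized = new HashSet<>();
		for (String name : usernames) {
			if (name != null)
				normalized.add(normalize(name));
		}
		this.lockedUsernames = Collections.unmodifiableSet(normalized);
	}

	/* Compare case-insensitively so "Kiosk" and "kiosk" hit the same deny entry. */
	private static String normalize(String username) {
		return username.trim().toLowerCase(Locale.ROOT);
	}

	@Override
	public void beforePasswordChanged(User user, String newPassword) throws ExpectedException {
		/* getUsername() is assumed here; it is not shown in the hook quoted above. */
		String username = (user == null) ? null : user.getUsername();

		/* Fail closed: without a username the account cannot be checked against the list. */
		if (username == null)
			throw new ExpectedException("Password change rejected: account could not be identified.");

		/* Throwing here rejects the change, as in the policy hook quoted above. */
		if (lockedUsernames.contains(normalize(username)))
			throw new ExpectedException("Password changes are disabled for this account.");
	}

	@Override
	public void afterPasswordChanged(User user) {
		/* Nothing to record: denied changes never reach this point. */
	}
}
```

Whether ReportServer also invokes this hook for administrator-initiated resets is not stated in the thread, so verify that path on a test instance before relying on the restriction.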
