PasswordValidationAction.java example

Explorer
jackrabbit-master
- jackrabbit-trunk
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.jackrabbit.core.security.user.action;

import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.security.user.PasswordUtility;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.nodetype.ConstraintViolationException;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * <code>PasswordValidationAction</code> provides a simple password validation
 * mechanism with the following configurable option:
 *
 * <ul>
 *     <li><strong>constraint</strong>: a regular expression that can be compiled
 *     to a {@link Pattern} defining validation rules for a password.</li>
 * </ul>
 * <p>
 * The password validation is executed on user creation and upon password
 * change. It throws a <code>ConstraintViolationException</code> if the password
 * validation fails.
 * <p>
 * Example configuration:
 * <pre>
 *    <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
 *       <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.PasswordValidationAction">
 *          <!--
 *          password length must be at least 8 chars and it must contain at least
 *          one upper and one lowercase ASCII character.
 *          -->
 *          <param name="constraint" value="^.*(?=.{8,})(?=.*[a-z])(?=.*[A-Z]).*"/>
 *       </AuthorizableAction>
 *    </UserManager>
 * </pre>
 *
 * @see org.apache.jackrabbit.api.security.user.UserManager#createUser(String, String)
 * @see User#changePassword(String)
 * @see User#changePassword(String, String)
 */
public class PasswordValidationAction extends AbstractAuthorizableAction {

    /**
     * logger instance
     */
    private static final Logger log = LoggerFactory.getLogger(PasswordValidationAction.class);

    private Pattern pattern;

    //-------------------------------------------------< AuthorizableAction >---
    @Override
    public void onCreate(User user, String password, Session session) throws RepositoryException {
        validatePassword(password, false); // don't force validation of hashed passwords.
    }

    @Override
    public void onPasswordChange(User user, String newPassword, Session session) throws RepositoryException {
        validatePassword(newPassword, true); // force validation of all passwords
    }

    //---------------------------------------------------------< BeanConfig >---
    /**
     * Set the password constraint.
     *
     * @param constraint A regular expression that can be used to validate a new password.
     */
    public void setConstraint(String constraint) {
        try {
            pattern = Pattern.compile(constraint);
        } catch (PatternSyntaxException e) {
            log.warn("Invalid password constraint: {}", e.getMessage());
        }
    }

    //------------------------------------------------------------< private >---
    /**
     * Validate the specified password.
     *
     * @param password The password to be validated
     * @param forceMatch If true the specified password is always validated;
     * otherwise only if it is a plain text password.
     * @throws RepositoryException If the specified password is too short or
     * doesn't match the specified password pattern.
     */
    private void validatePassword(String password, boolean forceMatch) throws RepositoryException {
        if (password != null && (forceMatch || PasswordUtility.isPlainTextPassword(password))) {
            if (pattern != null && !pattern.matcher(password).matches()) {
                throw new ConstraintViolationException("Password violates password constraint (" + pattern.pattern() + ").");
            }
        }
    }
}