Password Validation
Behaviors
Whenever a System Administrator assigns a password or a LabVantage User changes his password, LabVantage uses properties of the Password Validator to determine if the password meets certain criteria. Passwords are not checked against these properties during logon.
Successful Logon
During logon, passwords are checked only to ensure that they are an exact match for the expected password. Following a successful logon:
a. The number of attempted logons increments. This value is in the "totalattempts" column of the SysUser table.
b. If the "Log Successful Logons" Security Option is set to "Yes", an entry is made in the Tracelog table to record the successful logon.
c. The number of unsuccessful logons resets to zero. This value is in the "failedattempts" column of the SysUser table.
Incorrect Passwords
When a "known user" (recognized by LabVantage) provides an incorrect password:
a. The number of unsuccessful logons increments. If this value reaches the "Max Logon Attempts" Security Option, the user is disabled with a reason (such as "Max logon attempts exceeded"). These values are in the "disabledflag" and "disabledreason" columns of the SysUser table. A user cannot log on if he is disabled. The System Administrator can enable (and disable) users in the Users List (see Users).
   An email notification of the disabled user is sent to the LabVantage system administrator. The server property "Security Violation Email Address" determines the destination address.
b. If the "Log Logon Failures" Security Option is set to "Yes", an entry is made in the Tracelog table to record the unsuccessful logon attempt.
c. The user is redirected to an error page.
If rules defined by the Password Validator properties have changed, the user is denied logon and prompted to change his password to match the new rules.
Expired Passwords
When a "known user" (recognized by LabVantage) provides an expired password:
a. Behavior is the same as Incorrect Passwords, items a and b.
b. Also, if LabVantage detects that the password has expired or is about to expire, it loads a page (WEB-CORE/error/password.jsp). If the password has expired, this page lets the user change the password. If the password is about to expire, the user has the option of ignoring the expiry warning. The LVX Profile Properties Password Expiry Days and Password Expiry Warning determine if expiry warnings are issued to the user (see Password-Related Logon Options below).
Unknown User
When an "unknown user" (not recognized by LabVantage) attempts to log on, an entry is made in the Tracelog table to record the unsuccessful logon attempt and the user is denied access. Error messages for known and unknown user logon attempts are the same. As in Incorrect Passwords, item a, an email notification of the disabled user is sent to the LabVantage system administrator.
Password-Related Logon Options
Set password logon options using the Security Options described in the System Configuration settings.
Password Validator Properties
The Password Validator lets you define what constitutes a "valid password".
Property Name | Description
Exact Length | To require that valid passwords consist of a specified number of contiguous characters, enter the number of characters. Leave the Minimum Length and Maximum Length (below) blank.
Minimum Length | To require that valid passwords consist of at least a minimum number of contiguous characters, enter the minimum number of characters. Leave the Exact Length (above) blank.
Maximum Length | To require that valid passwords consist of less than a certain number of contiguous characters, enter the maximum number of allowable characters. Leave the Exact Length (above) blank.
Letter Only | "Yes" restricts valid passwords to only alphabetic characters. Numeric characters and symbols will be disallowed.
Number Only | "Yes" restricts valid passwords to only numeric characters. Alphabetic characters and symbols will be disallowed.
Alphanumerics Only | "Yes" restricts valid passwords to only alphabetic and numeric characters. Symbols will be disallowed.
At Least 1 Letter | "Yes" requires that valid passwords contain at least one alphabetic character.
At Least 1 Lower Case Letter | "Yes" requires that valid passwords contain at least one lower case alphabetic character. This works only if System Configuration → Security Options is set up to use case-sensitive passwords.
At Least 1 Upper Case Letter | "Yes" requires that valid passwords contain at least one upper case alphabetic character. This works only if System Configuration → Security Options is set up to use case-sensitive passwords.
At Least 1 Number | "Yes" requires that valid passwords contain at least one numeric character.
At Least 1 Symbol | "Yes" requires that valid passwords contain at least one symbol.
Stop UserId | "Yes" requires that valid passwords be different from the current user's User Id.
Stop List | Passwords that will be rejected as invalid. Use Add Word to add a disallowed password.
Stop Repeats (count) | When a User changes his password, "Yes" prevents reuse of the same password this many consecutive times.
Stop Repeats (days) | When a User changes his password, "Yes" prevents reuse of the same password within this number of days.
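
Several of these properties constrain one another, so a property set can end up rejecting every password or containing settings that do nothing. The following consistency check is an added example, not LabVantage code: the property names are taken from the table above, while the dictionary representation, the hypothetical `lint_policy` function, its `case_sensitive` argument and the sample values are assumptions made for illustration.

```python
# Added example: audits a Password Validator property set for conflicts.
# Keys are the property names from the table; a missing key means "left blank".
ALL = {"letter", "number", "symbol"}
RESTRICT = {"Letter Only": {"letter"}, "Number Only": {"number"},
            "Alphanumerics Only": {"letter", "number"}}
REQUIRE = {"At Least 1 Letter": "letter",
           "At Least 1 Lower Case Letter": "letter",
           "At Least 1 Upper Case Letter": "letter",
           "At Least 1 Number": "number",
           "At Least 1 Symbol": "symbol"}

def lint_policy(props, case_sensitive):
    """Return a list of findings; an empty list means no conflict was found."""
    findings = []
    on = lambda name: props.get(name) == "Yes"
    exact, lo, hi = (props.get(k) for k in
                     ("Exact Length", "Minimum Length", "Maximum Length"))
    # The table says Exact Length excludes Minimum/Maximum Length.
    if exact is not None and (lo is not None or hi is not None):
        findings.append("Exact Length is set; Minimum/Maximum Length must be blank")
    if lo is not None and hi is not None and lo > hi:
        findings.append("Minimum Length is greater than Maximum Length")
    # Intersect every enabled "Only" restriction to get the usable classes.
    allowed = set(ALL)
    for name, classes in RESTRICT.items():
        if on(name):
            allowed &= classes
    if not allowed:
        findings.append("Letter Only and Number Only together allow no characters")
    for name, cls in REQUIRE.items():
        if on(name) and cls not in allowed:
            findings.append(f"{name} requires a {cls}, which another property disallows")
        # Case requirements work only with case-sensitive passwords.
        if on(name) and "Case" in name and not case_sensitive:
            findings.append(f"{name} has no effect: passwords are not case-sensitive")
    return findings

# Constructed sample property sets (not taken from a real installation).
SAMPLE_BAD = {"Exact Length": 8, "Minimum Length": 6, "Number Only": "Yes",
              "At Least 1 Upper Case Letter": "Yes", "Stop UserId": "Yes"}
SAMPLE_OK = {"Minimum Length": 12, "At Least 1 Letter": "Yes",
             "At Least 1 Number": "Yes", "Stop UserId": "Yes"}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_BAD, case_sensitive=False):
        print("-", finding)
```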
Password Encryption
LabVantage installations running under JDK 1.5 or higher implement RSA password encryption (Rivest/Shamir/Adleman at MIT) using a jsbn (JavaScript Big Integer implementation) library developed by Thomas J. Wu of Stanford University (http://www-cs-students.stanford.edu/~tjw/).
Functionality:
To use the JavaScript encryption on a custom logon page, the page requires:
• An include for the JavaScript, calling <%=sapphire.util.HttpUtil.getEncryptionJS()%>.
• Immediately prior to submitting the logon form, the password field must be encrypted by calling the JavaScript method sapphire.encryptField( fieldid ), which is called on the sapphire core object in the JavaScript Public API.
Password Validation in Java Methods
In sapphire.accessor.ConnectionProcessor, the methods getConnectionId(), checkUser() and changePassword() call an authenticateUser routine that makes certain all of the following conditions are true:
• The user exists (it cannot authenticate a "system" user).
• The user is not disabled.
• Users are not accessing tools incompatible with their user type.
• The entered password matches the expected password.
• The password criteria match those defined in the Password Validator.
• The licensed user counts are not exceeded.
• The password has not expired or is within the expiry warning time.
Also in sapphire.accessor.ConnectionProcessor, the isValidPassword() method lets you ensure a user changes his password if the Password Validator criteria have changed.