This chapter includes the following sections:
WebLogic Server includes a Password Validation provider, which is configured by default in each security realm. The Password Validation provider manages and enforces a set of configurable password composition rules, and is automatically invoked by a supported authentication provider whenever a password is created or updated for a user in the realm. When invoked, the Password Validation provider performs a check to determine whether the password meets the criteria established by the composition rules. The password is then accepted or rejected as appropriate.
The following authentication providers can be used with the Password Validation provider:
WebLogic Authentication provider
SQL Authenticator provider
LDAP Authentication provider
Oracle Internet Directory Authentication Provider
Oracle Virtual Directory Authentication Provider
Active Directory Authentication provider
ODSEE Authentication provider
Novell Authentication provider
Open LDAP Authentication provider
For information about configuring the Password Validation provider in the WebLogic Server Administration Console, see Configure the Password Validation provider in the Oracle WebLogic Server Administration Console Online Help.
By default, the Password Validation provider is configured to require passwords that have a minimum length of eight characters. When used with one of the supported LDAP authentication providers listed in the preceding section, the Password Validation provider also requires that passwords meet the additional criteria listed in Table 17-1.
Table 17-1 Additional Password Composition Rules Required by Password Validation Provider When Used with an LDAP Authentication Provider
|LDAP Authentication Provider||Additional Password Composition Requirement|
At least one of the characters in the password must be numeric.
At least one of the characters in the password must be non-alphabetic. For example, a numeric character, an asterisk (*), or an octothorpe (#).
The password composition rules you optionally can configure for the Password Validation provider include the following:
User name policies — Rules that determine whether the password may consist of or contain the user's name, or the reverse of that name
Password length policies — Rules for the minimum or maximum number of characters in a password (composition rules may specify both a minimum and maximum length)
Character policies — Rules regarding the inclusion of the following characters in the password:
Lowercase alphabetic characters
Uppercase alphabetic characters
For information about the specific composition rules that may be configured for the Password Validation provider, including the settings for these rules that Oracle recommends for a production environment, see "System Password Validation Provider: Provider Specific" in the Oracle WebLogic Server Administration Console Online Help.
Setting password composition rules is only one component of hardening the WebLogic Server environment against brute-force password attacks. To protect user accounts, you should also configure user lockout. User lockout specifies the number of incorrect passwords that may be entered within a given interval of time before the user is locked out of his or her account. For more information, see Protecting User Accounts.
By default, the WebLogic Authentication provider requires a minimum password length of 8 characters, of which one is non-alphabetic. However, the minimum password length enforced by this provider can be customized. If the WebLogic Authentication provider and Password Validation provider are both configured in the security realm, and you attempt to create a password that does not meet the minimum length enforced by the WebLogic Authentication provider, an error is generated. For example, the following message is displayed in the WebLogic Server Administration Console:
Error [Security:090285]password must be at least 8 characters long Error Errors must be corrected before proceeding.
If the WebLogic Authentication provider rejects a password because it does not meet the minimum length requirement, the Password Validation provider is not called. To ensure that the Password Validator is always used in conjunction with the WebLogic Authentication provider, make sure that the minimum password length is the same for both providers.
Using the WebLogic Server Administration Console, you can set the minimum password length for WebLogic Authentication provider by completing the following steps:
For information about how to set the minimum password length in the Password Validation provider, see Using WLST to Create and Configure the Password Validation Provider.
When the Password Validation provider and an LDAP Authentication provider (for example, Oracle Internet Directory Authentication provider) are configured in the security realm, passwords are validated through two separate policy checks: one from Password Validation provider, and the other from the LDAP server, which has its own password policy check. For example, Oracle Internet Directory has its own password validation mechanism, which is controlled by the LDAP server administrator. These two password validation mechanisms are separate, and each has its own set of password composition rules. If the composition rules are inconsistent, failures may occur in the WebLogic Server Administration Console when you try to create or reset a password, even if the rules for the Password Validation provider are enforced. Therefore you should make sure that the password composition rules for the Password Validation provider do not conflict with those for the LDAP server.
The Password Validation provider can be administered in the security realm via a WLST script that performs operations on the
SystemPasswordValidatorMBean, described in the MBean Reference for Oracle WebLogic Server. You may create and configure the Password Validation provider from a single WLST script, or you may have separate scripts that perform these functions separately. The following topics explain how, providing sample WLST code snippets:
The Password Validation provider is created automatically in the security realm when you create a new domain. However, you can use WLST to create one as well, as shown in Example 17-1. This code does the following:
SystemPasswordValidator) has been created:
If the provider has been created, the script displays a message confirming its presence.
If the provider has not been created, the script creates it in the security realm and displays a message indicating that it has been created.
Example 17-1 Creating the System Password Validator
edit() startEdit() realm = cmo.getSecurityConfiguration().getDefaultRealm() pwdvalidator = realm.lookupPasswordValidator('SystemPasswordValidator') if pwdvalidator: print 'Password Validator provider is already created' else: # Create SystemPasswordValidator syspwdValidator = realm.createPasswordValidator('SystemPasswordValidator', 'com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator') print "--- Creation of System Password Validator succeeded!" save() activate()
The following example shows the WLST code that sets the composition rules for the Password Validation provider. For information about the rule attributes that can be set in this script, see the description of the
SystemPasswordValidatorMBean in the MBean Reference for Oracle WebLogic Server.
edit() startEdit() # Configure SystemPasswordValidator try: pwdvalidator.setMinPasswordLength(8) pwdvalidator.setMaxPasswordLength(12) pwdvalidator.setMaxConsecutiveCharacters(3) pwdvalidator.setMaxInstancesOfAnyCharacter(4) pwdvalidator.setMinAlphabeticCharacters(1) pwdvalidator.setMinNumericCharacters(1) pwdvalidator.setMinLowercaseCharacters(1) pwdvalidator.setMinUppercaseCharacters(1) pwdvalidator.setMinNonAlphanumericCharacters(1) pwdvalidator.setMinNumericOrSpecialCharacters(1) pwdvalidator.setRejectEqualOrContainUsername(true) pwdvalidator.setRejectEqualOrContainReverseUsername(true) print " --- Configuration of SystemPasswordValidator complete ---" except Exception,e: print e save() activate()