Re: svn commit: r1418996 - in /ofbiz/trunk/framework: common/config/SecurityextUiLabels.xml common/src/org/ofbiz/common/login/LoginServices.java security/config/security.properties

> Author: jleroux
> Date: Sun Dec  9 14:59:52 2012
> New Revision: 1418996
>
> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
> Log:
> A slightly modified patch from Sumit Pandit for "Additional Validation for Password  : Make password pattern driven" https://issues.apache.org/jira/browse/OFBIZ-4958
>
> Provides an additional validation for password  with following capability to the system:
>
> Admin can enable/disable pattern based password capability of system. Configuration will reside in security.property file.
>   To enable : security.login.password.pattern.enable=true
>   To disable: security.login.password.pattern.enable=false
>
> Admin is flexible to provide his pattern string by making pattern more/less restrictive as per system requirement. Configuration will reside in security.property file.
>   Example: security.login.password.pattern=^.*(?=. {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>
> Admin can provide custom error message string which will display to end user if wrong password is entered. Configuration will reside in security.properity file.
>
> jleroux: I quickly handled the error message localisation for the OOTB case. It's more complicated when the pattern gets complex...
>
> Modified:
>      ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>      ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>      ofbiz/trunk/framework/security/config/security.properties
>

> On 12/9/2012 2:59 PM, [hidden email] wrote:
>> Author: jleroux
>> Date: Sun Dec  9 14:59:52 2012
>> New Revision: 1418996
>>
>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>> Log:
>> A slightly modified patch from Sumit Pandit for "Additional Validation for Password  : Make password pattern driven"
>> https://issues.apache.org/jira/browse/OFBIZ-4958 
>>
>> Provides an additional validation for password  with following capability to the system:
>>
>> Admin can enable/disable pattern based password capability of system. Configuration will reside in security.property file.
>>   To enable : security.login.password.pattern.enable=true
>>   To disable: security.login.password.pattern.enable=false
>>
>> Admin is flexible to provide his pattern string by making pattern more/less restrictive as per system requirement. Configuration
>>   will reside in security.property file. Example: security.login.password.pattern=^.*(?=. {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>
>> Admin can provide custom error message string which will display to end user if wrong password is entered. Configuration will
>> reside in security.properity file.
>>
>> jleroux: I quickly handled the error message localisation for the OOTB case. It's more complicated when the pattern gets
>> complex...
>>
>> Modified:
>>      ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>      ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>      ofbiz/trunk/framework/security/config/security.properties
>>
>
> Modified:
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
> ==============================================================================
> ---
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> (original) +++
> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
> import java.util.List; import java.util.Locale; import java.util.Map;
> +import java.util.regex.Matcher; +import java.util.regex.Pattern; import
> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
> LoginServices { public static final String module =
> LoginServices.class.getName(); public static final String resource =
> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
> "true".equals(UtilProperties.getPropertyValue("security.properties",
> "security.login.password.pattern.enable")); + public static String
> passwordPattern = UtilProperties.getPropertyValue("security.properties",
> "security.login.password.pattern");
>
>
> Please do not store property values in static class fields - that makes
> it impossible to change the settings at run-time.
>
> -Adrian

> Adrian Crum wrote:
>> On 12/9/2012 2:59 PM, [hidden email] wrote:
>>> Author: jleroux
>>> Date: Sun Dec  9 14:59:52 2012
>>> New Revision: 1418996
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>> Log:
>>> A slightly modified patch from Sumit Pandit for "Additional  
>>> Validation for Password  : Make password pattern driven"
>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>
>>> Provides an additional validation for password  with following  
>>> capability to the system:
>>>
>>> Admin can enable/disable pattern based password capability of  
>>> system. Configuration will reside in security.property file.
>>>   To enable : security.login.password.pattern.enable=true
>>>   To disable: security.login.password.pattern.enable=false
>>>
>>> Admin is flexible to provide his pattern string by making pattern  
>>> more/less restrictive as per system requirement. Configuration
>>>   will reside in security.property file. Example:  
>>> security.login.password.pattern=^.*(?=.  
>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>
>>> Admin can provide custom error message string which will display  
>>> to end user if wrong password is entered. Configuration will
>>> reside in security.properity file.
>>>
>>> jleroux: I quickly handled the error message localisation for the  
>>> OOTB case. It's more complicated when the pattern gets
>>> complex...
>>>
>>> Modified:
>>>      ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>      
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>      ofbiz/trunk/framework/security/config/security.properties
>>>
>>
>> Modified:
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>> ==============================================================================
>> ---
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> (original) +++
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>> import java.util.List; import java.util.Locale; import java.util.Map;
>> +import java.util.regex.Matcher; +import java.util.regex.Pattern; import
>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>> LoginServices { public static final String module =
>> LoginServices.class.getName(); public static final String resource =
>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>> "security.login.password.pattern.enable")); + public static String
>> passwordPattern = UtilProperties.getPropertyValue("security.properties",
>> "security.login.password.pattern");
>>
>>
>> Please do not store property values in static class fields - that makes
>> it impossible to change the settings at run-time.
>>
>> -Adrian
>
> Sorry it's a bit more involved than expected for this morning, could  
> you please adapt it to follow your need?
> Just curious, are you using PropertyUtils class of Apache commons  
> beanutils to modify properties of Java object at runtime?
>
> Read more:  
> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>

> Quoting Jacques Le Roux <[hidden email]>:
>
>> Adrian Crum wrote:
>>> On 12/9/2012 2:59 PM, [hidden email] wrote:
>>>> Author: jleroux
>>>> Date: Sun Dec  9 14:59:52 2012
>>>> New Revision: 1418996
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>>> Log:
>>>> A slightly modified patch from Sumit Pandit for "Additional
>>>> Validation for Password  : Make password pattern driven"
>>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>>
>>>> Provides an additional validation for password  with following
>>>> capability to the system:
>>>>
>>>> Admin can enable/disable pattern based password capability of
>>>> system. Configuration will reside in security.property file.
>>>>   To enable : security.login.password.pattern.enable=true
>>>>   To disable: security.login.password.pattern.enable=false
>>>>
>>>> Admin is flexible to provide his pattern string by making pattern
>>>> more/less restrictive as per system requirement. Configuration
>>>>   will reside in security.property file. Example:
>>>> security.login.password.pattern=^.*(?=.
>>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>>
>>>> Admin can provide custom error message string which will display
>>>> to end user if wrong password is entered. Configuration will
>>>> reside in security.properity file.
>>>>
>>>> jleroux: I quickly handled the error message localisation for the
>>>> OOTB case. It's more complicated when the pattern gets
>>>> complex...
>>>>
>>>> Modified:
>>>>      ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>>    
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>>      ofbiz/trunk/framework/security/config/security.properties
>>>>
>>>
>>> Modified:
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>
>>> (original) +++
>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>
>>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>>> import java.util.List; import java.util.Locale; import java.util.Map;
>>> +import java.util.regex.Matcher; +import java.util.regex.Pattern;
>>> import
>>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>>> LoginServices { public static final String module =
>>> LoginServices.class.getName(); public static final String resource =
>>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>>> "security.login.password.pattern.enable")); + public static String
>>> passwordPattern =
>>> UtilProperties.getPropertyValue("security.properties",
>>> "security.login.password.pattern");
>>>
>>>
>>> Please do not store property values in static class fields - that
>>> makes
>>> it impossible to change the settings at run-time.
>>>
>>> -Adrian
>>
>> Sorry it's a bit more involved than expected for this morning, could
>> you please adapt it to follow your need?
>> Just curious, are you using PropertyUtils class of Apache commons
>> beanutils to modify properties of Java object at runtime?
>>
>> Read more:
>> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>>
>>
>
> No, I use a text editor to modify the properties file.

> On 12/11/2012 03:46 AM, [hidden email] wrote:
>> Quoting Jacques Le Roux <[hidden email]>:
>>
>>> Adrian Crum wrote:
>>>> On 12/9/2012 2:59 PM, [hidden email] wrote:
>>>>> Author: jleroux
>>>>> Date: Sun Dec  9 14:59:52 2012
>>>>> New Revision: 1418996
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>>>> Log:
>>>>> A slightly modified patch from Sumit Pandit for "Additional
>>>>> Validation for Password  : Make password pattern driven"
>>>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>>>
>>>>> Provides an additional validation for password  with following
>>>>> capability to the system:
>>>>>
>>>>> Admin can enable/disable pattern based password capability of
>>>>> system. Configuration will reside in security.property file.
>>>>>    To enable : security.login.password.pattern.enable=true
>>>>>    To disable: security.login.password.pattern.enable=false
>>>>>
>>>>> Admin is flexible to provide his pattern string by making pattern
>>>>> more/less restrictive as per system requirement. Configuration
>>>>>    will reside in security.property file. Example:
>>>>> security.login.password.pattern=^.*(?=.
>>>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>>>
>>>>> Admin can provide custom error message string which will display
>>>>> to end user if wrong password is entered. Configuration will
>>>>> reside in security.properity file.
>>>>>
>>>>> jleroux: I quickly handled the error message localisation for the
>>>>> OOTB case. It's more complicated when the pattern gets
>>>>> complex...
>>>>>
>>>>> Modified:
>>>>>       ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>>>      
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>>       ofbiz/trunk/framework/security/config/security.properties
>>>>>
>>>> Modified:
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> (original) +++
>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>
>>>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>>>> import java.util.List; import java.util.Locale; import java.util.Map;
>>>> +import java.util.regex.Matcher; +import java.util.regex.Pattern;
>>>> import
>>>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>>>> LoginServices { public static final String module =
>>>> LoginServices.class.getName(); public static final String resource =
>>>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>>>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>>>> "security.login.password.pattern.enable")); + public static String
>>>> passwordPattern =
>>>> UtilProperties.getPropertyValue("security.properties",
>>>> "security.login.password.pattern");
>>>>
>>>>
>>>> Please do not store property values in static class fields - that
>>>> makes
>>>> it impossible to change the settings at run-time.
>>>>
>>>> -Adrian
>>> Sorry it's a bit more involved than expected for this morning, could
>>> you please adapt it to follow your need?
>>> Just curious, are you using PropertyUtils class of Apache commons
>>> beanutils to modify properties of Java object at runtime?
>>>
>>> Read more:
>>> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>>>
>>>
>> No, I use a text editor to modify the properties file.
> And then you go to /webtools/ and clear a cache item, and expect
> anything that has previously read the .properties file to get the new
> value.
>
> The way this code is written, is that the value will be read *once*
> when the class is loaded, and then no new value will ever be read.
>
> (this is not directed at Adrian)

> On 12/11/2012 6:34 PM, Adam Heath wrote:
>> On 12/11/2012 03:46 AM, [hidden email] wrote:
>>> Quoting Jacques Le Roux <[hidden email]>:
>>>
>>>> Adrian Crum wrote:
>>>>> On 12/9/2012 2:59 PM, [hidden email] wrote:
>>>>>> Author: jleroux
>>>>>> Date: Sun Dec  9 14:59:52 2012
>>>>>> New Revision: 1418996
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=1418996&view=rev
>>>>>> Log:
>>>>>> A slightly modified patch from Sumit Pandit for "Additional
>>>>>> Validation for Password  : Make password pattern driven"
>>>>>> https://issues.apache.org/jira/browse/OFBIZ-4958
>>>>>>
>>>>>> Provides an additional validation for password  with following
>>>>>> capability to the system:
>>>>>>
>>>>>> Admin can enable/disable pattern based password capability of
>>>>>> system. Configuration will reside in security.property file.
>>>>>>    To enable : security.login.password.pattern.enable=true
>>>>>>    To disable: security.login.password.pattern.enable=false
>>>>>>
>>>>>> Admin is flexible to provide his pattern string by making pattern
>>>>>> more/less restrictive as per system requirement. Configuration
>>>>>>    will reside in security.property file. Example:
>>>>>> security.login.password.pattern=^.*(?=.
>>>>>> {5,})(?=.[a-zA-Z])(?=.[!@#$%^&*]).*$
>>>>>>
>>>>>> Admin can provide custom error message string which will display
>>>>>> to end user if wrong password is entered. Configuration will
>>>>>> reside in security.properity file.
>>>>>>
>>>>>> jleroux: I quickly handled the error message localisation for the
>>>>>> OOTB case. It's more complicated when the pattern gets
>>>>>> complex...
>>>>>>
>>>>>> Modified:
>>>>>>       ofbiz/trunk/framework/common/config/SecurityextUiLabels.xml
>>>>>>      
>>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>>
>>>>>>       ofbiz/trunk/framework/security/config/security.properties
>>>>>>
>>>>> Modified:
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java?rev=1418996&r1=1418995&r2=1418996&view=diff
>>>>>
>>>>> ==============================================================================
>>>>>
>>>>> ---
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> (original) +++
>>>>> ofbiz/trunk/framework/common/src/org/ofbiz/common/login/LoginServices.java
>>>>>
>>>>> Sun Dec 9 14:59:52 2012 @@ -23,6 +23,8 @@ import java.sql.Timestamp;
>>>>> import java.util.List; import java.util.Locale; import java.util.Map;
>>>>> +import java.util.regex.Matcher; +import java.util.regex.Pattern;
>>>>> import
>>>>> javax.transaction.Transaction; @@ -62,6 +64,8 @@ public class
>>>>> LoginServices { public static final String module =
>>>>> LoginServices.class.getName(); public static final String resource =
>>>>> "SecurityextUiLabels"; + public static boolean usePasswordPattern =
>>>>> "true".equals(UtilProperties.getPropertyValue("security.properties",
>>>>> "security.login.password.pattern.enable")); + public static String
>>>>> passwordPattern =
>>>>> UtilProperties.getPropertyValue("security.properties",
>>>>> "security.login.password.pattern");
>>>>>
>>>>>
>>>>> Please do not store property values in static class fields - that
>>>>> makes
>>>>> it impossible to change the settings at run-time.
>>>>>
>>>>> -Adrian
>>>> Sorry it's a bit more involved than expected for this morning, could
>>>> you please adapt it to follow your need?
>>>> Just curious, are you using PropertyUtils class of Apache commons
>>>> beanutils to modify properties of Java object at runtime?
>>>>
>>>> Read more:
>>>> http://javarevisited.blogspot.com/2012/04/java-propertyutils-example-getting-and.html#ixzz2Ej9FUJIY
>>>>
>>>>
>>> No, I use a text editor to modify the properties file.
>> And then you go to /webtools/ and clear a cache item, and expect
>> anything that has previously read the .properties file to get the new
>> value.
>>
>> The way this code is written, is that the value will be read *once*
>> when the class is loaded, and then no new value will ever be read.
>>
>> (this is not directed at Adrian)
>
> Thanks Adam.
>
> -Adrian

> On 12/11/2012 6:34 PM, Adam Heath wrote:
>> On 12/11/2012 03:46 AM, [hidden email] wrote:
>>> Quoting Jacques Le Roux <[hidden email]>:
>>>> Adrian Crum wrote:
>>>>> On 12/9/2012 2:59 PM, [hidden email] wrote:
>>> No, I use a text editor to modify the properties file.
>> And then you go to /webtools/ and clear a cache item, and expect
>> anything that has previously read the .properties file to get the new
>> value.
>>
>> The way this code is written, is that the value will be read *once*
>> when the class is loaded, and then no new value will ever be read.
>>
>> (this is not directed at Adrian)
>
> Thanks Adam.
>
> -Adrian

> Why this did not get through, any ideas :/ !
> I cut and remove the links to try again
>
> ----- Original Message -----
> From: "Jacques Le Roux" <[hidden email]>
> To: <[hidden email]>
> Sent: Wednesday, December 12, 2012 10:00 AM
> Subject: Re: svn commit: r1418996 - in /ofbiz/trunk/framework: common/config/SecurityextUiLabels.xml common/src/org/ofbiz/common/login/LoginServices.java security/config/security.properties
> From: "Adrian Crum" <[hidden email]>
>> On 12/11/2012 6:34 PM, Adam Heath wrote:
>>> On 12/11/2012 03:46 AM, [hidden email] wrote:
>>>> Quoting Jacques Le Roux <[hidden email]>:
>>>>> Adrian Crum wrote:
>>>>>> On 12/9/2012 2:59 PM, [hidden email] wrote:
>>>> No, I use a text editor to modify the properties file.
>>> And then you go to /webtools/ and clear a cache item, and expect
>>> anything that has previously read the .properties file to get the new
>>> value.
>>>
>>> The way this code is written, is that the value will be read *once*
>>> when the class is loaded, and then no new value will ever be read.
>>>
>>> (this is not directed at Adrian)
>>
>> Thanks Adam.
>>
>> -Adrian
>
> Ha yes indeed, forgot properties are also cached in OFBiz.
> OK, clearing all properties.UtilProperties*Cache  is enough.
> I will have a new look when I will get a chance, it needs some refactoring...
> There are a handful of others but none of them seem important
>
> Jacques
>