
AEM User password policy


AEM 6.5.4 -

I was looking for a guide / sample on user password management. I found references to 6.1 and even 5.x versions, some no longer available. Is there something more current?


1. Configuring the user password policy

a. Max age allowed for a password

b. How many characters

c. Password complexity rules

d. How often you can repeat your password

e. Disable the user after x failed tries

....

2. Through servlets/models, have back-end functions that will be called from our own site pages

a. Forgot my UserID

b. Forgot my password

c. Validate complexity and the updated password

d. Reset password

e. Unlock user account

....

1 Accepted Solution

Correct answer by Employee Advisor

4 Replies

@Mayank_Gandhi, thank you. Let me have a look and see if we can get the answers from there.


Some additional comments for others:

1. Password complexity: "Apache Jackrabbit Oak AuthorizableActionProvider" (https://jackrabbit.apache.org/oak/docs/security/user/authorizableaction.html) (http://www.sgaemsolutions.com/2019/10/how-to-set-password-policy-for-aem-users.html?m=1)

2. For AEM Forms on JEE there is a feature to disable a user after x failed login tries, plus a second parameter to unlock the account automatically after y minutes.

(https://docs.adobe.com/content/help/en/experience-manager-65/forms/administrator-help/setup-manage-d...)

This feature was also requested before for AEM on OSGi; see: AEM Account Lockout feature request (https://experienceleaguecommunities.adobe.com/t5/adobe-experience-cloud-ideas/aem-account-lockout-fe....

@Mayank_Gandhi Any update on the status of this?

As a solution:

There is a suggestion to overwrite /libs/granite/core/components/login/login.jsp to add a counter to the user account. See AEM Account lock feature (https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-account-lock-feature/t...

You can then combine this with the "rep:disabled" node under a user account to disable the user after x failed tries and either force the user to reset his/her password or write a scheduled job to find and enable these accounts again after x minutes.
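The lock / scheduled-unlock mechanism sketched in the reply above, written out as an added example for AEM 6.5 (it is not Adobe code and not code from the linked threads): an OSGi component that an overridden login path calls after a rejected login, which counts failures on the user's node and sets rep:disabled through Oak's User.disable() at the threshold, plus a Sling scheduled job that clears locks older than the configured window. The package name, the two custom property names, the thresholds and the "account-lockout" service-user mapping are assumptions.

```java
// Added example, not Adobe code. Assumptions: package name, the two custom
// property names, the thresholds, and a Sling service-user mapping for the
// subservice "account-lockout" with write access below /home/users.
package com.example.aem.lockout;

import java.util.Calendar;
import java.util.Collections;
import java.util.Iterator;
import javax.jcr.*;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Registered as a service for the login hook and as a Runnable for the Sling scheduler (every 5 min).
@Component(service = { AccountLockoutService.class, Runnable.class }, immediate = true,
        property = { "scheduler.expression=0 0/5 * * * ?", "scheduler.concurrent:Boolean=false" })
public class AccountLockoutService implements Runnable {

    // In a real deployment these belong in an OSGi configuration; constants keep the example short.
    static final int MAX_FAILED = 5;
    static final long UNLOCK_AFTER_MS = 30 * 60_000L;   // 0 would mean "manual unlock only"
    // Custom properties on the rep:User node (rep:Authorizable permits residual properties).
    static final String PROP_FAILED_COUNT = "lockoutFailedCount";
    static final String PROP_LOCKED_AT = "lockoutLockedAt";
    // Prefix on the rep:disabled reason, so the job only clears locks it created, never admin disables.
    static final String REASON_PREFIX = "lockout: ";
    static final String SUBSERVICE = "account-lockout";

    @Reference
    private ResourceResolverFactory resolverFactory;

    /** Called by the overridden login path after a rejected login. Returns true if the account is now locked. */
    public boolean recordFailedLogin(String userId) throws LoginException, RepositoryException {
        try (ResourceResolver resolver = serviceResolver()) {
            Session session = resolver.adaptTo(Session.class);
            ValueFactory vf = session.getValueFactory();
            Authorizable a = resolver.adaptTo(UserManager.class).getAuthorizable(userId);
            if (!(a instanceof User) || ((User) a).isAdmin()) {
                return false;   // unknown id or admin: nothing to lock
            }
            User user = (User) a;
            long failed = readLong(user, PROP_FAILED_COUNT) + 1;
            user.setProperty(PROP_FAILED_COUNT, vf.createValue(failed));
            boolean lock = failed >= MAX_FAILED && !user.isDisabled();
            if (lock) {
                Calendar now = Calendar.getInstance();
                user.setProperty(PROP_LOCKED_AT, vf.createValue(now));
                // User.disable(reason) writes rep:disabled; Oak then rejects logins for this user.
                user.disable(REASON_PREFIX + failed + " failed logins at " + now.getTime());
            }
            session.save();
            return lock;
        }
    }

    /** Called after a successful login so the counter does not accumulate across sessions. */
    public void recordSuccessfulLogin(String userId) throws LoginException, RepositoryException {
        try (ResourceResolver resolver = serviceResolver()) {
            Authorizable a = resolver.adaptTo(UserManager.class).getAuthorizable(userId);
            if (a instanceof User && a.removeProperty(PROP_FAILED_COUNT)) {
                resolver.adaptTo(Session.class).save();
            }
        }
    }

    /** Scheduler entry point: re-enable accounts this service locked more than UNLOCK_AFTER_MS ago. */
    @Override
    public void run() {
        if (UNLOCK_AFTER_MS <= 0) return;
        try (ResourceResolver resolver = serviceResolver()) {
            UserManager um = resolver.adaptTo(UserManager.class);
            Iterator<Authorizable> locked = um.findAuthorizables(new Query() {
                @Override
                public <T> void build(QueryBuilder<T> b) {
                    b.setSelector(User.class);
                    b.setCondition(b.exists(PROP_LOCKED_AT));
                }
            });
            long cutoff = System.currentTimeMillis() - UNLOCK_AFTER_MS;
            while (locked.hasNext()) {
                User user = (User) locked.next();
                Value[] lockedAt = user.getProperty(PROP_LOCKED_AT);
                String reason = user.getDisabledReason();
                boolean ours = reason != null && reason.startsWith(REASON_PREFIX);
                if (ours && lockedAt != null && lockedAt[0].getDate().getTimeInMillis() < cutoff) {
                    user.disable(null);   // a null reason removes rep:disabled
                    user.removeProperty(PROP_LOCKED_AT);
                    user.removeProperty(PROP_FAILED_COUNT);
                }
            }
            resolver.adaptTo(Session.class).save();
        } catch (LoginException | RepositoryException e) {
            throw new IllegalStateException("account unlock job failed", e);
        }
    }

    private ResourceResolver serviceResolver() throws LoginException {
        return resolverFactory.getServiceResourceResolver(
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE));
    }

    private static long readLong(Authorizable a, String prop) throws RepositoryException {
        Value[] v = a.getProperty(prop);
        return (v == null || v.length == 0) ? 0 : v[0].getLong();
    }
}
```

Two design points worth noting. The writes go through a dedicated service user rather than the session of the user who is logging in, because a failed login has no session of its own; the service user needs nothing beyond write access under /home/users. The job keys its cleanup on both the custom timestamp property and the "lockout: " prefix in the rep:disabled reason, so an account an administrator disabled by hand is never silently re-enabled. Once rep:disabled is set, Oak itself rejects further logins for that user, so the hook only has to count and flip the flag. Password complexity, maximum age and history are separate from this and are handled by Oak's own configuration (the PasswordValidationAction regex enabled through the AuthorizableActionProvider mentioned in point 1 above, and the passwordMaxAge / passwordHistorySize parameters of Oak's user configuration), not by this example.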

To add on, I came across this example that overrides /j_security_check. We can look at this and adjust it accordingly to implement our failed-login count. Will try to do this in the coming days.

https://helpx.adobe.com/experience-manager/using/twofactor64.html