SOLVED

AEM User password policy

Eric_Stricker (Level 4)

AEM 6.5.4 -

I was looking for a guide/sample on user password management. I found references to the 6.1 and even 5.x versions, some of which are no longer available. Is there something more current?

1. Configuring the user password policy

a. Max age allowed for a password

b. How many characters

c. Password Complexity rules

d. How often you can repeat your password

e. Disable user after x number of failed tries

....

2. Through servlets/models, have back-end functions that will be called from our own site pages

a. Forgot my UserID

b. Forgot my password

c. Validate complexity and the updated password

d. Reset password

e. Unlock user account

....

1 Accepted Solution

Correct answer by Mayank_Gandhi (Community Advisor)

4 Replies

Mayank_Gandhi (Community Advisor)
Eric_Stricker (Level 4)
@Mayank_Gandhi, thank you. Let me have a look and see if we can get the answers from there.
Eric_Stricker (Level 4)

Some additional comments for others

1. Password complexity: "Apache Jackrabbit Oak AuthorizableActionProvider" (https://jackrabbit.apache.org/oak/docs/security/user/authorizableaction.html) (http://www.sgaemsolutions.com/2019/10/how-to-set-password-policy-for-aem-users.html?m=1)

2. For AEM Forms on JEE there is a feature to disable a user after x failed login tries, plus a second parameter to unlock the account automatically after y minutes.

(https://docs.adobe.com/content/help/en/experience-manager-65/forms/administrator-help/setup-manage-d...)

This feature was also requested before for AEM on OSGi; see AEM Account Lockout feature request (https://experienceleaguecommunities.adobe.com/t5/adobe-experience-cloud-ideas/aem-account-lockout-fe...).

@Mayank_Gandhi Any update on the status of this?

As a solution:

There is a suggestion to overwrite the /libs/granite/core/components/login/login.jsp to add a counter to the user account. See AEM Account lock feature (https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-account-lock-feature/t...).

You can then combine this with the "rep:disabled" node under a user account to disable the user after x failed tries, and either force the user to reset his/her password or write a scheduled job to find and enable these accounts again after x minutes.
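The scheduled re-enable job described in this reply, written out as an added example; it is not code from the thread, from Adobe, or from the linked community posts. It assumes a hypothetical convention in which the modified login handler disables a locked user with `User.disable("lockout:<epochMillis>")`, a service-user mapping named `lockout-expiry` with write access to the user home, and a 30-minute lockout window; the package name is also invented. Oak stores the lock as the `rep:disabled` property on the user node, and the job only touches accounts whose disabled reason carries the `lockout:` prefix, so accounts an administrator disabled by hand stay disabled.

```java
package com.example.aem.security; // hypothetical package, not from the thread

import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import javax.jcr.RepositoryException;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Sling scheduled job that re-enables user accounts which an (assumed) customised
 * login handler disabled after too many failed attempts. The handler is assumed to
 * call User.disable("lockout:<epochMillis>"), so the disabled reason carries the
 * lockout time. Any other reason (e.g. an admin disabling a user) is left untouched.
 */
@Component(service = Runnable.class, immediate = true, property = {
        "scheduler.expression=0 */5 * * * ?",   // run every five minutes
        "scheduler.concurrent:Boolean=false"    // never overlap two runs
})
public class LockoutExpiryJob implements Runnable {

    private static final Logger LOG = LoggerFactory.getLogger(LockoutExpiryJob.class);

    static final String LOCKOUT_PREFIX = "lockout:";   // assumed reason convention
    static final long LOCKOUT_MINUTES = 30;            // the "x minutes" of the reply
    private static final String SUBSERVICE = "lockout-expiry"; // assumed service-user mapping

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Override
    public void run() {
        Map<String, Object> auth =
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            UserManager userManager = resolver.adaptTo(UserManager.class);
            if (userManager == null) {
                LOG.warn("Service user {} cannot adapt to UserManager", SUBSERVICE);
                return;
            }
            // Only authorizables that carry a rep:disabled property are candidates.
            Iterator<Authorizable> disabled = userManager.findAuthorizables(new Query() {
                @Override
                public <T> void build(QueryBuilder<T> builder) {
                    builder.setCondition(builder.exists("rep:disabled"));
                }
            });
            long now = System.currentTimeMillis();
            int reenabled = 0;
            while (disabled.hasNext()) {
                Authorizable candidate = disabled.next();
                if (candidate.isGroup()) {
                    continue;
                }
                User user = (User) candidate;
                if (shouldReenable(user.getDisabledReason(), now)) {
                    user.disable(null);  // a null reason enables the account again
                    reenabled++;
                    // Audit trail: every automatic unlock is logged with the user id.
                    LOG.info("Lockout expired, re-enabled user {}", user.getID());
                }
            }
            if (reenabled > 0) {
                resolver.commit();  // the UserManager changes live in this resolver's session
            }
        } catch (LoginException | RepositoryException | PersistenceException e) {
            LOG.error("Lockout expiry job failed", e);
        }
    }

    /** True only for lockout reasons older than LOCKOUT_MINUTES; manual disables stay disabled. */
    static boolean shouldReenable(String reason, long now) {
        if (reason == null || !reason.startsWith(LOCKOUT_PREFIX)) {
            return false;
        }
        try {
            long lockedAt = Long.parseLong(reason.substring(LOCKOUT_PREFIX.length()));
            return now - lockedAt >= TimeUnit.MINUTES.toMillis(LOCKOUT_MINUTES);
        } catch (NumberFormatException e) {
            return false;  // malformed reason: leaving the account disabled is the safe default
        }
    }
}
```

Two things worth checking when wiring this up. First, the service user behind `lockout-expiry` needs write permission on the user home (normally `/home/users`), and the unlock log lines above are the signal to feed into monitoring so that a burst of automatic unlocks for many accounts stands out. Second, a lockout counter keyed on the user name lets anyone who knows a user id keep that account locked by failing logins on purpose, so a short auto-unlock window plus rate limiting at the reverse proxy is the usual balance. For the complexity rules in point 1 of this reply, the Oak page linked above covers the built-in `PasswordValidationAction`, which is enabled through the `enabledActions` and `passwordConstraint` (regex) settings of `DefaultAuthorizableActionProvider`, and Oak's user configuration also has `passwordMaxAge` and `passwordHistorySize` parameters for the maximum age and reuse limits asked about in the original question.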

Eric_Stricker (Level 4)

To add on, I came across this example that overrides the /j_security_check. We can look at this and adjust it accordingly to implement our failed user count. Will try to do this in the coming days.

https://helpx.adobe.com/experience-manager/using/twofactor64.html