Skip to content

DRYD-2002: Password Complexity Requirements#550

Open
mikejritter wants to merge 11 commits into
collectionspace:developfrom
mikejritter:feature/dryd-2002-passwords
Open

DRYD-2002: Password Complexity Requirements#550
mikejritter wants to merge 11 commits into
collectionspace:developfrom
mikejritter:feature/dryd-2002-passwords

Conversation

@mikejritter

@mikejritter mikejritter commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What does this do?

  • Add tenant binding configuration for password requirements
  • Add basic password requirement validators
  • Add endpoint to get password requirement config
  • Validate passwords during Account create and update requests
  • Validate passwords during password reset requests
  • Pass password requirement config to the service-ui template for form validation

Why are we doing this? (with JIRA link)
Jira: https://collectionspace.atlassian.net/browse/DRYD-2002

This is for better compatibility for the HECVAT. It adds configurable password requirements through the tenant bindings and applies them to the Account create/update endpoints as well as the password reset request. For validation in the front end, the password requirement config is passed as a Map to the service-ui template which handles rendering of the form.

How should this be tested? Do these changes have associated tests?

Dependencies for merging? Releasing to production?
It should be noted this work is done on top of the #547 PR

Has the application documentation been updated for these changes?
No. Documentation will need to be added.

Did someone actually run this code to verify it works?
@mikejritter tested locally

Have any new security vulnerabilities been handled?
n/a

@mikejritter mikejritter marked this pull request as ready for review July 6, 2026 21:45
@mikejritter mikejritter requested a review from spirosdi July 6, 2026 21:45
@spirosdi

spirosdi commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

public static void validatePassword(String password) {
if (password == null) {
String msg = "Password missing ";
logger.error(msg);
throw new IllegalArgumentException(msg);
}
if (password.length() < MIN_PASSWORD_LENGTH
|| password.length() > MAX_PASSWORD_LENGTH) {
String msg = "Bad password: '"+password+"': length should be >= "
+ MIN_PASSWORD_LENGTH + " and <= " + MAX_PASSWORD_LENGTH;
logger.error(msg);
throw new IllegalArgumentException(msg);
}
}
should be skipped when tenant config is set. Otherwise min 8/max 24 runs on every create/update/reset and tenant config is ignored.

The legacy check error message includes the password:
image
We should definitely drop that.

PasswordRequirementConfig passwordRequirementConfig = tenantBinding.getPasswordRequirementConfig();
if (passwordRequirementConfig != null && passwordRequirementConfig.isEnabled()) {
uiConfig.put("passwordRequirements", Map.of(
"minLength", passwordRequirementConfig.getMinLength(),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getMinLength() is a nullable Integer (minOccurs="0" in tenant.xsd) so this throws a NPE when minLength is not set. I confirmed getting a 500 on the reset page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants