A custom event handler to restrict the use of common passwords and claim value based passwords.
Find and open the deployment.toml
file located at <IS_HOME>/repository/conf/
and append the following lines to
register the event handler, and it's subscriptions.
[[event_handler]]
name= "customPasswordPolicyHandler"
subscriptions =["PRE_UPDATE_CREDENTIAL", "PRE_UPDATE_CREDENTIAL_BY_ADMIN", "PRE_ADD_USER"]
[event_handler.properties]
enableCommonPasswordRestriction = true
enableClaimBasedPasswordRestriction = true
restrictedClaims = ["http://wso2.org/claims/username", "http://wso2.org/claims/fullname", ...]
Clone and build the project by executing the following commands sequentially:
git clone https://github.com/deshankoswatte/identity-custom-password-policy-handler.git
mvn clean install
- After successfully building the project, copy the artifacts
com.wso2.password.policy.handler-1.0.0-SNAPSHOT.jar
andcom.wso2.common-1.0.0-SNAPSHOT.jar
from the target folder and paste it inside the<IS HOME>/repository/components/dropins
folder. - Then, copy the
<COMMON_PASSWORDS_FILE_NAME.txt>
file and paste it in<IS HOME>/repository/deployment/server/commonpasswords
(Note: You should create the directorycommonpasswords
if it does not exist). You can find a sample common passwords file named<commonpasswords.txt>
attarget/classes
. - Finally, add the property
-DcommonPasswordFileName="<COMMON_PASSWORDS_FILE_NAME.txt>" \
to thewso2server.sh
file if you want to use a custom common passwords file except the default one.
You can add the following to the <IS HOME>/bin/wso2server.sh
based on your requirement (if you want to use the
DB-based common password validator only):
-DenableDBBasedCommonPasswordValidator=true \
- If you want to activate the DB-based common password validator.-DenableCustomPasswordInsert=true \
- If you have inserted new data to the<COMMON_PASSWORDS_FILE_NAME.txt>
file.-DenableCustomPasswordDelete=true \
- If you want to drop the common password repository on component deactivation.
Start your WSO2 Identity Server by executing the command sh wso2server.sh
from your <IS HOME>/bin
folder.
- Create a user/Update a user's password with a common password such as
1234
or a claim related password such as the username itself. - The user will get a prompt saying that the password contains security vulnerabilities hence requiring to use another password instead.
Operating System - Ubuntu 20.04
Java Version - 1.8
Identity Server Versions - IS-5.11.0