Created April 8, 2015 17:53
Gist: girirajsharma/1c53979782cd31d02c04
Aim: a configurable policy that prevents a user from reusing any of their N most recent passwords.
https://issues.jboss.org/browse/KEYCLOAK-405
The proposed implementation via "createdDate": I had almost finished doing this but then it didn't look good to me.
Each time a user logs in, we would have to:
* Fetch all credential entities for the user and iterate over them to find the PASSWORD type credential, then check whether it matches the new password being set.
* If the policy is enabled, fetch all credential entities and iterate over them to find those of type PASSWORD_EXPIRED.
* Sort the fetched credentials by date, either directly in the query or in code (Collections.sort(...) etc.).
* Check whether any of the N old passwords is being reused as the new password.
* If the new password does not match any of the N old passwords, remove the most recent PASSWORD credential, change its type to PASSWORD_EXPIRED and add it back to the user's credentials; then add the new credential with type PASSWORD.
* If the number of PASSWORD_EXPIRED credentials exceeds N, perform the necessary CRUD operations to delete the surplus.
* If N is large, each user accumulates many credentials of different types, and creating, iterating over and ordering them adds complexity and hurts performance.
* Boundary cases such as large values of N, or frequent changes to the value of N, are problematic for these CRUD operations.
Alternative:
Currently we have several credential types per user, and each user has only one credential of type PASSWORD.
We can add a field oldPasswords to CredentialEntity, like:
    // the field must not be final: the JPA provider sets it when loading the entity
    @Lob
    @Column
    private String oldPasswords;

OR

    @Column(length = 1000)
    private String oldPasswords;
This string is updated on each successful password reset.
Suppose N=3
Reset 1: Password = "a" oldPasswords="a";
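Both designs above (the PASSWORD_EXPIRED credentials ordered by createdDate, and the single oldPasswords column) reduce to the same check: keep a bounded list of the last N passwords, reject a new password that matches any of them, and evict the oldest entry once the list exceeds N. The sketch writes the password itself ("a") into oldPasswords; the history must instead hold a salt and hash per entry, and the check re-hashes the candidate with each stored salt. The following is an added example of that check in plain Java, not Keycloak code: PasswordRecord, PasswordHistory, the 20,000-iteration PBKDF2 work factor and the 16-byte salt are assumptions chosen for the illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustration of an "N old passwords" policy (added example, not Keycloak code).
 * PasswordRecord and PasswordHistory are hypothetical names; every entry keeps a
 * random salt and a PBKDF2 hash of the password, never the password itself.
 */
public class PasswordHistoryExample {

    private static final int ITERATIONS = 20_000;   // assumed work factor
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** One historical password: its salt, its hash and the time it was set. */
    static final class PasswordRecord {
        final byte[] salt;
        final byte[] hash;
        final long createdDate;

        PasswordRecord(byte[] salt, byte[] hash, long createdDate) {
            this.salt = salt;
            this.hash = hash;
            this.createdDate = createdDate;
        }

        /** Re-hashes the candidate with this record's salt and compares in constant time. */
        boolean matches(char[] candidate) {
            return MessageDigest.isEqual(hash, pbkdf2(candidate, salt));
        }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** Bounded history, newest first: the current password plus up to N-1 expired ones. */
    static final class PasswordHistory {
        private final Deque<PasswordRecord> records = new ArrayDeque<>();
        private int maxSize;

        PasswordHistory(int n) {
            if (n < 1) throw new IllegalArgumentException("N must be at least 1");
            this.maxSize = n;
        }

        /** True if the candidate equals any password still held in the history. */
        boolean isReused(char[] candidate) {
            for (PasswordRecord r : records) {
                if (r.matches(candidate)) return true;
            }
            return false;
        }

        /** Rejects a reused password; otherwise stores the new one and evicts beyond N. */
        void changePassword(char[] newPassword) {
            if (isReused(newPassword)) {
                throw new IllegalArgumentException(
                        "password matches one of the last " + maxSize + " passwords");
            }
            byte[] salt = new byte[16];
            RNG.nextBytes(salt);
            records.addFirst(new PasswordRecord(salt, pbkdf2(newPassword, salt),
                    System.currentTimeMillis()));
            trim();
        }

        /** An administrator lowering N takes effect immediately; raising it fills up lazily. */
        void setMaxSize(int n) {
            if (n < 1) throw new IllegalArgumentException("N must be at least 1");
            maxSize = n;
            trim();
        }

        private void trim() {
            while (records.size() > maxSize) records.removeLast();
        }
    }

    public static void main(String[] args) {
        PasswordHistory history = new PasswordHistory(3);
        for (String p : new String[] {"a", "b", "c"}) {
            history.changePassword(p.toCharArray());
        }
        // "a" is still among the last three passwords, so the policy rejects it
        System.out.println("reuse of a rejected: " + history.isReused("a".toCharArray()));
        history.changePassword("d".toCharArray());   // evicts the oldest entry, "a"
        System.out.println("reuse of a rejected: " + history.isReused("a".toCharArray()));
    }
}
```

The Deque plays the role of either design: with the createdDate approach each record is a separate credential row and the sort by date replaces addFirst/removeLast; with the single-column approach the same records are serialized into oldPasswords. Either way the cost of the check is N hash computations per password change, which is what bounds how large N can sensibly be.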