Configuring User Password Options

The user password options determine whether passwords can be remembered by the browser, whether users may change their own passwords, and whether password changes are mandatory or optional.

By default, passwords are stored in an encrypted format in the server’s private database. For information about how to change the way passwords are encrypted, see Encrypting User Passwords.

Configuring Password Memory

Most browsers have a feature to “remember passwords” that stores passwords for the user. JasperReports Server can send the property autocomplete="off" to indicate that its users’ passwords should not be stored or filled in automatically. Users must then type in their full username and password every time they log in.

As a general security policy, sensitive passwords should not be stored in browsers. Most browsers do not protect the passwords with a master password by default, which makes them vulnerable. Setting autocomplete to off helps ensure that JasperReports Server users do not store their passwords, thus avoiding this possible security risk. Actual behavior depends on the user’s browser settings and how the browser responds to the autocomplete="off" property.

Login encryption, described in Encrypting User Session Login, is not compatible with password memory in the browser. Independently of the autocomplete setting, the JavaScript that implements login encryption clears the password field before submitting the page. As a result, most browsers will not prompt to remember the password when login encryption is enabled, even if the user has password memory enabled in the browser.

When autoCompleteLoginForm is true, as in the default installation, you should ensure that all of your users have a master password in their browser.

Password Memory in the Browser

Configuration File: .../WEB-INF/jasperserver-servlet.xml

Property: autoCompleteLoginForm
Value: true (default) or false
Description: When false, the server sets autocomplete="off" on the login page and browsers will not fill in or prompt to save Jaspersoft passwords. When true, the autocomplete property is not sent at all, and browser behavior depends on user settings.

Enabling Password Expiration

If your security policies require your users to change their passwords at regular intervals, you can enable password expiration. In this case, JasperReports Server prompts users to change their passwords at the interval you specify. For example, if you set the password expiry to 90 days, the server prompts your users to change their passwords every three months. When a user’s password expires, the user cannot log in until she changes her password. The default value is 0; in this case, passwords don’t expire and users are never prompted.

When this option is enabled, the server automatically enables the Change Password option on the Login page, even if allowUserPasswordChange is set to false.

If your users are externally authenticated, for example with LDAP, do not enable this option.

Password Administration Option

Configuration File: .../WEB-INF/jasperserver-servlet.xml (controls the Login page)
Configuration File: .../WEB-INF/applicationContext-security-web.xml (controls web services)

Property: passwordExpirationInDays
Value: 0 (default) or any positive integer
Description: Set the value to a positive integer to specify the number of days after which a password expires. With the default of 0, passwords never expire.

Allowing Users to Change their Passwords

This option controls whether the Change Password link appears on the Login page, which lets users change their own passwords. By default, the option is false: an administrator must set each user’s password initially and reset any forgotten password. Enabling the password expiration option (described in the previous section) automatically enables the ability of users to change their passwords.

If your users are externally authenticated, for example with LDAP, do not enable this option.

Password Administration Option

Configuration File: .../WEB-INF/jasperserver-servlet.xml

Property: allowUserPasswordChange
Value: false (default) or true
Description: Set the value to true to enable the Change Password link. Any other value disables it.

Enforcing Password Patterns

If you allow or force users to change their passwords, you can enforce a pattern for valid passwords. Such patterns are typically used to require strong passwords, for example a minimum length and a mix of uppercase letters, lowercase letters, and digits. The default pattern accepts any password of any length, including an empty password.

If your users are externally authenticated, for example with LDAP, do not enable this option.

Password Administration Option

Configuration File: .../WEB-INF/applicationContext.xml

Property: allowedPasswordPattern
Bean: userAuthorityService
Description: A regular expression that matches valid passwords. The default pattern ^.*$ matches any password. Change the regular expression to enforce patterns such as:

- Minimum and maximum password length
- Both uppercase and lowercase characters
- At least one number or special character

Be sure that your pattern allows whitespace and international characters if needed by your users.
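The following is an added example, not code from the JasperReports Server code base: it evaluates candidate passwords against the documented default pattern ^.*$ and against a stricter pattern of the kind described above, using java.util.regex (the engine a Java server applies to such a property). The stricter pattern, the class name and the sample passwords are assumptions chosen for illustration, not Jaspersoft-supplied values.

```java
import java.util.regex.Pattern;

// Added example (not part of JasperReports Server): compares the default
// allowedPasswordPattern with a stricter, Unicode-aware alternative.
public class PasswordPatternCheck {

    // Documented default for allowedPasswordPattern: matches anything, even "".
    static final String DEFAULT_PATTERN = "^.*$";

    // Assumed stricter pattern (illustrative, not a Jaspersoft recommendation):
    //   (?=.*\p{Ll})     at least one lowercase letter (any script, so "ä" counts)
    //   (?=.*\p{Lu})     at least one uppercase letter
    //   (?=.*\p{Nd})     at least one decimal digit
    //   (?=.*\p{Punct})  at least one ASCII punctuation character
    //   .{8,64}          8 to 64 characters in total; '.' also admits spaces and
    //                    non-ASCII letters, so international users are not locked out
    static final String STRONG_PATTERN =
        "^(?=.*\\p{Ll})(?=.*\\p{Lu})(?=.*\\p{Nd})(?=.*\\p{Punct}).{8,64}$";

    // matches() requires the entire input to match, which together with the
    // explicit ^ and $ anchors rules out partial matches.
    static boolean accepts(String pattern, String password) {
        return Pattern.compile(pattern).matcher(password).matches();
    }

    public static void main(String[] args) {
        // Constructed sample passwords; \u00e4 and \u00f6 are "ä" and "ö".
        String[] candidates = {
            "",                        // empty: default accepts, strong rejects
            "password",                // lowercase only
            "Passw0rd",                // no punctuation
            "P\u00e4ssw\u00f6rt 2024!", // umlauts and a space: strong accepts
            "Tr0ub4dor&3"              // mixed case, digit, punctuation
        };
        for (String pw : candidates) {
            System.out.printf("%-20s default=%-5b strong=%b%n",
                "\"" + pw + "\"",
                accepts(DEFAULT_PATTERN, pw),
                accepts(STRONG_PATTERN, pw));
        }
    }
}
```

Running it shows the default pattern accepting every candidate, including the empty string, while the stricter pattern accepts only the last two.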

When you enforce a password pattern, you should set the following message to inform users why their password was rejected. Be sure to set the message in all locales that you use.

Password Administration Option

Configuration File: .../WEB-INF/bundles/jsexceptions_messages[_locale].properties

Property: exception.remote.weak.password
Description: Message displayed to users when password pattern matching fails.
