    This documentation is an older version of the JasperReports Server Security Guide.

    The user password options determine whether passwords can be remembered by the browser, whether users can change their own passwords, and whether password changes are mandatory or optional.

    Note: By default, passwords are stored in an encrypted format in the server's private database. For information about changing the way passwords are encrypted, see Encrypting User Passwords.

    Configuring Password Memory

    As a general security policy, sensitive passwords should not be stored in browsers. Many browsers have a "remember passwords" feature that stores a user's passwords, and most of them do not protect the stored passwords with a master password by default. JasperReports Server can set the autocomplete="off" attribute on the login form to indicate that its users' passwords should not be stored or filled in automatically. This helps to ensure that your users don't store their passwords. Actual behavior depends on the browser and its settings: current browsers treat autocomplete="off" on password fields as a hint rather than a rule and most still offer to save the password, so treat this setting as a courtesy to careful users, not as an enforced control.

    Login encryption described in Encrypting User Session Login is not compatible with password memory in the browser. Independent of the autocomplete setting, the JavaScript that implements the login encryption clears the password field before submitting the page. As a result, most browsers will not prompt to remember the password when login encryption is enabled, even if the user has password memory enabled in the browser.

    Warning: When autoCompleteLoginForm is true, as in the default installation, you should ensure that all of your users have set a master password in their browser.

    Password Memory in the Browser

    Configuration File: .../WEB-INF/jasperserver-servlet.xml
    Property:           autoCompleteLoginForm
    Values:             true (default), false
    Description:        When false, the server sets autocomplete="off" on the login form; browsers that honor the attribute will not fill in or offer to save Jaspersoft passwords. When true, the attribute is not sent at all, and browser behavior depends entirely on the user's settings.

    Enabling Password Expiration

    If your security policies require users to change their passwords at regular intervals, you can enable password expiration. This way JasperReports Server prompts users to change their passwords at your set interval. Users with expired passwords can't log in without changing their passwords. This option is disabled by default, meaning passwords don’t expire and users are never prompted.

    When you enable this option, the server automatically enables the Change Password link on the Login page, even if allowUserPasswordChange is set to false.

    Warning: If your users are externally authenticated, for example with LDAP, do not enable this option.

    Password Administration Option

    Configuration File: .../WEB-INF/jasperserver-servlet.xml (controls the Login page)
                        .../WEB-INF/applicationContext-security-web.xml (controls web services)
    Property:           passwordExpirationInDays
    Values:             0 (default), or a positive integer
    Description:        Set the value to a positive, non-zero integer to specify the number of days after which a password expires. The value 0 disables expiration. Set the same value in both files so that the Login page and the web services enforce the same interval.

    Allowing Users to Change their Passwords

    This configuration enables the Change Password link on the Login page. By default, this option is turned off, and an administrator must define user passwords initially or reset a forgotten password. Enabling the password expiration option (described in the previous section) automatically enables users to change their passwords.

    Warning: If your users are externally authenticated, for example with LDAP, do not enable this option.

    Password Administration Option

    Configuration File: .../WEB-INF/jasperserver-servlet.xml
    Property:           allowUserPasswordChange
    Values:             false (default), true
    Description:        Set the value to true to enable the Change Password link. Any other value disables it.
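    The following Python script is an added example; it is not code from the Jaspersoft documentation or from the product. It reads the three jasperserver-servlet.xml options described above (autoCompleteLoginForm, passwordExpirationInDays, allowUserPasswordChange) out of a sample configuration file and reports which settings depart from a hardening baseline, including the interaction where enabling expiration turns on the Change Password link regardless of allowUserPasswordChange. Only the property names come from this guide; the Spring <bean> element, its id and its class that wrap the properties in the constructed sample files are assumptions made so the samples parse as Spring XML.

```python
"""Audit the user password options in jasperserver-servlet.xml.

Added example; not part of the Jaspersoft documentation or product. The
property names are the documented ones; the <bean> wrapper, its id and
class in the sample files below are assumptions so the samples parse as
Spring XML.
"""
import xml.etree.ElementTree as ET

PASSWORD_OPTIONS = ("autoCompleteLoginForm", "passwordExpirationInDays",
                    "allowUserPasswordChange")

# Constructed sample: the documented defaults (assumed bean wrapper).
DEFAULT_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="loginController" class="example.LoginController">
    <property name="autoCompleteLoginForm" value="true"/>
    <property name="passwordExpirationInDays" value="0"/>
    <property name="allowUserPasswordChange" value="false"/>
  </bean>
</beans>
"""

# Constructed sample: the same options hardened for internally authenticated users.
HARDENED_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="loginController" class="example.LoginController">
    <property name="autoCompleteLoginForm" value="false"/>
    <property name="passwordExpirationInDays" value="90"/>
    <property name="allowUserPasswordChange" value="true"/>
  </bean>
</beans>
"""


def _local_name(tag):
    """Strip the Spring beans namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def read_password_options(xml_text):
    """Return {name: value} for every documented password option found in the file."""
    root = ET.fromstring(xml_text)
    found = {}
    for element in root.iter():
        if _local_name(element.tag) == "property" and element.get("name") in PASSWORD_OPTIONS:
            found[element.get("name")] = element.get("value", "")
    return found


def expiration_days(options):
    """passwordExpirationInDays as an int; a missing property is treated as the documented default 0."""
    return int(options.get("passwordExpirationInDays", "0"))


def change_password_link_enabled(options):
    """Enabling expiration turns the Change Password link on even when
    allowUserPasswordChange is false; otherwise only the literal 'true' enables it."""
    return expiration_days(options) > 0 or options.get("allowUserPasswordChange") == "true"


def audit(options, externally_authenticated=False):
    """Return policy findings for a parsed configuration; an empty list means it passes."""
    findings = []
    # A missing autoCompleteLoginForm is treated as the documented default, true.
    if options.get("autoCompleteLoginForm", "true") != "false":
        findings.append("autoCompleteLoginForm is not 'false': the login page will not send "
                        "autocomplete=\"off\", so browsers may offer to save passwords")
    try:
        days = expiration_days(options)
    except ValueError:
        findings.append("passwordExpirationInDays is not an integer")
        days = 0
    if externally_authenticated:
        # The guide says not to enable expiration or self-service password
        # changes for LDAP and other externally authenticated users.
        if days > 0:
            findings.append("passwordExpirationInDays is set but users are externally authenticated")
        if options.get("allowUserPasswordChange") == "true":
            findings.append("allowUserPasswordChange is true but users are externally authenticated")
    elif days <= 0:
        findings.append("passwordExpirationInDays is not positive: passwords never expire")
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        opts = read_password_options(text)
        print(label, opts, "Change Password link:", change_password_link_enabled(opts))
        for finding in audit(opts):
            print("  -", finding)
```

    Run it against the real jasperserver-servlet.xml by passing the file's contents to read_password_options(); the same reader works for the copy of passwordExpirationInDays in applicationContext-security-web.xml, which lets you confirm that the Login page and the web services carry the same expiration interval. Pass externally_authenticated=True for an LDAP deployment so that the audit flags expiration and self-service changes instead of their absence.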

    Enforcing Password Patterns

    If you allow or force users to change their passwords, you can enforce patterns for valid strong passwords by requiring a minimum length and a mix of uppercase, lowercase, and numbers. The default pattern accepts any password of any length, including an empty password.

    Warning: If your users are externally authenticated, for example with LDAP, do not enable this option.

    Password Administration Option

    Configuration File: .../WEB-INF/applicationContext.xml
    Bean:               userAuthorityService
    Property:           allowedPasswordPattern
    Description:        A regular expression that matches valid passwords. The default pattern ^.*$ matches any password, including an empty one. Change the regular expression to enforce patterns such as:

                        Minimum and maximum password length
                        Both uppercase and lowercase characters
                        At least one number or special character

    Be sure that your pattern allows whitespace and international characters if needed by your users. The server is a Java application, so the pattern uses java.util.regex syntax and is matched against the whole password; test candidate patterns with Java semantics before deploying them.
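    The following Python script is an added example, not from the Jaspersoft documentation or the product. It builds a candidate allowedPasswordPattern from a small policy (length bounds plus required character classes) and tries it, next to the documented default ^.*$, against constructed sample passwords: the empty password the default accepts, a passphrase containing whitespace, and a password with international characters, the two cases the description above says the pattern must allow. It assumes only that the server matches the pattern against the whole password with Java's regular-expression engine, and it restricts itself to regex syntax (anchors, lookaheads, explicit ASCII classes, bounded repetition) that Java and Python interpret identically, so re.fullmatch() reproduces Java's String.matches() verdict for these patterns.

```python
"""Evaluate candidate allowedPasswordPattern values before deploying them.

Added example; not part of the Jaspersoft documentation or product. The
patterns use only syntax that Java and Python read the same way, so the
verdicts here match what the server's Java regex engine would give.
"""
import re

DEFAULT_PATTERN = r"^.*$"  # documented default: matches anything, including ""


def build_pattern(min_len=12, max_len=64, lower=True, upper=True, digit=True, special=True):
    """Compose a pattern: one lookahead per required character class, then a length bound.

    [0-9] and explicit letter ranges are used instead of \\d and \\w because
    Python's \\d and \\w are Unicode-aware by default while Java's are
    ASCII-only; spelling the classes out keeps the two engines in agreement.
    """
    parts = ["^"]
    if lower:
        parts.append("(?=.*[a-z])")
    if upper:
        parts.append("(?=.*[A-Z])")
    if digit:
        parts.append("(?=.*[0-9])")
    if special:
        # Anything that is not an ASCII letter or digit: punctuation, space, and
        # also accented letters such as 'ä', so international passwords are not penalised.
        parts.append("(?=.*[^A-Za-z0-9])")
    parts.append(".{%d,%d}$" % (min_len, max_len))
    return "".join(parts)


STRONG_PATTERN = build_pattern()


def password_allowed(pattern, password):
    """True when the whole password matches, as Java's String.matches() would report."""
    return re.fullmatch(pattern, password) is not None


def evaluate(pattern, candidates):
    """Map each candidate password to the pattern's verdict."""
    return {pw: password_allowed(pattern, pw) for pw in candidates}


# Constructed samples covering the cases the guide warns about.
SAMPLES = [
    "",                          # empty: accepted by the default pattern
    "password",                  # too short, no upper/digit/special
    "Tr0ub4dor&3",               # 11 characters: one short of the minimum
    "ALLUPPERCASE2024!",         # no lowercase letter
    "Correct Horse Battery 7!",  # whitespace inside a passphrase is allowed
    "Pässwörd-2024-okay",        # international characters are allowed
    "Abcdefghij1!" * 6,          # 72 characters: over the maximum
]

if __name__ == "__main__":
    for label, pattern in (("default", DEFAULT_PATTERN), ("strong", STRONG_PATTERN)):
        print(label, pattern)
        for pw, ok in evaluate(pattern, SAMPLES).items():
            print("  %-28r %s" % (pw, "accepted" if ok else "rejected"))
```

    Once a pattern passes this kind of check, paste build_pattern()'s output into the allowedPasswordPattern property and describe the same rules in the exception.remote.weak.password message so that users learn why a password was rejected. If you need Unicode letter classes rather than ASCII ranges, verify the pattern with a Java test instead, because that is where the two engines diverge.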

    When you enforce a password pattern, you should set the following message to inform users why their password was rejected. Be sure to set the message in all your locales.

    Password Administration Option

    Configuration File: .../WEB-INF/bundles/jsexceptions_messages[_locale].properties
    Property:           exception.remote.weak.password
    Description:        Message displayed to users when password pattern matching fails.
