001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020 021package org.apache.directory.server.core.api.authn.ppolicy; 022 023import org.apache.directory.api.ldap.model.entry.Entry; 024 025 026/** 027 * The default password validator. 028 * 029 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> 030 */ 031public class DefaultPasswordValidator implements PasswordValidator 032{ 033 034 /** the default validator's instance */ 035 public static final DefaultPasswordValidator INSTANCE = new DefaultPasswordValidator(); 036 037 038 /** 039 * Creates a new instance of DefaultPasswordValidator. 040 */ 041 public DefaultPasswordValidator() 042 { 043 } 044 045 046 /** 047 * {@inheritDoc} 048 */ 049 public void validate( String password, Entry entry ) throws PasswordPolicyException 050 { 051 checkUsernameSubstring( password, entry ); 052 //TODO add more checks 053 } 054 055 056 /** 057 * The password does not contain three letter (or more) tokens from the user's account name. 058 * 059 * If the account name is less than three characters long, this check is not performed 060 * because the rate at which passwords would be rejected is too high. For each token that is 061 * three or more characters long, that token is searched for in the password; if it is present, 062 * the password change is rejected. For example, the name "First M. Last" would be split into 063 * three tokens: "First", "M", and "Last". Because the second token is only one character long, 064 * it would be ignored. Therefore, this user could not have a password that included either 065 * "first" or "last" as a substring anywhere in the password. All of these checks are 066 * case-insensitive. 067 */ 068 private void checkUsernameSubstring( String password, Entry entry ) throws PasswordPolicyException 069 { 070 String username = entry.getDn().getRdn().getValue(); 071 072 if ( username == null || username.trim().length() == 0 ) 073 { 074 return; 075 } 076 077 String[] tokens = username.split( "[^a-zA-Z]" ); 078 079 for ( String token : tokens ) 080 { 081 if ( ( token == null ) || ( token.length() < 4 ) ) 082 { 083 // Two short : continue with the next token 084 continue; 085 } 086 087 if ( password.matches( "(?i).*" + token + ".*" ) ) 088 { 089 throw new PasswordPolicyException( "Password shouldn't contain parts of the username", 5 ); // 5 == PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY 090 } 091 } 092 } 093}