码迷,mamicode.com
首页 > 其他好文 > 详细

EBS Custom Password Rules

时间:2016-01-05 15:05:14      阅读:1584      评论:0      收藏:0      [点我收藏+]

标签:

https://blogs.oracle.com/manojmadhusoodanan/entry/custom_password_rules

Custom Password Rules

By Manoj Madhusoodanan-Oracle on Apr 30, 2012

Every organization has certain policies in the login credentials.Oracle Applications has a flexibility to implement custom password rules based on customer requirement.Here i will demonstrate the usage with a specific example.

My customer XXCUST wants to implement following rules in the credentials.

1) Password should not be same as user name.
2) Password should not contain the word XXCUST
3) Password should not contain two consecutive characters (eg: 112ora,Password)
4) Password should be minimum of 7 characters
5) Password should contain atleast 3 of the following 4 cases
    a) Upper case letters (e.g., A, B, C,.....Z)
    b) Lower case letters (e.g., a, b, c,....z
    c) Numbers (e.g., 1, 1, 2,....9)
    d) Special characters (e.g., ?, !, %, $, #, etc.)

Implementation Steps

1) Create a custom java file in the directory oracle.apps.fnd.security under $JAVA_TOP.This class should implement standard class PasswordValidation.For Eg: XXCustPasswordRules

2) Generate XXCustPasswordRules.class in oracle.apps.fnd.security directory

3) Run the following command to upload XXCustPasswordRules.class into database

loadjava -user apps/apps -verbose -resolve -force XXCustPasswordRules.java

4) Verify weather the java class has loaded successfully using below query.

SELECT dbms_java.longname(object_name), status 
FROM user_objects
WHERE object_type = ‘JAVA CLASS‘ 
AND dbms_java.longname(object_name) LIKE ‘%XXCustPasswordRules‘;

5) Update the profile Signon Password Custom with oracle.apps.fnd.security.XXCustPasswordRules in Site level

技术分享

 

6) Make sure profile Signon Password Hard To Guess value is NULL

7) Update the profile Signon Password Length value to 7 in site level

Result

Given new password as XXCUST123

技术分享

Given new password as Cust

技术分享

 

Given new password as Password

技术分享

Given new password as welcome123

技术分享

 

Given new password as Welcome123

技术分享

 Finally password has successfully updated.

 Following is the sample XXCustPasswordRules.java file.

package oracle.apps.fnd.security;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import oracle.apps.fnd.common.VersionInfo;

// Referenced classes of package oracle.apps.fnd.security:
// PasswordValidation

public class XXCustPasswordRules
implements PasswordValidation
{

    public String getErrorStackApplicationName()
    {
        return "XXCUST";
    }

    public String getErrorStackMessageName()
    {
        return m_errorStackMessageName;
    }

    public boolean validate(String username, String password)
    {
        /* Validates username = password */
        if(validateNoUsername(username, password))
        {
            m_errorStackMessageName = "XXCUST_USR_PWD_SAME";
            return false;
        }

        /* Check for repeated characters */
        if(!validateNoRepeats(password.toLowerCase()))
        {
            m_errorStackMessageName = "XXCUST_REPEAT_CHAR";
            return false;
        }
        /* Checks password contains XXCUST  */
        if (validatePasswordNotContainsPattern(password,"XXCUST"))
        {
            m_errorStackMessageName = "XXCUST_INVALID_WORD";
            return false;
        }
        /* Checks following rules
        1) Contains A-Z
        2) Contains a-z
        3) Contains 0-9
        4) Contains ?!%$#

        5) Should satisfy above 3 rules */

        if (!validatePassword(password))
        {
            m_errorStackMessageName = "XXCUST_PWD_RULE_CLASSES";
        return false;
        }

        return true;
    }

    /* Checks for a pattern match */
    private boolean hasPattern(String p_password,String p_pattern)
    {
        Pattern p = Pattern.compile(p_pattern);
        Matcher m = p.matcher(p_password);
        if (m.find())
            return true;
        else
            return false;
    }

    /* Implements following rules
    1) Contains A-Z
    2) Contains a-z
    3) Contains 0-9
    4) Contains ?!%$#
    */

    private boolean validatePassword(String password)
    {
        int count=0;
        if (hasPattern(password,"[A-Z]"))
            count++;
        if (hasPattern(password,"[a-z]"))
            count++;
        if (hasPattern(password,"[0-9]"))
            count++;
        if (hasPattern(password,"[?!%$#]"))
            count++;
        if (count<3)
            return false;
        else
            return true;
    }

    /* Validates password does not contain pattern  */
    private boolean validatePasswordNotContainsPattern(String password,String pattern)
    {
        if (password.toLowerCase().contains(pattern.toLowerCase()))
            return true;
        else
            return false;
    }


    /* Validate username = password */
    private boolean validateNoUsername(String p_username, String p_password)
    {
         if (p_username.toLowerCase().equals(p_password.toLowerCase()))
             return true;
         else
             return false;
    }

    boolean validateNoRepeats(String p_password)
    {
        for(int i = 1; i < p_password.length(); i++)
            if(p_password.charAt(i) == p_password.charAt(i - 1))
                return false;

        return true;
    }

    private String m_errorStackMessageName;

}

XXCUST_USR_PWD_SAME,
XXCUST_REPEAT_CHAR,
XXCUST_INVALID_WORD,
XXCUST_PWD_RULE_CLASSES are foundation messages of error category.

Note: Inorder to reflect any modification in the messages kindly update the message file using FNDMDGEN andbounce the Apatche server. 

 

 

 

Oracle EBS password security measure

 
-->
Password Related Profile Options in APPS:
 
 
 
 
 
 
 
-->
 
 
Signon Password Case :-
This profile option is used to force case sensitivity in user passwords. This option allows for tighter security, as well as for better integration with Oracle Internet Directory, because it also allows case sensitive passwords. Setting this profile on an existing system has no affect on existing passwords already stored in the system. The case sensitivity will start to take affect the next time a password value is changed – it is then that the rule is applied.

Signon Password Custom:-

This profile option is used if you want to define your own password scheme (validated by custom Java code) in a custom Java class. This would be used if you have a more advanced and complex password value requirement that is not supported by the site profiles described in this paper. For example, your password policy could state that the password value must have a numeric value, an uppercase value, and a special character. If this were the case, you would not be able to enforce that password policy with the existing Oracle E-Business Suite profiles, so you would need to create a custom password java class and set the profile value to that class name for Signon Password Custom.

Signon Password Failure Limit:-
By default, there is no account lockout after a failed number of login attempts. This is just asking to be hacked! This is recommended setting a failure limit using the Signon Password Failure Limit profile option. Prior to release 11.5.10,  you needed to implement an alert (periodic), custom workflow or report to notify security administrators; now the system ‘locks’ the account. Both the FND_UNSUCCESSFUL_LOGINS and ICX.ICX_FAILURES tables capture failed login attempts from the Personal Home Page (Self Service/Web Interface), but failed Forms sessions are only logged to FND_UNSUCCESSFUL_LOGINS.
Signon Password Hard to Guess - 

The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:
This profile option is used to force case sensitivity in user passwords. This option allows for tighter security, as well as for better integration with Oracle Internet Directory, because it also allows case sensitive passwords. Setting this profile on an existing system has no affect on existing passwords already stored in the system. The case sensitivity will start to take affect the next time a password value is changed – it is then that the rule is applied.
Signon Password Custom:-

This profile option is used if you want to define your own password scheme (validated by custom Java code) in a custom Java class. This would be used if you have a more advanced and complex password value requirement that is not supported by the site profiles described in this paper. For example, your password policy could state that the password value must have a numeric value, an uppercase value, and a special character. If this were the case, you would not be able to enforce that password policy with the existing Oracle E-Business Suite profiles, so you would need to create a custom password java class and set the profile value to that class name for Signon Password Custom.

Signon Password Failure Limit:-
By default, there is no account lockout after a failed number of login attempts. This is just asking to be hacked! This is recommended setting a failure limit using the Signon Password Failure Limit profile option. Prior to release 11.5.10,  you needed to implement an alert (periodic), custom workflow or report to notify security administrators; now the system ‘locks’ the account. Both the FND_UNSUCCESSFUL_LOGINS and ICX.ICX_FAILURES tables capture failed login attempts from the Personal Home Page (Self Service/Web Interface), but failed Forms sessions are only logged to FND_UNSUCCESSFUL_LOGINS.
Signon Password Hard to Guess - 

The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:
Signon Password Custom:-
This profile option is used if you want to define your own password scheme (validated by custom Java code) in a custom Java class. This would be used if you have a more advanced and complex password value requirement that is not supported by the site profiles described in this paper. For example, your password policy could state that the password value must have a numeric value, an uppercase value, and a special character. If this were the case, you would not be able to enforce that password policy with the existing Oracle E-Business Suite profiles, so you would need to create a custom password java class and set the profile value to that class name for Signon Password Custom.

Signon Password Failure Limit:-
By default, there is no account lockout after a failed number of login attempts. This is just asking to be hacked! This is recommended setting a failure limit using the Signon Password Failure Limit profile option. Prior to release 11.5.10,  you needed to implement an alert (periodic), custom workflow or report to notify security administrators; now the system ‘locks’ the account. Both the FND_UNSUCCESSFUL_LOGINS and ICX.ICX_FAILURES tables capture failed login attempts from the Personal Home Page (Self Service/Web Interface), but failed Forms sessions are only logged to FND_UNSUCCESSFUL_LOGINS.
Signon Password Hard to Guess - 

The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:
This profile option is used if you want to define your own password scheme (validated by custom Java code) in a custom Java class. This would be used if you have a more advanced and complex password value requirement that is not supported by the site profiles described in this paper. For example, your password policy could state that the password value must have a numeric value, an uppercase value, and a special character. If this were the case, you would not be able to enforce that password policy with the existing Oracle E-Business Suite profiles, so you would need to create a custom password java class and set the profile value to that class name for Signon Password Custom.
Signon Password Failure Limit:-
By default, there is no account lockout after a failed number of login attempts. This is just asking to be hacked! This is recommended setting a failure limit using the Signon Password Failure Limit profile option. Prior to release 11.5.10,  you needed to implement an alert (periodic), custom workflow or report to notify security administrators; now the system ‘locks’ the account. Both the FND_UNSUCCESSFUL_LOGINS and ICX.ICX_FAILURES tables capture failed login attempts from the Personal Home Page (Self Service/Web Interface), but failed Forms sessions are only logged to FND_UNSUCCESSFUL_LOGINS.
Signon Password Hard to Guess - 

The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:
Signon Password Failure Limit:-
By default, there is no account lockout after a failed number of login attempts. This is just asking to be hacked! This is recommended setting a failure limit using the Signon Password Failure Limit profile option. Prior to release 11.5.10,  you needed to implement an alert (periodic), custom workflow or report to notify security administrators; now the system ‘locks’ the account. Both the FND_UNSUCCESSFUL_LOGINS and ICX.ICX_FAILURES tables capture failed login attempts from the Personal Home Page (Self Service/Web Interface), but failed Forms sessions are only logged to FND_UNSUCCESSFUL_LOGINS.
Signon Password Hard to Guess - 
The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:
The Signon Password Hard to Guess profile option sets internal rules for verifying passwords to ensure that they will be "hard to guess." Oracle defines a password as hard-to-guess if it follows these rules:
            o The password does not contain repeating characters.
            o The password does not contain the username.
Signon Password Length:-
Signon Password Length sets the minimum length of an Oracle Applications password value. The default length is 5 and I recommended 8.
Signon Password Length:-
Signon Password Length sets the minimum length of an Oracle Applications password value. The default length is 5 and I recommended 8.
Signon Password No Reuse :- 
This profile option is set to the number of days that must pass before a user is allowed to reuse a password.
This profile option is set to the number of days that must pass before a user is allowed to reuse a password.
To change APPS/APPLSYS password, we need to give mode as SYSTEM

 
 
 
 
 
 
 
 
 
            o The password contains at least one letter and at least one number
 
 
Password change for APPS / GL / AR :- 
 
Eg: FNDCPASS apps/<OLDPWD> 0 Y system/PWD SYSTEM APPLSYS PWD
 To change product schema passwords, i.e., GL, AP, AR, etc., we need to give mode as ORACLE
Eg: FNDCPASS apps/apps 0 Y system/manager ORACLE GL GL1
 The FNDCPASS has a new mode, "ALLORACLE", in which all Oracle Application schema passwords can be changed in one call. Apply the patch (Patch No# 4745998) to have this option, if not available currently with your Apps.
Eg: FNDCPASS apps/apps 0 Y system/manager ALLORACLE WELCOME

EBS Custom Password Rules

标签:

原文地址:http://www.cnblogs.com/xiaoL/p/5102106.html
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!