OpenIDM: Implementing a custom password policy

OpenIDM 3.1 comes with several password policies enabled by default.  There are often times when you will need to implement additional policies or even modify or extend existing policies.  This is a quick guide that will walk you through the basics of implementing your own password policies.

Let’s talk a little bit about what’s there by default.

Policies are enabled in the openidm/conf/policy.json file.  This file is organized by resources (e.g. managed/user, internal/user, etc).  Each resource in turn has a properties section in which policies are defined for a specific attribute (e.g. userName, password, email, etc).

Here is an example:

The policies that are referenced in policy.json are actually defined in openidm/bin/defaults/script/policy.js.

policy.js looks something like this. Each policy has a definition (the entry in the "policies" list, whose policyId is what policy.json refers to) and a function (the one named by policyExec, which returns the list of failed requirements, or an empty list when the value passes):

    "policies" : [
        {   "policyId" : "required",
            "policyExec" : "required",
            "clientValidation": true,
            "policyRequirements" : ["REQUIRED"]
        },

    policyFunctions.required = function(fullObject, value, params, propName) {
        if (value === undefined) {
            return [ { "policyRequirement" : "REQUIRED" } ];
        }
        return [];
    };

I wouldn’t make changes directly to policy.js, as those changes could get overwritten by an update from ForgeRock.

So, now to implement your own policies … let’s add in a policy that will enforce a maximum length for passwords.

  • First make a copy of the policy.js file, rename it and save it to: /openidm/script/custom-name-policy.js
  • Remove from the new file all of the policies that you don’t need
  • Add in your new custom policy

At the top of the file add in:

    var policy1 = {
        "policyId" : "maximum-length",
        "policyExec" : "maxLength",
        "clientValidation" : true,
        "validateOnlyIfPresent" : true,
        "policyRequirements" : ["MAX_LENGTH"]
    };

    addPolicy(policy1);

    // Called by the policy service with the whole object being saved, the
    // value of the property under test, the "params" from policy.json and
    // the property name.
    function maxLength(fullObject, value, params, property) {
        var max = params.maxLength;
        var val = "";

        if (value != null) {
            val = value;
        }

        // Report the requirement key declared in policyRequirements and echo
        // the params back, so the UI can build the message from them.
        if (val.length > max) {
            return [ { "policyRequirement" : "MAX_LENGTH", "params" : { "maxLength" : max } } ];
        }
        return [];
    }

This is a simple function that checks that the password is no longer than the maxLength parameter. One caveat before you copy it: a maximum-length policy is normally there to match the limit of some downstream system that the password is provisioned to. For passwords that OpenIDM itself stores, a low cap such as 16 characters only weakens long passphrases; current guidance (NIST SP 800-63B) is to allow at least 64 characters.

Great, so how do we enable that (and where do we set that maxLength parameter)?

Let’s go back and modify the policy.json file.  Near the top of the file there is a parameter called “additionalFiles”.  Add the path and name of your custom file to that parameter.

    "additionalFiles" : [
        "script/custom-name-policy.js"
    ],

Next, find the password policy section in policy.json. Under the “managed/user” resource it looks like this:

    "name" : "password",
    "policies" : [
        {
            "policyId" : "notNull"
        },
        {
            "policyId" : "atLeastXCapLetters",
            "params" : {
                "numCaps" : 1
            }
        },

Now add in a reference to the new policy that was created in the custom-name-policy.js file, using its policyId. The params object is what arrives as the params argument of the policy function, so this is where maxLength is set. policy.json would now look like this:

    "name" : "password",
    "policies" : [
        {
            "policyId" : "notNull"
        },
        {
            "policyId" : "atLeastXCapLetters",
            "params" : {
                "numCaps" : 1
            }
        },
        {
            "policyId" : "maximum-length",
            "params" : {
                "maxLength" : 16
            }
        },

Save this file and restart OpenIDM.  Your new policy should now be enabled, and when setting a password on a managed/user object (i.e. a user) you will get a policy validation error if the password is longer than 16 characters.
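Before restarting OpenIDM every time you tweak a policy, it helps to exercise the policy function outside the server. The following is an added example written for this post (it is not OpenIDM’s or ForgeRock’s code): a small Node.js harness that calls policy functions with the same (fullObject, value, params, property) arguments the policy service uses and applies a policy list shaped like the one in policy.json, including the validateOnlyIfPresent behaviour. The registry, execTable and validateProperty helpers, and the second policy “no-username-in-password” with its NO_USERNAME requirement, are assumptions made for this demo; OpenIDM supplies its own addPolicy and resolves policyExec names itself. The max-length check is written defensively (it coerces non-string values and counts characters rather than UTF-16 units), which goes a little beyond the version above; note that Array.from is ES2015, so inside OpenIDM 3.1’s Rhino engine use val.length instead.

```javascript
// Added example, not code from OpenIDM or ForgeRock: a Node.js harness that
// calls custom policy functions the way the OpenIDM policy service does, so a
// policy can be tested before it goes into script/custom-name-policy.js.
// registry, execTable and validateProperty are stand-ins written for this demo;
// the policy object shape and the (fullObject, value, params, property)
// signature follow the convention shown in the post.

var registry = [];

// Stand-in for the addPolicy() that policy.js provides at load time.
function addPolicy(policy) {
    registry.push(policy);
}

// The maximum-length policy from the post, written defensively.
addPolicy({
    "policyId" : "maximum-length",
    "policyExec" : "maxLength",
    "clientValidation" : true,
    "validateOnlyIfPresent" : true,
    "policyRequirements" : ["MAX_LENGTH"]
});

function maxLength(fullObject, value, params, property) {
    var max = params.maxLength;
    // Coerce so a JSON number or null cannot throw inside the policy service.
    var val = (value === null || value === undefined) ? "" : String(value);
    // Count code points rather than UTF-16 units, so a 4-byte character counts
    // once (Array.from is ES2015; under OpenIDM 3.1's Rhino use val.length).
    if (Array.from(val).length > max) {
        return [ { "policyRequirement" : "MAX_LENGTH", "params" : { "maxLength" : max } } ];
    }
    return [];
}

// A second, hypothetical policy (id and requirement name invented here) that
// shows why fullObject is passed: reject a password containing the userName.
addPolicy({
    "policyId" : "no-username-in-password",
    "policyExec" : "noUserName",
    "clientValidation" : true,
    "validateOnlyIfPresent" : true,
    "policyRequirements" : ["NO_USERNAME"]
});

function noUserName(fullObject, value, params, property) {
    var userName = fullObject ? fullObject.userName : undefined;
    var minLen = params.minUserNameLength || 3; // very short names match anything
    if (typeof userName === "string" && userName.length >= minLen &&
            String(value).toLowerCase().indexOf(userName.toLowerCase()) !== -1) {
        return [ { "policyRequirement" : "NO_USERNAME" } ];
    }
    return [];
}

// policyExec name -> function; OpenIDM resolves these itself.
var execTable = { "maxLength" : maxLength, "noUserName" : noUserName };

// Evaluate the policies configured for one property (the "policies" list under
// that property in policy.json), honouring validateOnlyIfPresent, and return
// the failed requirements.
function validateProperty(fullObject, property, configuredPolicies) {
    var value = fullObject[property];
    var failures = [];
    configuredPolicies.forEach(function (cfg) {
        var policy = registry.filter(function (p) { return p.policyId === cfg.policyId; })[0];
        if (!policy) {
            throw new Error("unknown policyId: " + cfg.policyId);
        }
        if (policy.validateOnlyIfPresent && value === undefined) {
            return; // property absent: skipped, as in OpenIDM
        }
        execTable[policy.policyExec](fullObject, value, cfg.params || {}, property)
            .forEach(function (failure) {
                failure.policyId = policy.policyId;
                failures.push(failure);
            });
    });
    return failures;
}

// The password "policies" list as it would read in policy.json after the edit.
var passwordPolicies = [
    { "policyId" : "maximum-length", "params" : { "maxLength" : 16 } },
    { "policyId" : "no-username-in-password", "params" : {} }
];

var LOCK = "\uD83D\uDD10"; // U+1F510: two UTF-16 units, one character
var samples = [ // constructed sample users for the demo
    { userName: "bjensen", password: "Tr0ub4dor&3!" },                 // passes
    { userName: "bjensen", password: "correct-horse-battery-staple" }, // MAX_LENGTH
    { userName: "bjensen", password: "bjensen2015!" },                 // NO_USERNAME
    { userName: "bjensen", password: LOCK.repeat(16) },                // passes, 16 chars
    { userName: "bjensen" }                                            // absent: skipped
];
samples.forEach(function (user) {
    console.log(JSON.stringify(user.password), "=>",
        JSON.stringify(validateProperty(user, "password", passwordPolicies)));
});
```

Run it with node and compare the output against what you expect before touching policy.json. The order of the returned failures follows the order of the “policies” list, which is also the order OpenIDM reports them in.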

 
