Mar 10th, 2009, 07:06 AM
Assistance with first steps handling password policy
I apologize if this is an oft-asked question, but I have not been able to find a suitable response in the forum.
I've got a very simple demo setup for spring security in my web app, involving the use of in-memory user/password credentials.
I now need to add some more controls to the authentication process, specifically:
- Ability to integrate with 3rd party LDAP server for credentials storage
- Ability to enforce password strength policies (e.g. length, alphanumeric characters)
- Forced password expiry after a certain configured time period
- Password lockout after a number of failed attempts
At this point, being a relative newbie to Spring Security and a definite newbie to LDAP, I'm not sure what the best way to proceed with design choices is here, or what the criteria might be for choosing the best approach, e.g.:
- Push as many or all of the additional features into the LDAP authentication process (presumably by subclassing various things)
- Use LDAP for credentials storage only, and implement the other features in a bespoke fashion by using a parallel JDBC-based persistent store that contains the additional attributes (e.g. date of password expiry, number of consecutive failed logins).
Any guidance would be most gratefully accepted; any sample code even more so.
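Added example (editor's illustration, not code from the thread, from Spring Security, or from any LDAP library) of the second option the poster describes: the directory stays the only judge of the password, while strength, expiry and lockout live in a policy layer backed by a side table. The `CredentialStore` interface is a hypothetical stand-in for the LDAP bind, the `HashMap` stands in for the JDBC table, and `alice` with her password is constructed test data; the class and method names are assumptions for the sketch. It needs Java 8 or later for the lambdas.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** Policy layer in front of the credential check: strength, expiry and lockout. */
public final class PasswordPolicyGuard {

    /** Hypothetical stand-in for the LDAP bind; the real one would call the directory. */
    public interface CredentialStore {
        boolean authenticate(String username, char[] password);
    }

    /** The per-user attributes the poster proposes to keep outside LDAP (the JDBC row). */
    static final class AccountState {
        Instant passwordChangedAt;
        int consecutiveFailures;
        Instant lockedUntil;   // null while the account is not locked
    }

    public enum Result { SUCCESS, BAD_CREDENTIALS, LOCKED, PASSWORD_EXPIRED }

    private final CredentialStore directory;
    private final Map<String, AccountState> store = new HashMap<>(); // stand-in for the JDBC table
    private final int maxFailures;
    private final Duration lockoutPeriod;
    private final Duration maxPasswordAge;
    private final int minLength;

    public PasswordPolicyGuard(CredentialStore directory, int maxFailures,
                               Duration lockoutPeriod, Duration maxPasswordAge, int minLength) {
        this.directory = directory;
        this.maxFailures = maxFailures;
        this.lockoutPeriod = lockoutPeriod;
        this.maxPasswordAge = maxPasswordAge;
        this.minLength = minLength;
    }

    /** Strength policy from the post: minimum length plus at least one letter and one digit. */
    public boolean meetsStrengthPolicy(char[] password) {
        if (password.length < minLength) return false;
        boolean letter = false, digit = false;
        for (char c : password) {
            if (Character.isLetter(c)) letter = true;
            else if (Character.isDigit(c)) digit = true;
        }
        return letter && digit;
    }

    /** One login attempt; 'now' is passed in so expiry and lockout windows can be exercised. */
    public Result login(String username, char[] password, Instant now) {
        AccountState s = store.computeIfAbsent(username, u -> freshState(now));

        // 1. Lockout is checked before the directory is consulted, so a locked account
        //    cannot be brute-forced while the window is open.
        if (s.lockedUntil != null) {
            if (now.isBefore(s.lockedUntil)) return Result.LOCKED;
            s.lockedUntil = null;            // window elapsed: fresh allowance of attempts
            s.consecutiveFailures = 0;
        }

        // 2. The directory remains the only judge of the password itself.
        if (!directory.authenticate(username, password)) {
            s.consecutiveFailures++;
            if (s.consecutiveFailures >= maxFailures) {
                s.lockedUntil = now.plus(lockoutPeriod);
                return Result.LOCKED;
            }
            return Result.BAD_CREDENTIALS;
        }
        s.consecutiveFailures = 0;           // a success resets the counter

        // 3. Expiry is evaluated only after a correct password, so the user can be routed
        //    to a change-password flow instead of being told the password is wrong.
        if (Duration.between(s.passwordChangedAt, now).compareTo(maxPasswordAge) > 0) {
            return Result.PASSWORD_EXPIRED;
        }
        return Result.SUCCESS;
    }

    /** Applies the strength policy and records the change time; the secret itself would be
     *  written to the directory, only the timestamp belongs in the side table. */
    public boolean recordPasswordChange(String username, char[] newPassword, Instant now) {
        if (!meetsStrengthPolicy(newPassword)) return false;
        store.computeIfAbsent(username, u -> freshState(now)).passwordChangedAt = now;
        return true;
    }

    private static AccountState freshState(Instant now) {
        AccountState s = new AccountState();
        s.passwordChangedAt = now;   // no history yet: start the expiry clock at first sight
        return s;
    }

    public static void main(String[] args) {
        // Constructed directory with one user and one known password (test data, not real credentials).
        CredentialStore fakeLdap = (u, p) -> "alice".equals(u) && String.valueOf(p).equals("Tr0ub4dor-xyz");
        PasswordPolicyGuard guard = new PasswordPolicyGuard(fakeLdap, 3, Duration.ofMinutes(15), Duration.ofDays(90), 10);
        Instant t0 = Instant.parse("2009-03-10T07:06:00Z");

        guard.recordPasswordChange("alice", "Tr0ub4dor-xyz".toCharArray(), t0);
        System.out.println(guard.login("alice", "wrong1".toCharArray(), t0));
        System.out.println(guard.login("alice", "wrong2".toCharArray(), t0));
        System.out.println(guard.login("alice", "wrong3".toCharArray(), t0));
        System.out.println(guard.login("alice", "Tr0ub4dor-xyz".toCharArray(), t0));
        System.out.println(guard.login("alice", "Tr0ub4dor-xyz".toCharArray(), t0.plus(Duration.ofMinutes(16))));
        System.out.println(guard.login("alice", "Tr0ub4dor-xyz".toCharArray(), t0.plus(Duration.ofDays(91))));
        System.out.println(guard.meetsStrengthPolicy("tooshort1".toCharArray()));
    }
}
```

Two points a practitioner would weigh before adopting this split. First, `computeIfAbsent` deliberately records failures for usernames the directory has never heard of, so the lockout behaves the same for real and guessed accounts; the cost is that an attacker can grow the side table, so the real JDBC version needs an expiry or cap on those rows. Second, the distinct `LOCKED` and `PASSWORD_EXPIRED` results are for your own logging and for routing the user; the message shown to an unauthenticated client should stay generic, and if the directory also enforces its own lockout or ageing policy the two sets of thresholds must be aligned or one will mask the other.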