Skip to first unread message
Song Younghwan
Aug 28, 2013, 1:49:35 PM8/28/13
to scmma...@googlegroups.com
I'm currently working to introduce SCM-Manager into my company, to use it officially.
The company network is completely isolated from the internet, so working with using maven has been far from an easy task.
The security dept. of my company request to modify SCM-Manager to align with the company security policy such as..
- A program should validate(enforce) a user account password as minimum 9 chars and least 1 char of alphabets, digits and special characters, and ...
- A program should block authentication(login) from illegal users who attempts to login several times and continuously failed.
So I first tried to create a plugin to do those, but cannot found a way to do in my limited knowledge.
(I was a stranger to Google Guice, ExtJS and JAX-RS. By reading source code of SCM-Manager, I learned many things new to me.)
At last, I directly modified scm-webapp java & javascript files to implements the requirements.
'No internet' was the worst thing. But not only that, my development and runtime environment was quite bad.
Windows XP - some unit tests of scm-manager failed so I skipped unit tests.
IBM AIX - no oracle JDK, no AES/CTR/PKCS5Padding, So I created another main class wrapping ScmServerDaemon to dynamically register Sun JCE provider to IBM JDK...
* Bouncy castle JCE provider has seemed to work first, but start from the second run, it has complained about pad block corruption (BadPaddingException), terminated the server.
Good experiences I think.
But it's impossible to modify all future releases of SCM-Manager.
I should leave this company when the last day of this year passed.
Currently no one in the company would courageously attempt to modify it.
The plugin system would be my best bet to minimize the risk.
Is it possible to create plugins for custom password validation or login-lock? How to do it?
Thank you. I like your great tool.
The company network is completely isolated from the internet, so working with using maven has been far from an easy task.
The security dept. of my company request to modify SCM-Manager to align with the company security policy such as..
- A program should validate(enforce) a user account password as minimum 9 chars and least 1 char of alphabets, digits and special characters, and ...
- A program should block authentication(login) from illegal users who attempts to login several times and continuously failed.
So I first tried to create a plugin to do those, but cannot found a way to do in my limited knowledge.
(I was a stranger to Google Guice, ExtJS and JAX-RS. By reading source code of SCM-Manager, I learned many things new to me.)
At last, I directly modified scm-webapp java & javascript files to implements the requirements.
'No internet' was the worst thing. But not only that, my development and runtime environment was quite bad.
Windows XP - some unit tests of scm-manager failed so I skipped unit tests.
IBM AIX - no oracle JDK, no AES/CTR/PKCS5Padding, So I created another main class wrapping ScmServerDaemon to dynamically register Sun JCE provider to IBM JDK...
* Bouncy castle JCE provider has seemed to work first, but start from the second run, it has complained about pad block corruption (BadPaddingException), terminated the server.
Good experiences I think.
But it's impossible to modify all future releases of SCM-Manager.
I should leave this company when the last day of this year passed.
Currently no one in the company would courageously attempt to modify it.
The plugin system would be my best bet to minimize the risk.
Is it possible to create plugins for custom password validation or login-lock? How to do it?
Thank you. I like your great tool.
Sebastian Sdorra
Aug 29, 2013, 9:53:21 AM8/29/13
to scmma...@googlegroups.com
Hi,
It is possible to create a plugin for password validation and login-lock, but it is very difficult to implement this with the current plugin mechanism. I think it is a better way to add this features as optional feature (configureable) feature to the official core of scm-manager, then you don't have to worry problems in feature releases. I will try to implement the password policy and the login-lock feature for the version 1.34 (currently the next version). I will try to make the features configureable and extendable by other plugins. It is possible that you send me a patch, with the work you have done for those features?
Sebastian
--
You received this message because you are subscribed to the Google Groups "scmmanager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to scmmanager+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
SONG Younghwan
Aug 31, 2013, 1:26:48 AM8/31/13
to scmma...@googlegroups.com
Yes, I'll send a patch of the changes on Monday (UTC+09:00).
Thank you.
--
You received this message because you are subscribed to a topic in the Google Groups "scmmanager" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/scmmanager/RzgFGs0eO1I/unsubscribe.
To unsubscribe from this group and all its topics, send an email to scmmanager+...@googlegroups.com.
Lukas Eichner
Sep 16, 2016, 8:21:35 AM9/16/16
to scmmanager
Hi
is there already a solution to change the password policies?
The default policies are too strictly and we want to lower them. (we want to use passwords with 4 characters)
Thank You!
Sebastian Sdorra
Oct 18, 2016, 3:33:45 PM10/18/16
to scmma...@googlegroups.com
Sorry, but their is no way at the moment. Please open a feature request at https://bitbucket.org/sdorra/scm-manager/issues
Sebastian
--
You received this message because you are subscribed to the Google Groups "scmmanager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to scmmanager+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Lukas Eichner
Oct 18, 2016, 4:43:56 PM10/18/16
to scmmanager
We bypassed the policies using the api (if you change the pw through the rest api the policies dont get checked)
Like this we were able to create some certain users, that needed a very short password ^^ this is enough for us
Like this we were able to create some certain users, that needed a very short password ^^ this is enough for us
Reply all
Reply to author
Forward
0 new messages