framework/security/config/security.properties
###############################################################################
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
###############################################################################
####
# OFBiz Security Settings
####
# -- define the password restrictions --
password.length.min=5
password.length.max=1024
### -- pattern based password OFBIZ-4958
security.login.password.pattern.enable=true
security.login.password.pattern=^.*(?=.{5,}).*$
# This is a mix to handle the localisation of the OOTB pattern which is only a fixed length
security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
# -- For More restrictive pattern you can use the following, no localisation-
#security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
# Only contains alphanumeric and the following special characters: !@#$%^&*
# Contains at least 1 of the special characters in the list above
# The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
# minimum length 5 digit.
# HELP
# Start of group
# (
# (?=.*\d) # must contains one digit from 0-9
# (?=.*[a-z]) # must contains one lowercase characters
# (?=.*[A-Z]) # must contains one uppercase characters
# (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*"
# . # match anything with previous condition checking
# {5,20} # length at least 5 characters and maximum of 20
# {5,} # minimum length 5 chars and no linitation to max length.
# )
# End of group
# For further password patterns look at
# http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum
# -- disable the account after this many logins --
max.failed.logins=3
# -- number of password change to be saved in UserLoginPasswordHistory.
# -- passwords saved in history of userLoginId will not be allowed to be reused.
# -- 0 to not save history at all
password.change.history.limit=0
# Security Policy : Force user to reset login password in fix number of days -
# To enable this functionality <password.change.history.limit> need to be a non zero number. And <user.auto.change.password.enable> need to set as true.
user.auto.change.password.enable=false
user.change.password.days=90
user.change.password.notification.days=5
# -- disable the account for this many minutes (if 0, then indefinite) --
login.disable.minutes=5
# -- disable global logout --
login.disable.global.logout=false
# -- store a record for each login attempt? --
store.login.history=true
store.login.history.on.service.auth=false
store.login.history.incorrect.password=true
# SCIPIO: IMPORTANT: 2020-12-02: Defines the mode the password is recovered:
# * password (default): legacy mode where password is send in plain text
# * verifyHash: no password send but instead a hash is passed to the email so it can be appended to the link used to resend the password
password.email.recovery.mode=verifyHash
# -- should we encrypt (SHA Hash) the password? --
password.encrypt=true
# -- set requirePasswordChange to true, after emailPassword --
password.email_password.require_password_change=true
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
# -- options may include: SHA, PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA384, PBKDF2WithHmacSHA512 and etc
# SCIPIO: IMPORTANT: 2018-09-27: PBKDF2* require a long hash size, which may be greater than your current database field size limits.
# In the entity model, UserLogin.currentPassword and UserLoginPasswordHistory.currentPassword
# have been increased (in master, 2018-09-27) from "short-varchar" (VARCHAR(60)) to "long-varchar" (VARCHAR(255)) to support this;
# HOWEVER, pre-existing database columns are not automatically upgraded to the higher
# size by the entitymodel field type change alone. To enable higher hash size support in pre-existing databases,
# you may need to run ALTER TABLE SQL or an upgrade service. Visit https://forum.scipioerp.com/ for more information.
password.encrypt.hash.type=SHA
# -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512
# -- the type of hash to use for one-way encryption needs iteration
password.encrypt.pbkdf2.iterations=10000
# -- this is helpful to recover old accounts or to be able to login at all sometimes --
# -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --
password.accept.encrypted.and.plain=false
# -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
username.lowercase=false
password.lowercase=false
# -- Use LDAP for user authentication? --
security.ldap.enable=false
# -- Fail login if LDAP authentication fails? --
security.ldap.fail.login=false
# -- should we allow x509 certificate login
security.login.cert.allow=true
# -- HTTP header based ID (for integrations; uncomment to enable)
#security.login.http.header=REMOTE_USER
# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
# Use for external authentication solutions like CAS which overload the getRemoteUser method.
#security.login.http.servlet.remoteuserlogin.allow=true
# -- pattern for the userlogin id in CN section of certificate
security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
# -- Hours after which EmailAdressVerification should expire
email_verification.expire.hours=48
# -- Name of the protect-view preprocessor method (this should not change, but in case...)
protect-view.preprocessor=java.org.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView
# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
#default.error.response.view=none:
default.error.response.view=view:viewBlocked
# If false, then no externalLoginKey parameters will be added to cross-webapp urls
security.login.externalLoginKey.enabled=true
# -- use Tomcat SingleSignOn valve
security.login.tomcat.sso=false
# SCIPIO: Configurable log level for the "Request login caused an error with the following message:" error (error, warning, info)
# NOTE: 2019-04-12: The default has been changed in Scipio from ERROR to WARNING, because it's part of normal behavior and floods error.log.
security.login.fail.log.level=warning
autoUserLogin.enabled=true
autoUserLogin.authToken.length=64
# SCIPIO: Auto-login auth token expire time, in seconds (default: 60*60*24*7)
autoUserLogin.authToken.expireTime=
autoUserLogin.cookie.name=${appName}.autoUserLoginId
# SCIPIO: Auto-login cookie name and max age, in seconds (default: 60*60*24*30)
autoUserLogin.cookie.maxAge=
# SCIPIO: Backend ext login user name cookie and max age (default: 60*60*24*365 = 31536000 sec)
security.userName.cookie.name=Scipio.Username
security.userName.cookie.maxAge=