###############################################################################
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
###############################################################################
####
# OFBiz Security Settings
####
# -- define the default security context to be used --
security.context=default
# -- define the password restrictions --
# -- minimum number of characters a password must have --
# NOTE(review): 5 is short by current guidance (NIST SP 800-63B asks for at least 8
# characters for user-chosen passwords); consider raising it for production sites.
password.length.min=5
# -- disable the account after this many failed logins --
# Limits online password guessing; see login.disable.minutes for how long the account stays disabled.
max.failed.logins=3
# -- number of password changes to be saved in UserLoginPasswordHistory.
# -- passwords saved in the history of a userLoginId will not be allowed to be reused.
# -- 0 to not save history at all
# NOTE(review): with 0, as set here, no history is kept, so password reuse is not prevented.
password.change.history.limit=0
# -- disable the account for this many minutes (if 0, then indefinitely) --
# NOTE(review): a short window allows guessing to resume soon after each lockout, while 0
# keeps a locked account disabled until it is re-enabled, which turns repeated failed
# logins into a denial of service for that user; choose the value with both in mind.
login.disable.minutes=5
# -- disable global logout --
# NOTE(review): what "global logout" covers is not described in this file; confirm before changing.
login.disable.global.logout=false
# -- store a record for each login attempt? --
# Login history is the audit trail used to investigate guessing attempts and account misuse.
store.login.history=true
# NOTE(review): presumably controls whether logins authenticated through service calls are
# also recorded; with false those attempts would leave no history record -- confirm.
store.login.history.on.service.auth=false
# NOTE(review): the name suggests the incorrect password that was typed is stored with the
# history record. If so, the stored values are often near-misses of real passwords, so read
# access to the login history should be restricted -- confirm against the login service.
store.login.history.incorrect.password=true
# -- should we hash the password before storing it? (this is one-way hashing, not reversible encryption) --
password.encrypt=true
# -- set requirePasswordChange to true, after emailPassword --
# Forces the user to replace a password that was sent by e-mail.
password.email_password.require_password_change=true
# -- specify the type of hash to use for one-way hashing, will be passed to java.security.MessageDigest.getInstance() --
# -- options may include: SHA, MD5, etc
# NOTE(review): for MessageDigest, "SHA" is an alias of SHA-1. SHA-1 and MD5 are fast
# general-purpose digests and give little protection against offline guessing if the
# stored hashes leak. Whether a salt is applied is not visible in this file. Prefer a
# salted, deliberately slow password hashing scheme if the installed version offers one,
# and confirm how already-stored hashes are verified before changing this value.
password.encrypt.hash.type=SHA
# -- this is helpful to recover old accounts or to be able to login at all sometimes --
# -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --
# Keep false once all stored passwords are hashed.
password.accept.encrypted.and.plain=false
# -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
# NOTE(review): lowercasing passwords removes letter case from the password space and makes
# guessing easier; keep password.lowercase=false unless a legacy integration requires it.
username.lowercase=false
password.lowercase=false
# -- Use LDAP for user authentication? --
security.ldap.enable=false
# -- Fail login if LDAP authentication fails? --
# NOTE(review): with false, a failed LDAP check presumably falls through to another login
# path instead of rejecting the login; if LDAP is meant to be authoritative, review this
# together with security.ldap.enable -- confirm against the login code.
security.ldap.fail.login=false
# -- should we allow x509 certificate login
# NOTE(review): enabled here. Which issuing CAs are trusted is not configured in this file;
# confirm which client certificates the servlet container accepts before relying on this.
security.login.cert.allow=true
# -- HTTP header based ID (for integrations; uncomment to enable)
# NOTE(review): a request header is client-controlled unless a trusted front end sets it.
# Enable only when every request passes through a proxy that overwrites or strips this
# header and the application cannot be reached directly.
#security.login.http.header=REMOTE_USER
# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
# Use for external authentication solutions like CAS which overload the getRemoteUser method.
# NOTE(review): this trusts whatever getRemoteUser() returns; enable only when the container
# or filter that sets it performs the authentication.
#security.login.http.servlet.remoteuserlogin.allow=true
# -- pattern for the userlogin id in CN section of certificate
# The doubled backslashes are properties-file escaping; the effective regex is ^(\w*\s?\w*)\W*.*$
# NOTE(review): group 1 may match an empty string and the trailing .* accepts any remainder,
# so every CN matches; presumably group 1 (the first one or two words of the CN) becomes the
# userLoginId -- confirm, and make sure the issuing CA controls what may appear in the CN.
security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
# -- Hours after which EmailAddressVerification should expire
# A shorter lifetime narrows the window in which a leaked verification link can be used.
email_verification.expire.hours=48
# -- Name of the protect-view preprocessor method (this should not change, but in case...)
protect-view.preprocessor=java.org.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView
# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
# The commented-out line below is the blank-page alternative; the active setting renders the viewBlocked view.
#default.error.response.view=none:
default.error.response.view=view:viewBlocked