Authentication policies

An authentication policy is a set of rules that are applied to the authentication process and to the verification of authentication data by WebSphere Commerce. WebSphere Commerce supports account policies and other authentication-related policies, as described in the following subsections.

Account policies

An account policy defines the account-related policies, such as the password and account lockout policies. For information about creating account policies, see Setting up an account policy.

Account lockout policy

An account lockout policy disables a user account when repeated invalid logon attempts are made against it, reducing the chance that those attempts compromise the account. An account lockout policy enforces the following items:

  • The account lockout threshold. This is the number of invalid logon attempts before the account is disabled.

  • Consecutive unsuccessful login delay. This is the period during which the user is not allowed to log in after two consecutive failed login attempts. The delay grows by the configured delay value (for example, 10 seconds) with each further consecutive login failure.

For information about creating account lockout policies, see Set up an account lockout policy.

Password policy

A password policy defines characteristics with which user passwords must comply. A password policy enforces the following conditions:

  • Whether the user ID and password can match.

  • Maximum occurrence of consecutive characters.

  • Maximum instances of any character.

  • Maximum lifetime of the passwords.

  • Minimum number of alphabetic characters.

  • Minimum number of numeric characters.

  • Minimum length of password.

  • Whether the user's previous password can be reused.

  • Number of previous passwords to check against when the user selects a new password.

For information about creating password policies, see Setting up a password policy.
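To make the password rules above concrete, the following is an added example (not WebSphere Commerce code) that evaluates a candidate password against every condition in the list. The policy field names, the hashing used for the password history, and the sample values are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed policy settings; the real product keeps these in its own
# configuration, so these field names are assumptions for illustration.
@dataclass
class PasswordPolicy:
    allow_userid_match: bool = False
    max_consecutive: int = 3      # "aaa" allowed, "aaaa" rejected
    max_instances: int = 4        # any single character at most 4 times
    min_alpha: int = 1
    min_numeric: int = 1
    min_length: int = 8
    allow_reuse: bool = False
    history_depth: int = 3        # number of previous passwords checked

def _digest(password: str) -> str:
    # Stand-in for the product's own password hashing (assumption).
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(policy, user_id, password, previous_digests):
    """Return the policy rules a candidate password violates (empty = OK).

    previous_digests holds digests of earlier passwords, most recent first.
    """
    violations = []
    if not policy.allow_userid_match and password.lower() == user_id.lower():
        violations.append("password matches user ID")
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        violations.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        violations.append(f"fewer than {policy.min_numeric} numeric characters")
    # Longest run of one character repeated consecutively.
    run = longest = min(len(password), 1)
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > policy.max_consecutive:
        violations.append(f"more than {policy.max_consecutive} consecutive identical characters")
    # Total occurrences of any single character, wherever it appears.
    if password and max(password.count(c) for c in set(password)) > policy.max_instances:
        violations.append(f"a character occurs more than {policy.max_instances} times")
    # Only the configured number of previous passwords is consulted.
    if not policy.allow_reuse and _digest(password) in previous_digests[:policy.history_depth]:
        violations.append(f"reuses one of the last {policy.history_depth} passwords")
    return violations
```

Note that the history check depends on the order of previous_digests: a password older than history_depth entries is allowed again, which is exactly what the "number of previous passwords to check" setting controls.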

Other authentication-related policies

The following sections describe the other authentication-related policies available with WebSphere Commerce:

Password invalidation

When enabled, password invalidation requires a WebSphere Commerce user whose password has expired to change it. The user is redirected to a page where they must change their password, and cannot access any secure pages on the site until they have done so.

For information about enabling password invalidation, see Enabling password invalidation.

Password protected commands

When the password protected commands feature is enabled, WebSphere Commerce requires registered users who are logged on to WebSphere Commerce to enter their password before continuing a request that runs designated WebSphere Commerce commands.

Caution: When you configure the password protected commands, some of the commands shown in the command selection list can be executed by generic or guest users. Configuring such commands as password protected prevents generic and guest users from running them.

For information about enabling the password protected commands feature, see Enabling password protected commands.

Login timeout

With the login timeout policy, WebSphere Commerce logs off a user who has been inactive for an extended period and requires them to log back on to the system. This policy is enabled through the Login Timeout node of the WebSphere Commerce Configuration Manager and is described in detail in Enabling login timeout.

Related Concepts

WebSphere Commerce security model