Authentication policies

An authentication policy is a set of rules that are applied to the authentication process and to the verification of authentication data by WebSphere Commerce. WebSphere Commerce supports account policies, other authentication-related policies, and session policies as described in the following sections.

Account policies

The following sections describe account policies available with WebSphere Commerce:

Account policy
The Account policy page of the WebSphere Commerce Administration Console allows you to set up an account policy. An account policy defines the account-related policies such as password and account lockout policies.
Once you have created an account policy, you can assign the policy to a user. Note that you cannot delete an account policy if it is in use (that is, a user is assigned the account policy).
For information on creating account policies, see Setting up an account policy.
Account lockout policy
The Account lockout policy page of the WebSphere Commerce Administration Console allows you to set up an account lockout policy for different user roles within WebSphere Commerce. The account lockout policy disables a user account when malicious actions are launched against that account, in order to reduce the chance that those actions compromise the account.

The account lockout policy enforces the following items:

  • The account lockout threshold. This is the number of invalid logon attempts before the account is disabled.
  • Consecutive unsuccessful login delay. This is the time period during which the user is not allowed to log in after two failed login attempts. The delay increments by the configured delay value (for example, 10 seconds) with every further consecutive login failure.

For information on creating account lockout policies, see Setting up an account lockout policy.
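The two lockout settings above interact: each consecutive failure after the second adds another delay increment, and reaching the threshold disables the account outright. The following Python simulation is an added example, not WebSphere Commerce code; the threshold of 5, the 10-second increment, and the choice to reject (without counting) attempts made during a delay window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # Constructed example values; in WebSphere Commerce these are set on the
    # Account lockout policy page of the Administration Console.
    threshold: int = 5        # invalid logon attempts before the account is disabled
    delay_seconds: int = 10   # increment applied from the second consecutive failure


@dataclass
class AccountState:
    consecutive_failures: int = 0
    disabled: bool = False
    not_before: float = 0.0   # earliest time (seconds) at which a login is accepted


def required_delay(policy: LockoutPolicy, failures: int) -> int:
    """Delay imposed after `failures` consecutive failures.

    No delay until the second failure; then delay_seconds, growing by
    delay_seconds for every further consecutive failure (10s, 20s, 30s ...).
    """
    if failures < 2:
        return 0
    return policy.delay_seconds * (failures - 1)


def attempt_login(policy: LockoutPolicy, state: AccountState,
                  password_ok: bool, now: float) -> str:
    """Apply one login attempt and return 'disabled', 'delayed', 'failed' or 'success'."""
    if state.disabled:
        return "disabled"
    if now < state.not_before:
        # Assumption: attempts inside the delay window are rejected but not counted.
        return "delayed"
    if password_ok:
        state.consecutive_failures = 0
        state.not_before = 0.0
        return "success"
    state.consecutive_failures += 1
    if state.consecutive_failures >= policy.threshold:
        # Threshold reached: the account is disabled until an administrator re-enables it.
        state.disabled = True
        return "disabled"
    state.not_before = now + required_delay(policy, state.consecutive_failures)
    return "failed"


def simulate(events: List[Tuple[float, bool]],
             policy: Optional[LockoutPolicy] = None) -> List[str]:
    """Run a sequence of (timestamp, password_ok) events against a fresh account."""
    policy = policy or LockoutPolicy()
    state = AccountState()
    return [attempt_login(policy, state, ok, t) for t, ok in events]


if __name__ == "__main__":
    # Constructed event stream: six bad passwords, then the correct one.
    events = [(0, False), (1, False), (5, False), (12, False),
              (40, False), (100, False), (200, True)]
    for (t, _), outcome in zip(events, simulate(events)):
        print(f"t={t:>3}s  {outcome}")
```

The final `disabled` outcome is the event a site should alert on: a disabled account after a burst of failures is the signal that the policy did its job, and a user who cannot log in after a successful password reset is the false-positive case to check first.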

Password policy
The Password policy page of the WebSphere Commerce Administration Console allows you to control a user's password selection in order to define the characteristics of the password to ensure that it complies with the security policy for your site.

This feature defines attributes with which the password must comply. The password policy enforces the following conditions:

  • Whether the user ID and password can match.
  • Maximum occurrence of consecutive characters.
  • Maximum instances of any character.
  • Maximum lifetime of the passwords.
  • Minimum number of alphabetic characters.
  • Minimum number of numeric characters.
  • Minimum length of password.
  • Whether the user's previous password can be reused.

For information on creating password policies, see Setting up a password policy.
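As an added illustration of how the eight conditions above combine, the following Python checker is example code rather than anything from WebSphere Commerce; the concrete limits (run length 3, four instances of any character, 90-day lifetime, eight-character minimum, one letter and one digit) are constructed values, and the reuse check compares plaintext strings for clarity where a real implementation would compare stored hashes.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class PasswordPolicy:
    # Constructed example values; the real values are set per policy in the
    # Administration Console's Password policy page.
    allow_userid_match: bool = False
    max_consecutive_chars: int = 3   # longest run of one repeated character
    max_char_instances: int = 4      # most times any single character may appear
    max_lifetime_days: int = 90
    min_alpha: int = 1
    min_numeric: int = 1
    min_length: int = 8
    allow_reuse: bool = False


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def check_password(policy: PasswordPolicy, user_id: str, password: str,
                   previous_passwords: Iterable[str] = ()) -> List[str]:
    """Return the list of rules a candidate password violates (empty means it complies)."""
    violations = []
    if not policy.allow_userid_match and password.lower() == user_id.lower():
        violations.append("password matches user ID")
    if longest_run(password) > policy.max_consecutive_chars:
        violations.append("too many consecutive identical characters")
    if password and max(password.count(c) for c in set(password)) > policy.max_char_instances:
        violations.append("a character appears too many times")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        violations.append("too few alphabetic characters")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        violations.append("too few numeric characters")
    if len(password) < policy.min_length:
        violations.append("password too short")
    if not policy.allow_reuse and password in set(previous_passwords):
        violations.append("password was used previously")
    return violations


def password_expired(policy: PasswordPolicy, age_days: int) -> bool:
    """Maximum-lifetime rule, evaluated at login time rather than at password selection."""
    return age_days > policy.max_lifetime_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed candidates: one mirrors the user ID, one is compliant, one repeats a character.
    for candidate in ("wcsadmin", "Tr0ub4dor7", "aaaa1111"):
        print(candidate, "->", check_password(policy, "wcsadmin", candidate) or "OK")
    print("age 120 days expired:", password_expired(policy, 120))
```

Returning every violated rule, rather than stopping at the first, is the behaviour a registration or change-password page wants so that the user can fix all problems in one pass; the lifetime rule is kept separate because it applies to a password already in use, which is what the password invalidation feature acts on.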

Other authentication-related policies

The following sections describe the other authentication-related policies available with WebSphere Commerce:

Password invalidation
Use the Password Invalidation node of the Configuration Manager to enable or disable the password invalidation feature. This feature, when enabled, requires WebSphere Commerce users to change their password if the user's password has expired. In that case, the user is redirected to a page where they are required to change their password. Users are not able to access any secure pages on the site until they have changed their password.

For information on using the Password Invalidation node, see Activating password invalidation.

Password protected commands
Use the Password Protected Commands node of the Configuration Manager to enable or disable the password protected commands feature. When this feature is enabled, WebSphere Commerce requires registered users who are logged onto WebSphere Commerce to enter their password before continuing a request that runs designated WebSphere Commerce commands.

Caution: When you configure the password protected commands, some of the commands shown in the command selection list can be executed by generic or guest users. Configuring such commands as password protected will restrict generic and guest users from running them. Therefore, you should exercise caution when you con

Note: WebSphere Commerce will only display the commands that are designated as authenticated or set with the https flag in the URLREG table in the list of available commands.

For information on using the Password Protected Commands node, see Enabling password protected commands.

Session policies

In WebSphere Commerce, session policies are embodied in the login timeout policy.

With the login timeout policy, WebSphere Commerce logs off a user who has been inactive for an extended period and requires them to log back on to the system. The policy is configured through the Login Timeout node of the WebSphere Commerce Configuration Manager and is described in detail in Enabling login timeout.
