PasswordPolicy

ab0b5959 · MaxKey单点登录官方 · 9946e1a2 · ab0b5959 · ab0b5959 · ab0b5959
10 changed file
--- a/maxkey-core/src/main/java/org/maxkey/domain/PasswordPolicy.java
+++ b/maxkey-core/src/main/java/org/maxkey/domain/PasswordPolicy.java
@@ -121,6 +121,7 @@ public class PasswordPolicy extends JpaBaseDomain implements java.io.Serializabl
    @Column
    private int occurances;
    
+    private int randomPasswordLength;

    /**
     * @return the minLength
@@ -328,6 +329,14 @@ public class PasswordPolicy extends JpaBaseDomain implements java.io.Serializabl
    public void setOccurances(int occurances) {
        this.occurances = occurances;
    }
+    
+    public int getRandomPasswordLength() {
+        return randomPasswordLength;
+    }
+
+    public void setRandomPasswordLength(int randomPasswordLength) {
+        this.randomPasswordLength = randomPasswordLength;
+    }

    public void check(String username, String newPassword, String oldPassword) throws PasswordPolicyException {
        if ((1 == this.getUsername()) && newPassword.toLowerCase().contains(username.toLowerCase())) {

--- a/maxkey-core/src/main/java/org/maxkey/persistence/db/PasswordPolicyValidator.java
+++ b/maxkey-core/src/main/java/org/maxkey/persistence/db/PasswordPolicyValidator.java
@@ -25,6 +25,8 @@ import org.passay.CharacterOccurrencesRule;
 import org.passay.CharacterRule;
 import org.passay.DictionaryRule;
 import org.passay.EnglishCharacterData;
+import org.passay.EnglishSequenceData;
+import org.passay.IllegalSequenceRule;
 import org.passay.LengthRule;
 import org.passay.PasswordData;
 import org.passay.PasswordValidator;
@@ -92,6 +94,16 @@ public class PasswordPolicyValidator {
            _logger.debug("query PasswordPolicy : " + passwordPolicy);
            passwordPolicyStore.put(PASSWORD_POLICY_KEY,passwordPolicy);
            
+            //init Password Policy
+            passwordPolicy.setRandomPasswordLength(
+                Math.round(
+                        (
+                                passwordPolicy.getMaxLength() + 
+                                passwordPolicy.getMinLength()
+                        )/2
+                   )
+            );
+            
            passwordPolicyRuleList = new ArrayList<Rule>();
            passwordPolicyRuleList.add(new WhitespaceRule());
            passwordPolicyRuleList.add(new LengthRule(passwordPolicy.getMinLength(), passwordPolicy.getMaxLength()));
@@ -120,12 +132,23 @@ public class PasswordPolicyValidator {
                passwordPolicyRuleList.add(new CharacterOccurrencesRule(passwordPolicy.getOccurances()));
            }
            
+            if(passwordPolicy.getAlphabetical()>0) {
+                passwordPolicyRuleList.add(new IllegalSequenceRule(EnglishSequenceData.Alphabetical, 4, false));
+            }
+            
+            if(passwordPolicy.getNumerical()>0) {
+                passwordPolicyRuleList.add(new IllegalSequenceRule(EnglishSequenceData.Numerical, 4, false));
+            }
+            
+            if(passwordPolicy.getQwerty()>0) {
+                passwordPolicyRuleList.add(new IllegalSequenceRule(EnglishSequenceData.USQwerty, 4, false));
+            }
+                        
            if(passwordPolicy.getDictionary()>0 ) {
                try {
                    ClassPathResource dictFile= 
                            new ClassPathResource(
                                    ConstantsProperties.classPathResource(topWeakPasswordPropertySource));
-                    
                    Dictionary dictionary =new DictionaryBuilder().addReader(new InputStreamReader(dictFile.getInputStream())).build();
                    passwordPolicyRuleList.add(new DictionaryRule(dictionary));
                }catch(Exception e) {
@@ -143,6 +166,7 @@ public class PasswordPolicyValidator {
     */
   public boolean validator(UserInfo userInfo) {
       
+       
       String password = userInfo.getPassword();
       String username = userInfo.getUsername();
       
@@ -159,15 +183,18 @@ public class PasswordPolicyValidator {
       RuleResult result = validator.validate(new PasswordData(username,password));
       
       if (result.isValid()) {
-           System.out.println("Password is valid");
-         } else {
-           System.out.println("Invalid password:");
+           _logger.debug("Password is valid");
+           return true;
+       } else {
+           _logger.debug("Invalid password:");
+           String passwordPolicyMessage = "";
           for (String msg : validator.getMessages(result)) {
-             System.out.println(msg);
+               passwordPolicyMessage = passwordPolicyMessage + msg + "<br>";
+               _logger.debug("Rule Message " + msg);
           }
-         }
-       
-       return true;
+           WebContext.setAttribute(PasswordPolicyValidator.class.getName(), passwordPolicyMessage);
+           return false;
+       }
   }
   
   
@@ -329,13 +356,8 @@ public class PasswordPolicyValidator {
   public String generateRandomPassword() {
       getPasswordPolicy();
       PasswordGen passwordGen = new PasswordGen(
-               Math.round(
-                       (
-                               passwordPolicy.getMaxLength() + 
-                               passwordPolicy.getMinLength()
-                       )/2
-                  )
-               );
+               passwordPolicy.getRandomPasswordLength()
+       );
       
       return passwordGen.gen(
               passwordPolicy.getLowerCase(), 

--- a/maxkey-core/src/main/resources/messages/passwordpolicy_message.properties
+++ b/maxkey-core/src/main/resources/messages/passwordpolicy_message.properties
 #password
-PasswordPolicy.HISTORY_VIOLATION=\u5BC6\u7801\u5339\u914D\u4E86 {0}\u5386\u53F2\u5BC6\u7801.
-PasswordPolicy.ILLEGAL_WORD=\u5BC6\u7801\u5305\u542B\u5728\u5BC6\u7801\u5B57\u5178'{0}'.
-PasswordPolicy.ILLEGAL_WORD_REVERSED=\u5BC6\u7801\u5305\u542B\u5728\u5BC6\u7801\u5B57\u5178\u5012\u5E8F'{0}'.
-PasswordPolicy.ILLEGAL_DIGEST_WORD=\u5BC6\u7801\u5305\u542B\u5728\u5B57\u5178\u4E2D.
-PasswordPolicy.ILLEGAL_DIGEST_WORD_REVERSED=\u5BC6\u7801\u5305\u542B\u5728\u5B57\u5178\u5012\u5E8F\u4E2D.
-PasswordPolicy.ILLEGAL_MATCH=\u5BC6\u7801\u5339\u914D\u975E\u6CD5\u89C4\u5219 '{0}'.
-PasswordPolicy.ALLOWED_MATCH=\u5BC6\u7801\u5FC5\u987B\u5339\u914D\u89C4\u5219 '{0}'.
-PasswordPolicy.ILLEGAL_CHAR=\u5BC6\u7801 {1} \u5305\u542B\u975E\u6CD5\u5B57\u7B26 '{0}'.
-PasswordPolicy.ALLOWED_CHAR=\u5BC6\u7801 {1} \u975E\u6CD5\u5B57\u7B26 '{0}'.
-PasswordPolicy.ILLEGAL_QWERTY_SEQUENCE=\u5BC6\u7801\u5305\u542B\u952E\u76D8\u5E8F\u5217 '{0}'.
-PasswordPolicy.ILLEGAL_ALPHABETICAL_SEQUENCE=\u5BC6\u7801\u5305\u542B\u5B57\u7B26\u5E8F\u5217'{0}'.
-PasswordPolicy.ILLEGAL_NUMERICAL_SEQUENCE=\u5BC6\u7801\u5305\u542B\u6570\u5B57\u5E8F\u5217 '{0}'.
-PasswordPolicy.ILLEGAL_USERNAME=\u5BC6\u7801\u4E0D\u80FD\u5305\u542B\u767B\u5F55\u540D {0}.
-PasswordPolicy.ILLEGAL_USERNAME_REVERSED=\u5BC6\u7801 {1} \u5305\u542B\u767B\u5F55\u540D {0} \u5012\u5E8F.
-PasswordPolicy.ILLEGAL_WHITESPACE=\u5BC6\u7801 {1} \u5305\u542B\u7A7A\u683C.
-PasswordPolicy.ILLEGAL_NUMBER_RANGE=\u5BC6\u7801 {1} \u6570\u5B57 '{0}'.
-PasswordPolicy.ILLEGAL_REPEATED_CHARS=\u5BC6\u7801 {2} \u5E8F\u5217  {0} \u6216\u8005\u591A\u4E2A\u5B57\u7B26, \u4F46 {1} \u8BB8:{3}\u6B21.
-PasswordPolicy.INSUFFICIENT_UPPERCASE=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u5927\u5199\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_LOWERCASE=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u5C0F\u5199\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_ALPHABETICAL=\u5BC6\u7801\u4FDD\u62A4\u5B57\u7B26\u5E8F\u5217{0}.
-PasswordPolicy.INSUFFICIENT_DIGIT=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u6570\u5B57\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_SPECIAL=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u7279\u6B8A\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_CHARACTERISTICS=\u5BC6\u7801\u5339\u914D {0} of {2}\u5B57\u7B26\u89C4\u5219, \u4F46 {1} \u5FC5\u987B.
-PasswordPolicy.INSUFFICIENT_COMPLEXITY=\u5BC6\u7801\u9047\u5230 {1} \u590D\u6742\u89C4\u5219, \u4F46 {2} \u5FC5\u987B.
-PasswordPolicy.INSUFFICIENT_COMPLEXITY_RULES=\u6CA1\u6709\u914D\u7F6E\u5BC6\u7801\u957F\u5EA6\u89C4\u5219 {0}.
-PasswordPolicy.SOURCE_VIOLATION=\u5BC6\u7801\u4E0D\u80FD\u5305\u542B {0} \u5BC6\u7801.
-PasswordPolicy.TOO_LONG=\u5BC6\u7801\u5FC5\u987B\u5C0F\u4E8E {1} \u4F4D\u5B57\u7B26.
-PasswordPolicy.TOO_SHORT=\u5BC6\u7801\u81F3\u5C11 {0} \u4F4D\u5B57\u7B26.
-PasswordPolicy.TOO_MANY_OCCURRENCES=\u5BC6\u7801\u5305\u542B {2}\u51FA\u73B0 '{0}', \u6700\u591A {3} \u6B21.
\ No newline at end of file
+PasswordPolicy.HISTORY_VIOLATION=\u5bc6\u7801\u5339\u914d\u4e86{0}\u5386\u53f2\u5bc6\u7801.
+PasswordPolicy.ILLEGAL_WORD=\u5bc6\u7801\u5305\u542b\u5728\u5bc6\u7801\u5b57\u5178'{0}'.
+PasswordPolicy.ILLEGAL_WORD_REVERSED=\u5bc6\u7801\u5305\u542b\u5728\u5bc6\u7801\u5b57\u5178\u5012\u5e8f'{0}'.
+PasswordPolicy.ILLEGAL_DIGEST_WORD=\u5bc6\u7801\u5305\u542b\u5728\u5b57\u5178\u4e2d.
+PasswordPolicy.ILLEGAL_DIGEST_WORD_REVERSED=\u5bc6\u7801\u5305\u542b\u5728\u5b57\u5178\u5012\u5e8f\u4e2d.
+PasswordPolicy.ILLEGAL_MATCH=\u5bc6\u7801\u5339\u914d\u975e\u6cd5\u89c4\u5219'{0}'.
+PasswordPolicy.ALLOWED_MATCH=\u5bc6\u7801\u5fc5\u987b\u5339\u914d\u89c4\u5219'{0}'.
+PasswordPolicy.ILLEGAL_CHAR=\u5bc6\u7801{1}\u5305\u542b\u975e\u6cd5\u5b57\u7b26'{0}'.
+PasswordPolicy.ALLOWED_CHAR=\u5bc6\u7801{1}\u975e\u6cd5\u5b57\u7b26'{0}'.
+PasswordPolicy.ILLEGAL_QWERTY_SEQUENCE=\u5bc6\u7801\u5305\u542b\u952e\u76d8\u5e8f\u5217'{0}'.
+PasswordPolicy.ILLEGAL_ALPHABETICAL_SEQUENCE=\u5bc6\u7801\u5305\u542b\u5b57\u7b26\u5e8f\u5217'{0}'.
+PasswordPolicy.ILLEGAL_NUMERICAL_SEQUENCE=\u5bc6\u7801\u5305\u542b\u6570\u5b57\u5e8f\u5217'{0}'.
+PasswordPolicy.ILLEGAL_USERNAME=\u5bc6\u7801\u4e0d\u80fd\u5305\u542b\u767b\u5f55\u540d{0}.
+PasswordPolicy.ILLEGAL_USERNAME_REVERSED=\u5bc6\u7801{1} \u5305\u542b\u767b\u5f55\u540d{0}\u5012\u5e8f.
+PasswordPolicy.ILLEGAL_WHITESPACE=\u5bc6\u7801{1}\u5305\u542b\u7a7a\u683c.
+PasswordPolicy.ILLEGAL_NUMBER_RANGE=\u5bc6\u7801{1}\u6570\u5b57 '{0}'.
+PasswordPolicy.ILLEGAL_REPEATED_CHARS=\u5bc6\u7801{2}\u5e8f\u5217{0}\u6216\u8005\u591a\u4e2a\u5b57\u7b26, \u4f46{1}\u5141\u8bb8:{3}\u6b21.
+PasswordPolicy.INSUFFICIENT_UPPERCASE=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u5927\u5199\u5b57\u6bcd.
+PasswordPolicy.INSUFFICIENT_LOWERCASE=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u5c0f\u5199\u5b57\u6bcd.
+PasswordPolicy.INSUFFICIENT_ALPHABETICAL=\u5bc6\u7801\u5305\u542b\u5b57\u7b26\u5e8f\u5217{0}.
+PasswordPolicy.INSUFFICIENT_DIGIT=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u6570\u5b57\u5b57\u6bcd.
+PasswordPolicy.INSUFFICIENT_SPECIAL=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u7279\u6b8a\u5b57\u7b26.
+PasswordPolicy.INSUFFICIENT_CHARACTERISTICS=\u5bc6\u7801\u5339\u914d {0} of{2}\u5b57\u7b26\u89c4\u5219, \u4f46{1} \u5fc5\u987b.
+PasswordPolicy.INSUFFICIENT_COMPLEXITY=\u5bc6\u7801\u9047\u5230{1}\u590d\u6742\u89c4\u5219, \u4f46{2}\u5fc5\u987b.
+PasswordPolicy.INSUFFICIENT_COMPLEXITY_RULES=\u6ca1\u6709\u914d\u7f6e\u5bc6\u7801\u957f\u5ea6\u89c4\u5219 {0}.
+PasswordPolicy.SOURCE_VIOLATION=\u5bc6\u7801\u4e0d\u80fd\u5305\u542b{0}\u5bc6\u7801.
+PasswordPolicy.TOO_LONG=\u5bc6\u7801\u6700\u591a{1}\u4f4d\u5b57\u7b26.
+PasswordPolicy.TOO_SHORT=\u5bc6\u7801\u81f3\u5c11{0}\u4f4d\u5b57\u7b26.
+PasswordPolicy.TOO_MANY_OCCURRENCES=\u5bc6\u7801\u5305\u542b{0}\u51fa\u73b0{1}, \u6700\u591a{2} \u6b21.
+PasswordPolicy.OLD_PASSWORD_NOT_MATCH=\u539f\u5bc6\u7801\u4e0d\u5339\u914d.
+PasswordPolicy.CONFIRMPASSWORD_NOT_MATCH=\u65b0\u5bc6\u7801\u4e0e\u786e\u8ba4\u5bc6\u7801\u4e0d\u4e00\u81f4.
+PasswordPolicy.OLD_PASSWORD_MATCH=\u65b0\u5bc6\u7801\u4e0d\u80fd\u4e0e\u65e7\u5bc6\u7801\u4e00\u81f4.
\ No newline at end of file
--- a/maxkey-core/src/main/resources/messages/passwordpolicy_message_en.properties
+++ b/maxkey-core/src/main/resources/messages/passwordpolicy_message_en.properties
@@ -27,4 +27,7 @@ PasswordPolicy.INSUFFICIENT_COMPLEXITY_RULES=No rules have been configured for a
 PasswordPolicy.SOURCE_VIOLATION=Password cannot be the same as your {0} password.
 PasswordPolicy.TOO_LONG=Password must be no more than {1} characters in length.
 PasswordPolicy.TOO_SHORT=Password must be {0} or more characters in length .
-PasswordPolicy.TOO_MANY_OCCURRENCES=Password contains {1} occurrences of the character '{0}', but at most {2} are allowed.
\ No newline at end of file
+PasswordPolicy.TOO_MANY_OCCURRENCES=Password contains {1} occurrences of the character '{0}', but at most {2} are allowed.
+PasswordPolicy.OLD_PASSWORD_NOT_MATCH=old password not match.
+PasswordPolicy.CONFIRMPASSWORD_NOT_MATCH=new password not match confirm password.
+PasswordPolicy.OLD_PASSWORD_MATCH=new password  match old password.
\ No newline at end of file
--- a/maxkey-core/src/main/resources/messages/passwordpolicy_message_zh_CN.properties
+++ b/maxkey-core/src/main/resources/messages/passwordpolicy_message_zh_CN.properties
 #password
-PasswordPolicy.HISTORY_VIOLATION=\u5BC6\u7801\u5339\u914D\u4E86 {0}\u5386\u53F2\u5BC6\u7801.
-PasswordPolicy.ILLEGAL_WORD=\u5BC6\u7801\u5305\u542B\u5728\u5BC6\u7801\u5B57\u5178'{0}'.
-PasswordPolicy.ILLEGAL_WORD_REVERSED=\u5BC6\u7801\u5305\u542B\u5728\u5BC6\u7801\u5B57\u5178\u5012\u5E8F'{0}'.
-PasswordPolicy.ILLEGAL_DIGEST_WORD=\u5BC6\u7801\u5305\u542B\u5728\u5B57\u5178\u4E2D.
-PasswordPolicy.ILLEGAL_DIGEST_WORD_REVERSED=\u5BC6\u7801\u5305\u542B\u5728\u5B57\u5178\u5012\u5E8F\u4E2D.
-PasswordPolicy.ILLEGAL_MATCH=\u5BC6\u7801\u5339\u914D\u975E\u6CD5\u89C4\u5219 '{0}'.
-PasswordPolicy.ALLOWED_MATCH=\u5BC6\u7801\u5FC5\u987B\u5339\u914D\u89C4\u5219 '{0}'.
-PasswordPolicy.ILLEGAL_CHAR=\u5BC6\u7801 {1} \u5305\u542B\u975E\u6CD5\u5B57\u7B26 '{0}'.
-PasswordPolicy.ALLOWED_CHAR=\u5BC6\u7801 {1} \u975E\u6CD5\u5B57\u7B26 '{0}'.
-PasswordPolicy.ILLEGAL_QWERTY_SEQUENCE=\u5BC6\u7801\u5305\u542B\u952E\u76D8\u5E8F\u5217 '{0}'.
-PasswordPolicy.ILLEGAL_ALPHABETICAL_SEQUENCE=\u5BC6\u7801\u5305\u542B\u5B57\u7B26\u5E8F\u5217'{0}'.
-PasswordPolicy.ILLEGAL_NUMERICAL_SEQUENCE=\u5BC6\u7801\u5305\u542B\u6570\u5B57\u5E8F\u5217 '{0}'.
-PasswordPolicy.ILLEGAL_USERNAME=\u5BC6\u7801\u4E0D\u80FD\u5305\u542B\u767B\u5F55\u540D {0}.
-PasswordPolicy.ILLEGAL_USERNAME_REVERSED=\u5BC6\u7801 {1} \u5305\u542B\u767B\u5F55\u540D {0} \u5012\u5E8F.
-PasswordPolicy.ILLEGAL_WHITESPACE=\u5BC6\u7801 {1} \u5305\u542B\u7A7A\u683C.
-PasswordPolicy.ILLEGAL_NUMBER_RANGE=\u5BC6\u7801 {1} \u6570\u5B57 '{0}'.
-PasswordPolicy.ILLEGAL_REPEATED_CHARS=\u5BC6\u7801 {2} \u5E8F\u5217  {0} \u6216\u8005\u591A\u4E2A\u5B57\u7B26, \u4F46 {1} \u8BB8:{3}\u6B21.
-PasswordPolicy.INSUFFICIENT_UPPERCASE=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u5927\u5199\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_LOWERCASE=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u5C0F\u5199\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_ALPHABETICAL=\u5BC6\u7801\u4FDD\u62A4\u5B57\u7B26\u5E8F\u5217{0}.
-PasswordPolicy.INSUFFICIENT_DIGIT=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u6570\u5B57\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_SPECIAL=\u5BC6\u7801\u81F3\u5C11\u5305\u542B {0} \u4F4D\u7279\u6B8A\u5B57\u6BCD.
-PasswordPolicy.INSUFFICIENT_CHARACTERISTICS=\u5BC6\u7801\u5339\u914D {0} of {2}\u5B57\u7B26\u89C4\u5219, \u4F46 {1} \u5FC5\u987B.
-PasswordPolicy.INSUFFICIENT_COMPLEXITY=\u5BC6\u7801\u9047\u5230 {1} \u590D\u6742\u89C4\u5219, \u4F46 {2} \u5FC5\u987B.
-PasswordPolicy.INSUFFICIENT_COMPLEXITY_RULES=\u6CA1\u6709\u914D\u7F6E\u5BC6\u7801\u957F\u5EA6\u89C4\u5219 {0}.
-PasswordPolicy.SOURCE_VIOLATION=\u5BC6\u7801\u4E0D\u80FD\u5305\u542B {0} \u5BC6\u7801.
-PasswordPolicy.TOO_LONG=\u5BC6\u7801\u5FC5\u987B\u5C0F\u4E8E {1} \u4F4D\u5B57\u7B26.
-PasswordPolicy.TOO_SHORT=\u5BC6\u7801\u81F3\u5C11 {0} \u4F4D\u5B57\u7B26.
-PasswordPolicy.TOO_MANY_OCCURRENCES=\u5BC6\u7801\u5305\u542B {2}\u51FA\u73B0 '{0}', \u6700\u591A {3} \u6B21.
\ No newline at end of file
+PasswordPolicy.HISTORY_VIOLATION=\u5bc6\u7801\u5339\u914d\u4e86{0}\u5386\u53f2\u5bc6\u7801.
+PasswordPolicy.ILLEGAL_WORD=\u5bc6\u7801\u5305\u542b\u5728\u5bc6\u7801\u5b57\u5178'{0}'.
+PasswordPolicy.ILLEGAL_WORD_REVERSED=\u5bc6\u7801\u5305\u542b\u5728\u5bc6\u7801\u5b57\u5178\u5012\u5e8f'{0}'.
+PasswordPolicy.ILLEGAL_DIGEST_WORD=\u5bc6\u7801\u5305\u542b\u5728\u5b57\u5178\u4e2d.
+PasswordPolicy.ILLEGAL_DIGEST_WORD_REVERSED=\u5bc6\u7801\u5305\u542b\u5728\u5b57\u5178\u5012\u5e8f\u4e2d.
+PasswordPolicy.ILLEGAL_MATCH=\u5bc6\u7801\u5339\u914d\u975e\u6cd5\u89c4\u5219'{0}'.
+PasswordPolicy.ALLOWED_MATCH=\u5bc6\u7801\u5fc5\u987b\u5339\u914d\u89c4\u5219'{0}'.
+PasswordPolicy.ILLEGAL_CHAR=\u5bc6\u7801{1}\u5305\u542b\u975e\u6cd5\u5b57\u7b26'{0}'.
+PasswordPolicy.ALLOWED_CHAR=\u5bc6\u7801{1}\u975e\u6cd5\u5b57\u7b26'{0}'.
+PasswordPolicy.ILLEGAL_QWERTY_SEQUENCE=\u5bc6\u7801\u5305\u542b\u952e\u76d8\u5e8f\u5217'{0}'.
+PasswordPolicy.ILLEGAL_ALPHABETICAL_SEQUENCE=\u5bc6\u7801\u5305\u542b\u5b57\u7b26\u5e8f\u5217'{0}'.
+PasswordPolicy.ILLEGAL_NUMERICAL_SEQUENCE=\u5bc6\u7801\u5305\u542b\u6570\u5b57\u5e8f\u5217'{0}'.
+PasswordPolicy.ILLEGAL_USERNAME=\u5bc6\u7801\u4e0d\u80fd\u5305\u542b\u767b\u5f55\u540d{0}.
+PasswordPolicy.ILLEGAL_USERNAME_REVERSED=\u5bc6\u7801{1} \u5305\u542b\u767b\u5f55\u540d{0}\u5012\u5e8f.
+PasswordPolicy.ILLEGAL_WHITESPACE=\u5bc6\u7801{1}\u5305\u542b\u7a7a\u683c.
+PasswordPolicy.ILLEGAL_NUMBER_RANGE=\u5bc6\u7801{1}\u6570\u5b57 '{0}'.
+PasswordPolicy.ILLEGAL_REPEATED_CHARS=\u5bc6\u7801{2}\u5e8f\u5217{0}\u6216\u8005\u591a\u4e2a\u5b57\u7b26, \u4f46{1}\u5141\u8bb8:{3}\u6b21.
+PasswordPolicy.INSUFFICIENT_UPPERCASE=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u5927\u5199\u5b57\u6bcd.
+PasswordPolicy.INSUFFICIENT_LOWERCASE=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u5c0f\u5199\u5b57\u6bcd.
+PasswordPolicy.INSUFFICIENT_ALPHABETICAL=\u5bc6\u7801\u5305\u542b\u5b57\u7b26\u5e8f\u5217{0}.
+PasswordPolicy.INSUFFICIENT_DIGIT=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u6570\u5b57\u5b57\u6bcd.
+PasswordPolicy.INSUFFICIENT_SPECIAL=\u5bc6\u7801\u81f3\u5c11\u5305\u542b{0}\u4f4d\u7279\u6b8a\u5b57\u7b26.
+PasswordPolicy.INSUFFICIENT_CHARACTERISTICS=\u5bc6\u7801\u5339\u914d {0} of{2}\u5b57\u7b26\u89c4\u5219, \u4f46{1} \u5fc5\u987b.
+PasswordPolicy.INSUFFICIENT_COMPLEXITY=\u5bc6\u7801\u9047\u5230{1}\u590d\u6742\u89c4\u5219, \u4f46{2}\u5fc5\u987b.
+PasswordPolicy.INSUFFICIENT_COMPLEXITY_RULES=\u6ca1\u6709\u914d\u7f6e\u5bc6\u7801\u957f\u5ea6\u89c4\u5219 {0}.
+PasswordPolicy.SOURCE_VIOLATION=\u5bc6\u7801\u4e0d\u80fd\u5305\u542b{0}\u5bc6\u7801.
+PasswordPolicy.TOO_LONG=\u5bc6\u7801\u6700\u591a{1}\u4f4d\u5b57\u7b26.
+PasswordPolicy.TOO_SHORT=\u5bc6\u7801\u81f3\u5c11{0}\u4f4d\u5b57\u7b26.
+PasswordPolicy.TOO_MANY_OCCURRENCES=\u5bc6\u7801\u5305\u542b{0}\u51fa\u73b0{1}, \u6700\u591a{2} \u6b21.
+PasswordPolicy.OLD_PASSWORD_NOT_MATCH=\u539f\u5bc6\u7801\u4e0d\u5339\u914d.
+PasswordPolicy.CONFIRMPASSWORD_NOT_MATCH=\u65b0\u5bc6\u7801\u4e0e\u786e\u8ba4\u5bc6\u7801\u4e0d\u4e00\u81f4.
+PasswordPolicy.OLD_PASSWORD_MATCH=\u65b0\u5bc6\u7801\u4e0d\u80fd\u4e0e\u65e7\u5bc6\u7801\u4e00\u81f4.
\ No newline at end of file
--- a/maxkey-core/src/test/java/org/maxkey/crypto/password/PasswordReciprocalTest.java
+++ b/maxkey-core/src/test/java/org/maxkey/crypto/password/PasswordReciprocalTest.java
@@ -32,7 +32,7 @@ public class PasswordReciprocalTest {
 		String epass=spe.encode(pass);
 		System.out.println("PasswordEncoder "+epass); 
 		
-		System.out.println(PasswordReciprocal.getInstance().decoder("bb2002b9f55b05d3e0e6f34ec5321051"));
+		System.out.println(PasswordReciprocal.getInstance().decoder("f1ee1e9b912f05333a06925c99daf9c0"));
 	}

 }
--- a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/UserInfoService.java
+++ b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/UserInfoService.java
@@ -183,7 +183,9 @@ public class UserInfoService extends JpaBaseService<UserInfo> {
 	public boolean changePassword(UserInfo userInfo) {
 		try {
 		    
-		    passwordPolicyValidator.validator(userInfo);
+		    if(passwordPolicyValidator.validator(userInfo) == false) {
+		        return false;
+		    }
 		    
 			if(WebContext.getUserInfo() != null) {
 				userInfo.setModifiedBy(WebContext.getUserInfo().getId());

--- a/maxkey-web-maxkey/src/main/java/org/maxkey/web/contorller/SafeController.java
+++ b/maxkey-web-maxkey/src/main/java/org/maxkey/web/contorller/SafeController.java
@@ -26,6 +26,7 @@ import org.maxkey.constants.ConstantsTimeInterval;
 import org.maxkey.crypto.ReciprocalUtils;
 import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
+import org.maxkey.persistence.db.PasswordPolicyValidator;
 import org.maxkey.persistence.service.UserInfoService;
 import org.maxkey.util.StringUtils;
 import org.maxkey.web.WebConstants;
@@ -72,7 +73,10 @@ public class SafeController {
 			if(changeUserPassword(oldPassword,newPassword,confirmPassword)) {
 				return  new Message(WebContext.getI18nValue(ConstantsOperateMessage.UPDATE_SUCCESS),MessageType.success);
 			}else {
-				return  new Message(WebContext.getI18nValue(ConstantsOperateMessage.UPDATE_ERROR),MessageType.error);
+				return  new Message(
+				        WebContext.getI18nValue(ConstantsOperateMessage.UPDATE_ERROR)+"<br>"
+				        +WebContext.getAttribute(PasswordPolicyValidator.class.getName()),
+				        MessageType.error);
 			}	
 	}

@@ -83,17 +87,16 @@ public class SafeController {
 			@RequestParam(value ="confirmPassword",required = false) String confirmPassword) {
 			ModelAndView modelAndView=new ModelAndView("passwordExpired");
 	        if(newPassword ==null ||newPassword.equals("")) {
-	            UserInfo userInfo=WebContext.getUserInfo();
-	            modelAndView.addObject("model", userInfo);
-	            return modelAndView;
+	            
 	        }else if(changeUserPassword(oldPassword,newPassword,confirmPassword)){
 	            WebContext.getSession().setAttribute(WebConstants.CURRENT_LOGIN_USER_PASSWORD_SET_TYPE,ConstantsPasswordSetType.PASSWORD_NORMAL);
 				return WebContext.redirect("/index");
-				//modelAndView.setViewName("index");
 			}
 	        
-			new Message(WebContext.getI18nValue(ConstantsOperateMessage.UPDATE_ERROR),MessageType.error);
-		 
+			Object errorMessage=WebContext.getAttribute(PasswordPolicyValidator.class.getName());
+			UserInfo userInfo=WebContext.getUserInfo();
+            modelAndView.addObject("model", userInfo);
+            modelAndView.addObject("errorMessage", errorMessage==null?"":errorMessage);
 			return modelAndView;
 	}
 	
@@ -105,33 +108,53 @@ public class SafeController {
 			@RequestParam(value ="confirmPassword",required = false) String confirmPassword) {
 		ModelAndView modelAndView=new ModelAndView("passwordInitial");
        if(newPassword ==null ||newPassword.equals("")) {
-            UserInfo userInfo=WebContext.getUserInfo();
-            modelAndView.addObject("model", userInfo);
-            return modelAndView;
+            
        }else if(changeUserPassword(oldPassword,newPassword,confirmPassword)){
            WebContext.getSession().setAttribute(WebConstants.CURRENT_LOGIN_USER_PASSWORD_SET_TYPE,ConstantsPasswordSetType.PASSWORD_NORMAL);
 			return WebContext.redirect("/index");
-			//modelAndView.setViewName("index");
 		}
 		
-		  new Message(WebContext.getI18nValue(ConstantsOperateMessage.UPDATE_ERROR),MessageType.error);
-		  return modelAndView;
+        Object errorMessage=WebContext.getAttribute(PasswordPolicyValidator.class.getName());
+        modelAndView.addObject("errorMessage", errorMessage==null?"":errorMessage);
+        UserInfo userInfo=WebContext.getUserInfo();
+        modelAndView.addObject("model", userInfo);
+        return modelAndView;
 	}
 	
 	public boolean changeUserPassword(String oldPassword,
 									String newPassword,
 									String confirmPassword){
-		UserInfo userInfo =WebContext.getUserInfo();
+	    WebContext.setAttribute(PasswordPolicyValidator.class.getName(), "");
+		UserInfo userInfo = WebContext.getUserInfo();
+		UserInfo changeUserInfo = new UserInfo();
+		changeUserInfo.setUsername(userInfo.getUsername());
+		changeUserInfo.setPassword(newPassword);
+		changeUserInfo.setId(userInfo.getId());
+		changeUserInfo.setDecipherable(userInfo.getDecipherable());
 		_logger.debug("decipherable old : "+userInfo.getDecipherable());
 		_logger.debug("decipherable new : "+ReciprocalUtils.encode(PasswordReciprocal.getInstance().rawPassword(userInfo.getUsername(), newPassword)));
+		
 		if(newPassword.equals(confirmPassword)){
 			if(oldPassword==null || 
 					passwordEncoder.matches(oldPassword, userInfo.getPassword())){
-				userInfo.setPassword(newPassword);
-				userInfoService.changePassword(userInfo);
-				//TODO syncProvisioningService.changePassword(userInfo);
-				return true;
+				if(userInfoService.changePassword(changeUserInfo)) {
+				    userInfo.setPassword(changeUserInfo.getPassword());
+				    userInfo.setDecipherable(changeUserInfo.getDecipherable());
+				    return true;
+				}
+			}else {
+			    if(oldPassword!=null &&
+	                    passwordEncoder.matches(newPassword, userInfo.getPassword())) {
+			        WebContext.setAttribute(PasswordPolicyValidator.class.getName(), 
+	                        WebContext.getI18nValue("PasswordPolicy.OLD_PASSWORD_MATCH"));
+			    }else {
+			        WebContext.setAttribute(PasswordPolicyValidator.class.getName(), 
+			            WebContext.getI18nValue("PasswordPolicy.OLD_PASSWORD_NOT_MATCH"));
+			    }
 			}
+		}else {
+		    WebContext.setAttribute(PasswordPolicyValidator.class.getName(), 
+                    WebContext.getI18nValue("PasswordPolicy.CONFIRMPASSWORD_NOT_MATCH"));
 		}
 		return false;
 		

--- a/maxkey-web-maxkey/src/main/resources/templates/views/passwordExpired.ftl
+++ b/maxkey-web-maxkey/src/main/resources/templates/views/passwordExpired.ftl
@@ -21,7 +21,14 @@
 	  <table  class="table table-bordered"  >
 			<tbody>
 			<tr>
-				<th  colspan="2"><@locale code="login.password.expired.tip" /></th>
+				<th  colspan="2">
+					<@locale code="login.password.expired.tip" />
+				</th>
+			</tr>
+			<tr <#if ''==errorMessage>style="display:none;"</#if>>
+				<th  colspan="2" style="color:red;">
+					${errorMessage!}
+				</th>
 			</tr>
 			<tr>
 				<th><@locale code="userinfo.displayName" /> :</th>

--- a/maxkey-web-maxkey/src/main/resources/templates/views/passwordInitial.ftl
+++ b/maxkey-web-maxkey/src/main/resources/templates/views/passwordInitial.ftl
@@ -23,6 +23,11 @@
 			<tr>
 				<th  colspan="2"><@locale code="login.password.initial.change.tip" /></th>
 			</tr>
+			<tr <#if ''==errorMessage>style="display:none;"</#if>>
+				<th  colspan="2" style="color:red;">
+					${errorMessage!}
+				</th>
+			</tr>
 			<tr>
 				<th><@locale code="userinfo.displayName" /> :</th>
 				<td>