dev@glassfish.java.net

remove password length restrictions

From: Bill Shannon <bill.shannon_at_sun.com>
Date: Wed, 16 Sep 2009 15:40:04 -0700

This issue came up in our discussions of the issues related to removing
the anonymous user...

I need to change the requirements on password length. Currently passwords
are required to be at least 8 characters. Obviously the new default
password "" violates that requirement so at the very least I need to
allow empty passwords or 8+ character passwords.

Ideally, if there were constraints on the password, they would be based on
some pluggable policy, perhaps associated with the realm implementation,
and enforced on the server (not the client as they are today). I think
that's work for a future release...

Several people have been supportive of removing all restrictions on password
length. Unless I hear strong complaints otherwise, that's what I plan to do.