Redirection Notice: This page should redirect to http://www.adaptavist.com/display/Plugins/User+Security+Management.
This plugin is not designed for and has not been tested against external user management systems. It is intended to extend and enhance the basic internal user management options that Confluence offers out of the box.
Quote from the Author
Dan Hardiker says:
My "let's hack Confluence up" plugin last year was Scriptix - this year it's the user management plugin, which attempts to do its best to work around XWork/Seraph Interceptors not being pluggable. Well, it works – just about!
Enjoy.
Description/Features
An enhancement for the Confluence user management system, to prompt better security practices - including email verification and admin vetting of signups.
This has been a long awaited feature strongly desired by enterprises who want to be able to please their security guys without having to integrate the proof-of-concept Confluence roll out with their cumbersome external user management systems. The issue of spammers creating accounts where public signup is enabled has also come up several times in our experience, even with CAPTCHA on.
The main features of this plugin are (all independently configurable):
Better Password Control
- A raft of password strength/complexity options
- Password expiry (so you can make sure your users change their password every x days)
- Password history lists (so you can make sure your users don't change to a password they've used in the last x)
- Password minimum change (so you can enforce a password change only once a day)
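How the expiry, history and minimum-change options interact, as an added example that is not the plugin's own code: with a history list alone, a user can rotate through throwaway passwords in one sitting and return to the original, and the minimum change interval is what closes that gap. The class, field and function names and the sample values are hypothetical.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:               # hypothetical names for the three options above
    expiry_days: int        # password expiry: must change every x days
    history_size: int       # history list: the last x passwords cannot be reused
    min_age_days: int       # minimum change: at most one change per x days

@dataclass
class Account:
    changed_at: Optional[datetime] = None
    history: list = field(default_factory=list)   # (salt, digest), newest last

def _digest(password, salt):
    # History entries are salted hashes, never the old passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_expired(acct, policy, now):
    return now - acct.changed_at >= timedelta(days=policy.expiry_days)

def change_password(acct, policy, new_password, now):
    """Return 'ok', 'too_soon' or 'reused'; only 'ok' updates the account."""
    min_age = timedelta(days=policy.min_age_days)
    if acct.changed_at is not None and now - acct.changed_at < min_age:
        return "too_soon"
    for salt, digest in acct.history:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            return "reused"
    salt = os.urandom(16)
    acct.history.append((salt, _digest(new_password, salt)))
    acct.history = acct.history[max(0, len(acct.history) - policy.history_size):]
    acct.changed_at = now
    return "ok"

def cycle_back(policy, start):
    """Rotate through throwaway passwords within one day, then retry the first one."""
    acct = Account()
    change_password(acct, policy, "Original-1", start)
    results = [change_password(acct, policy, f"Throwaway-{i}", start + timedelta(hours=i))
               for i in range(1, policy.history_size + 1)]
    results.append(change_password(acct, policy, "Original-1", start + timedelta(hours=12)))
    return results

if __name__ == "__main__":
    start = datetime(2011, 1, 1, 9, 0)   # constructed sample date
    print("history only:   ", cycle_back(Policy(28, 3, 0), start))
    print("with min change:", cycle_back(Policy(28, 3, 1), start))
```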
Account Locking
If a user enters their password incorrectly x times then they can be locked out of the system (their password is changed and they have to use the forgotten password functionality, or contact an admin).
Better Login
You can hide the "remember me" functionality (helps combat CSRF as well as malicious access while you are AFK) and disable browser auto-complete functionality on the login form.
End User Agreements
You can now please your legal department and display the desired "unauthorised access is prohibited and will be met with the full extent of the law" or "the content in this system is classified as level x" messages to your users during login and sign up.
Forgotten Password Restrictions
If you have a paranoid nature, then you may wish to disable the forgotten password systems for certain groups of users (e.g. administrators). After all, if someone's email client has been breached, you certainly don't want to give a hacker access simply by allowing a new password to be emailed out.
The list of groups can either be a white list or a black list (defaulting to the latter).
Sign-up Email Filtering
You can set a list of regular expressions to form either a white list or a black list (defaulting to the latter) of email addresses that can be used. This is very useful for either only allowing those with email addresses from areas you want to sign up, or for filtering out people using free email accounts - while still allowing public sign up with no manual intervention.
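A sketch of this kind of filter, added here as an example and not taken from the plugin: it shows why each expression should be matched against the whole, case-normalised address, since a substring match lets a whitelist entry accept look-alike domains and a case-sensitive match lets a blacklist entry be sidestepped. The class name, the `anchored` switch and the sample patterns and addresses are assumptions; how the plugin itself matches is not stated on this page.

```python
import re

def normalise(address):
    """Trim and lower-case; return None unless exactly one '@' with text on both sides."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return address

class SignupEmailFilter:
    """List of regular expressions used as a blacklist (default) or a whitelist."""

    def __init__(self, patterns, mode="blacklist", anchored=True):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.mode = mode
        self.anchored = anchored
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]

    def allows(self, address):
        address = normalise(address)
        if address is None:
            return False  # malformed input is refused in either mode
        if self.anchored:
            hit = any(p.fullmatch(address) for p in self.patterns)
        else:
            hit = any(p.search(address) for p in self.patterns)  # substring match
        return hit if self.mode == "whitelist" else not hit

# Constructed sample configuration and addresses (reserved example/test domains).
STAFF_ONLY = [r".+@example\.com"]
FREE_MAIL = [r".+@(.+\.)?freemail\.test"]

if __name__ == "__main__":
    strict = SignupEmailFilter(STAFF_ONLY, mode="whitelist")
    loose = SignupEmailFilter(STAFF_ONLY, mode="whitelist", anchored=False)
    for addr in ("alice@example.com", "alice@example.com.other.test"):
        print(addr, "strict:", strict.allows(addr), "loose:", loose.allows(addr))
    block = SignupEmailFilter(FREE_MAIL)
    for addr in ("Bob@FreeMail.TEST", "bob@mail.freemail.test", "carol@corp.test"):
        print(addr, "allowed:", block.allows(addr))
```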
Sign-up Admin Approvals and Email Verification
This has been a long awaited feature request - you can now make users wait for an email to come in and to click the link in it, and have an Administrator approve the sign up request before the user is ever created.
You can use both features together, or one without the other.
Sensible Defaults
When you first install the plugin, all the options are disabled and you must enable each feature you want. It also cleanly uninstalls returning your system to how it was if you wish to revert. This is to ensure that you can install it safely and uninstall it if you don't want it any more.
Usage
- Install via the plugin repository, or manually.
- Select "configure" against the plugin, or the "Adaptavist User Management" option at the bottom of the Admin console left-hand menu (you may need to refresh the repository to see it).
The options should be self-explanatory, but let me know if you're not sure what any of the controls do and I'll try to split them up a bit better.
There is a page where you can see the users waiting for approval.


Comments (27)
Jul 01, 2010
Matthew Wilson says:
I was able to get this plugin working (mostly) in 3.2. You have to edit some of the settings directly in the properties file. One thing I haven't been able to figure out is how to keep someone from using a space in their username. The activation email link will break when there is a space.
Sep 22, 2010
David Goldstein says:
Hi Dan & team. This is an excellent plugin. We need to do some bug fixing & .vm replacement to the 3.x version just released, and it looks like the source is no longer available. Are you keeping this Open Source, or only for SLA customers going forward?
Source @ https://studio.plugins.atlassian.com/source/changelog/CUSM is only up to 1.1 release and tip of trunk is 2.x-ish.
Also, a feature request – a way to configure an admin email address that sign-up notifications are sent to. Is this available anywhere in 3.x? Right now looks like you have to check the wait list manually.
Thanks for sharing your work!
Sep 22, 2010
Keith Brophy says:
Hi David,
Thanks for the feedback - always appreciated.
Just to expand on Mark's comment - we have moved the latest source in-house and are looking at adding the USM plugin to our [Plugin Pack]. Right now, we are releasing the latest binary updates to the general community, but we are looking to move to a staggered release cycle whereby our support clients enjoy earlier access to these releases.
This move aims to provide the community a more defined road-map of when to expect releases of our collection of plugins. Unfortunately, community contributions were low and the plugins did not always receive the attention they required due to other project commitments on our side. By bringing the plugins under the support umbrella, it is the goal to maintain the plugins with each release of Confluence.
Cheers,
Keith
Oct 21, 2010
Will Wray says:
We've noticed a couple of issues in doing a manual upgrade from 1.1 to 3.2.3 (upgrading confluence from 3.0.2 to 3.2.1_01).
The plugin repository has two list entries that seem to refer to this plugin;
Adaptavist User Management Plugin — Adaptavist.com Ltd Unknown Unsupported Non-repository Uninstall Configure
User Security Management Plugin — Adaptavist Free Adaptavist Available Install
Not being able to upgrade through the repository link I downloaded the plugin and then uploaded into Confluence.
The download came as user-management-plugin-3.2.3.zip which I had to rename to .jar before the upload would be recognised and installed by Confluence. After a restart the repository still shows the two list entries, though now upgraded to 3.2.3 - are they conflicting, and, if so, what do I do to sort it out.
We were getting locked out users before upgrading this plugin & not sure all is fixed yet.
Oct 21, 2010
Keith Brophy says:
Hi Will,
User Security Management plugin version 3.2.3 is the latest version you should use (I think the name may have changed somewhat from previous versions).
Unfortunately, Internet Explorer will download JAR files and rename them as ZIP files - this is something IE users need to be aware of when downloading such files.
It appears that the plugin upload process did not complete successfully in this case. I would suggest either:
We would recommend that all plugin upgrades be carried out on a test/staging instance in order to verify the plugin within each environment.
Also, in local testing, I can see the correct version of the latest User Security Management Plugin listed within the Plugin Repository and can install successfully - there may be another issue at hand in relation to not being able to install it this way within your environment.
Regards,
Keith
Oct 22, 2010
Will Wray says:
Thanks Keith - now I can remove the temporary entry but still can't install the plugin.
Here are the confluence log entries when I try to upload user-management-plugin-3.2.3.jar;
2010-10-22 15:36:09,289 WARN [http-8080-15] [plugin.repository.utils.DownloadUtils] isNonProxyHost The system property http.nonProxyHost is set. You probably meant to set http.nonProxyHosts.
– referer: http://wiki.mycompany.com/confluence/admin/plugin-repository/plugins.action | url: /confluence/plugins/servlet/plugin-repository/dwr/exec/RepositoryDWR.startCaching.dwr | userName: myusername
2010-10-22 15:53:07,962 ERROR [http-8080-4] [atlassian.plugin.loaders.ScanningPluginLoader] deployPluginFromUnit Unable to deploy plugin 'null', file Unit: /apps/confluence/data/plugin-cache/1287759187961upload_56fb1f49_12bd45cb796__7f92_00000003.tmp (1287759187000)
– referer: http://wiki.mycompany.com/confluence/admin/plugin-repository/upload.action?decorator=none | url: /confluence/admin/plugin-repository/upload.action | userName: myusername | action: upload
java.lang.IllegalArgumentException: The artifact URI file:/apps/confluence/data/plugin-cache/1287759187961upload_56fb1f49_12bd45cb796__7f92_00000003.tmp is not a valid plugin artifact
Confluence reports a successful upload but, clearly, the plugin is not being recognised.
It just creates another temporary upload entry for me to remove.
(I remove the temporary plugin entry by connecting to the database and using SQL commands according to the Confluence documentation link you reference, Removing Malfunctioning Plugins)
You are right that there is another issue that is not allowing me to install via the plugin repository, otherwise I would just click install!
Any ideas?
Oct 22, 2010
Keith Brophy says:
Hi Will,
I would recommend ensuring that the plugin has been removed in full from all file system locations including the database. Once the plugin is removed, I would suggest restarting Confluence and verifying that the plugin is not listed within the system's plugin listing nor the database - verifying that the error does not appear in the logs. A similar issue is noted here - it may be that the ZIP file caused a bad plugin installation attempt.
I would then suggest downloading the plugin file from PAC again - ensuring that it is named a JAR file and attempt installation again - tailing the logs for any error messages.
Beyond that, I would need to suggest considering our support or consultancy services for a more in-depth investigation of the problem. Please do contact us should you require further information in that respect.
Regards,
Keith
Nov 03, 2010
Mark Earlam says:
You will notice lots of comments have been deleted to make the page easier to read.
A new release has been uploaded (3.2.6) and addresses two main problems:
New plugin: https://plugins.atlassian.com/plugin/details/4926
Nov 03, 2010
Jeff Wilbert says:
The link to the plugin shown above is incorrect. It should be as follows:
https://plugins.atlassian.com/plugin/details/4926
Nov 03, 2010
Mark Earlam says:
Cheers Jeff, the link has been changed.
Nov 03, 2010
Joseph Mocker says:
Anyone have problems uninstalling the 3.2.3 version of the plugin? In my case, the 3.2.3 version is named "Adaptavist User Management Plugin" (whereas the current version is named "User Security Management Plugin".)
There is no upgrade button in my case, so when I attempt to uninstall in order to install the current version, I get the error
And, if I just attempt to install the current version anyways, I get the warnings
Any suggestions?
Nov 03, 2010
Joseph Mocker says:
Hmm, something is strange here, I decided to go ahead and install the plugin, using the Plugin Repository to install the plugin named "User Security Management Plugin". I get the warning from my previous comment.
And once the plugin is installed, and I go back and list my plugins, there is a plugin named "Adaptavist User Management Plugin" listed as Installed and version 3.2.6.
And the "User Security Management Plugin" is still listed as uninstalled.
The plugin appears to function correctly, but it's a little alarming.
Anyone else see this behavior?
Nov 04, 2010
Mark Earlam says:
Hi Joseph,
Which version of confluence are you using?
Nov 04, 2010
Joseph Mocker says:
I'm using version 3.3.1.
Nov 23, 2010
Keith Brophy says:
Hi Joseph,
It appears that plugins.atlassian.com had been updated with the wrong plugin key - this should now be addressed.
Regards,
Keith
Feb 04, 2011
dan pritts says:
Hi thanks for the plugin. we find it useful.
We're a little confused by these two options:
Force email address confirmation
Require email address verification
I'm guessing "force confirmation" requires the user to click a link to activate their account, although we haven't tried it yet.
From what we can tell, "Require email address verification" just sends an e-mail to the user. It's unclear what the point of this is.
Feb 09, 2011
Samael Bate says:
Hi Dan,
Address confirmation forces the user to type their email address in twice during signup to ensure it is typed in correctly. The verification is the option that sends the user the email.
Feb 09, 2011
dan pritts says:
Ah, that makes sense. thanks for the clarification.
We had assumed that the verification step would include a link for the user to click once they received the email; this doesn't seem to happen. Am I missing something, or is this just the way it is?
confluence 3.3.3, latest version of plugin from plugin repo.
thanks!
Feb 10, 2011
Samael Bate says:
The verification option will send out an email which you can specify the body and title of, however there is no confirmation link.
Feb 04, 2011
Pete Indelicato says:
Just had a user who got locked out again (e.g. even setting his password manually didn't work). Turned off the captcha and all is well....
Feb 07, 2011
Keith Brophy says:
Hi Pete,
Thanks for this report - can you please confirm that you are running with the latest (3.2.6) plugin? We had a bug in relation to this area that has since been marked as fixed in 3.2.6. If you can confirm the bug still occurs, I can re-open the issue for further investigation.
Regards,
Keith
Feb 10, 2011
Pete Indelicato says:
Hi Guys,
I have a pretty important (valuable) enhancement request.
As you can imagine, most Confluence orgs have multiple spaces and various groups with various access to those spaces.
It would be great if you could prompt the user for additional information as part of registration like "What spaces are you interested in? [list]" or "what are you looking for on this confluence site? [text area]?"
Then, if that info was shown on their user profile page, it would make it easier to know which groups a user should be assigned to.
Make sense?
Thanks!
p.s. I upgraded and have not seen the "lock out" issue since.
Feb 15, 2011
Keith Brophy says:
Thanks for the update, Pete.
Your idea certainly sounds interesting - we have developed a number of user profile extensions in the past, but not linked to the sign-in process as you have described.
We generally look to maintain the current functionality of these plugins and rely on clients commissioning projects that can take the plugins in new directions. Please do let me know if you are interested in pursuing that route further via the contact us form.
Apr 05, 2011
Mark Halvorson says:
I selected the "Require email address verification" option and the email sends correctly, however, it does not contain a link. Do I need to put the link in the body of the email?
Apr 28, 2011
Francis Martens says:
Same question - can you provide an example of such "Email address verification email body"
Francis
Apr 29, 2011
Francis Martens says:
Hi,
We had to deinstall the plugin cause we couldn't login as an administrator anymore.
It was still possible to log into the system as a non confluence-administrator.
Given that we had no access as administrator, we had to bring down confluence, go into the db and remove the entry from PLUGINDATA, remove the plugin from the plugins directories and start confluence again.
Once that the plugin was removed, we could login as administrator.
Anyone a clue on what could have happened ?
Francis
May 24, 2011
Emil Kastbjerg says:
Hi
Thank you for a fine plugin!
We are a little puzzled that the only values available for Password expiry are in the range 1 day to 4 weeks. Or did I miss a customization option?
Is it possible for you to add 3 months as an option? This option would make our users very happy
Best regards,
Emil Kastbjerg