We have a change request in which it is said that: When a user changes his password, it should be password that he has not used in the past three months. I have added a new attribute DatePasswordChange to our Account-entity (a Generalization of System.User) and added a new Entity AccountHistory which can log the password changes (related to entity Account) having attributes Password (HashString) and DatePasswordChange. So now each time the user changes his password, it is also logged to the AccountHistory entity. The point is that I should also check on change that the new password does not occur in the AccountHistory. We use SSHA256 (the salted hash algorithm), so I know I cannot textually compare the hashvalues because of the salt. I know now that a Java-action is needed, but does anyone have working example of the Java-code to do this? I have searched through the forum, and though some topics come close, none of them really seemed to provide a working example.
You have to compare before commit, the unhashed value against the hashed SSHA256 value. You have to iterate (direct xPath/OQL query is not possible) through the history and call the Java compare function that looks something like this:
to get a hash. The password history is only accessible for the owner user and only used in a microflow to find whether a password is already used. So we don't need to protect these hashes because they can not be read and analysed outside the system.