HaveIBeenPwnedRule setAllowExposed method example

Posted in Passay

In previous post under Passay, I showed with example how to use “HaveIBeenPwnedRule” rule.

In this post, I will explain with example the purpose of “setAllowExposed” method of “HaveIBeenPwnedRule” rule class.

Just for recap, there is a website “haveibeenpwned.com” that contains a list of real world passwords that were previously used and exposed as part of data breaches. This rule will check user entered
password against that database. If password is already present, the rule validation fails otherwise it passes.

Sometimes even though the user entered password is in database we still want to continue with that password. We know that hackers can easily login into the account using the password under validation. But
we still want to allow the password. That is where “setAllowExposed” method of “HaveIBeenPwnedRule” rule comes into picture.

This method takes a boolean value as an argument. If set to true and if the password is present in the database, the password validation still passes and if it set to false, the password validation fails.

Below is the complete main code for your reference

Main class

1  package defaultPackage;
2  
3  import org.passay.HaveIBeenPwnedRule;
4  import org.passay.PasswordData;
5  import org.passay.PasswordValidator;
6  import org.passay.RuleResult;
7  
8  public class Example10 {
9      public static void main(String[] args) {
10         HaveIBeenPwnedRule haveIBeenPwnedRule = new HaveIBeenPwnedRule("appName");
11         PasswordValidator passwordValidator = new PasswordValidator(haveIBeenPwnedRule);
12         
13         PasswordData passwordData = new PasswordData("password");
14         RuleResult ruleResult = passwordValidator.validate(passwordData);
15         System.out.println("Result of password validation: " + ruleResult.isValid());
16         System.out.println("--------------------------------------");
17         
18         haveIBeenPwnedRule.setAllowExposed(true);
19         passwordValidator = new PasswordValidator(haveIBeenPwnedRule);
20         
21         passwordData = new PasswordData("password");
22         ruleResult = passwordValidator.validate(passwordData);
23         System.out.println("Result of password validation: " + ruleResult.isValid());
24         System.out.println("--------------------------------------");
25     }
26 }

In the above, at line 10, I create an instance of “HaveIBeenPwnedRule” rule class.

At line 11, I created an instance of “PasswordValidator” passing an instance of “HaveIBeenPwnedRule” class.

At line 13, I create an instance of “PasswordData” with password being “password”.

Note by default “setAllowExposed” is false so we are not setting it explicitly.

At line 14, I validate hard coded password.

In case of our first test, the validation fails.

Then at line 18, I call “setAllowExposed” of “HaveIBeenPwnedRule” instance and set it “true”.

That means we are telling password validator to allow the password even if it is exposed.

At line 19, I create a new instance of “PasswordValidator” passing the modified rule instance as an argument.

At line 21, I create an instance of “PasswordData” again with password being “password”.

At line 22, I again validate the hard coded password.

In case of our second test, the validation passes.

In this way we can use “HaveIBeenPwnedRule” class “setAllowExposed” method.

Unknown's avatar

Published by sumanthprabhakar

Leave a comment