KB Article #180571

API Portal does not appear to apply API Manager password restrictions

Problem

API Portal is documented to apply the password complexity restrictions from API Manager, but does not appear to be doing so.

Resolution

First, confirm that you are running API Portal 7.5.5 SP8, 7.6.2 SP1 or a later version, so that API Portal is trying to apply the rules at all. Then edit the validatePassword function in both app.config files:

  • /apigateway/webapps/apiportal/vordel/apiportal/app/app.config
  • /apigateway/webapps/apiportal/vordel/apiportal/app-login/app.config


Finally, API Portal assumes that the function consists of a single-line regex, similar to the sample in the app.config file, and it will not work with anything else. Some older versions may also fail if comments or spaces are added to the function. The working sample given below accepts any password that meets all of the following restrictions:

  • Contains digits: (?=.*?\d)
  • Contains lowercase letters: (?=.*?[a-z])
  • Contains uppercase letters: (?=.*?[A-Z])
  • Contains symbols that are neither letters nor numbers: (?=.*?[^A-Za-z0-9])
  • Is between eight and sixteen characters long, inclusive: .{8,16}

The regex anchors for start of string ^ and end of string $ are required; without them the maximum length restriction will not work. Non-greedy matching has been used to make the regex execute faster by avoiding backtracking. It is recommended to validate regexes in a regex testing tool prior to use.


validatePassword: function(password) {
  return /^(?=.*?\d)(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[^A-Za-z0-9]).{8,16}$/.test(password);
},
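
The check recommended above can also be scripted. The following Node.js script is an added example, not part of the original article or of API Portal: it runs the article's regex against constructed passwords, reports which restriction rejects each one, and shows that the same pattern without ^ and $ accepts a 17-character password. The names policy, unanchored, rules, failedRules and checkPolicy are hypothetical.

```javascript
// Added example: regression check for the validatePassword regex.
// The regex is copied from the article; every password below is constructed.
const policy = /^(?=.*?\d)(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[^A-Za-z0-9]).{8,16}$/;
// Same pattern with ^ and $ removed, to show why the anchors are required.
const unanchored = /(?=.*?\d)(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[^A-Za-z0-9]).{8,16}/;

// One check per restriction listed in the article, used to name the failing rule.
const rules = [
  ['digit', /\d/],
  ['lowercase', /[a-z]/],
  ['uppercase', /[A-Z]/],
  ['symbol', /[^A-Za-z0-9]/],
  ['length 8-16', /^.{8,16}$/],
];

function failedRules(password) {
  return rules.filter(([, re]) => !re.test(password)).map(([name]) => name);
}

function checkPolicy(password) {
  const failed = failedRules(password);
  const accepted = policy.test(password);
  // The combined regex must accept exactly when no single restriction fails.
  if (accepted !== (failed.length === 0)) {
    throw new Error('regex and per-rule checks disagree: ' + JSON.stringify(password));
  }
  return { accepted, failed };
}

const samples = [
  'Abcdef1!',          // 8 characters, all four classes
  'Abcdefgh1!Abcde1',  // 16 characters, upper length boundary
  'Abcdefgh1!Abcdef1', // 17 characters, one over the maximum
  'Abcde1!',           // 7 characters, one under the minimum
  'abcdefg1!',         // no uppercase letter
  'ABCDEFG1!',         // no lowercase letter
  'Abcdefgh!',         // no digit
  'Abcdefgh1',         // no symbol
  'Abcdefg1 ',         // a space satisfies [^A-Za-z0-9], so it counts as a symbol
];

for (const pw of samples) {
  const { accepted, failed } = checkPolicy(pw);
  const verdict = accepted ? 'accepted' : 'rejected (' + failed.join(', ') + ')';
  const note = !accepted && unanchored.test(pw) ? ' [accepted without anchors]' : '';
  console.log(JSON.stringify(pw) + ': ' + verdict + note);
}
```

Run it with node before copying a modified regex into both app.config files; a thrown error means the combined pattern no longer matches the individual restrictions.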