How to apply password constraints in Oracle Apps

How to implement (Signon Password Custom) Profile Option in Oracle Applications 11i / R12? 
Solution
1- Here is a sample code:

// Disclaimer:
// This sample is provided for educational purposes only. It is NOT supported
// by Oracle World Wide Technical Support. The sample has been tested and
// appears to work as intended. However, you should always test in YOUR
// environment before relying on it.
//
// Source File Name: AppsPasswordValidationCUS.java
//

package oracle.apps.fnd.security;

import oracle.apps.fnd.common.VersionInfo;

// Referenced classes of package oracle.apps.fnd.security:
// PasswordValidation

public class AppsPasswordValidationCUS
    implements PasswordValidation
{

    // Application short name that owns the error messages returned below.
    public String getErrorStackApplicationName()
    {
        return "FND";
    }

    // Name of the message describing why the last validate() call failed.
    public String getErrorStackMessageName()
    {
        return m_errorStackMessageName;
    }

    // Returns true if the password passes every rule; otherwise records the
    // message name of the first failed rule and returns false.
    public boolean validate(String username, String password)
    {
        // Both values must be present.
        if(password == null || password.length() == 0 || username == null || username.length() == 0)
        {
            m_errorStackMessageName = "PASSWORD-INVALID";
            return false;
        }
        // Minimum length of 6 characters.
        if(password.length() < 6)
        {
            m_errorStackMessageName = "PASSWORD-INVALID-LENGTH";
            return false;
        }
        // At least one letter and at least one digit.
        if(!validateLettersAndDigits(password))
        {
            m_errorStackMessageName = "PASSWORD-INVALID-LETTER-NUMBER";
            return false;
        }
        // The password must not contain the username (case-insensitive).
        if(!validateNoUsername(username, password))
        {
            m_errorStackMessageName = "PASSWORD-INVALID-USERNAME";
            return false;
        }
        // No character may appear twice in a row.
        if(!validateNoRepeats(password))
        {
            m_errorStackMessageName = "PASSWORD-INVALID-REPEATS";
            return false;
        }
        return true;
    }

    // flag: a letter was found; flag1: a digit was found.
    private boolean validateLettersAndDigits(String p_password)
    {
        boolean flag = false;
        boolean flag1 = false;
        for(int i = 0; i < p_password.length(); i++)
        {
            if(Character.isLetter(p_password.charAt(i)))
                flag = true;
            if(Character.isDigit(p_password.charAt(i)))
                flag1 = true;
        }

        return flag && flag1;
    }

    private boolean validateNoUsername(String p_username, String p_password)
    {
        return p_password.toUpperCase().indexOf(p_username.toUpperCase()) == -1;
    }

    // Compares each character with the one before it.
    private boolean validateNoRepeats(String p_password)
    {
        for(int i = 1; i < p_password.length(); i++)
            if(p_password.charAt(i) == p_password.charAt(i - 1))
                return false;

        return true;
    }

    private String m_errorStackMessageName;

}

2- Load the Java class into the database using the following command:

loadjava -user apps/apps -verbose -resolve -force AppsPasswordValidationCUS.java

Then run adadmin to recompile the APPS schema.

Note: You may need to put the custom class file in the middle-tier code tree, in any directory on the CLASSPATH that contains an oracle/apps/fnd/security subdirectory.


 

3- After running the loadjava command, you can execute the following select to verify that the load was successful and the class is valid.

    Just a check to confirm all went OK.


  SELECT dbms_java.longname(object_name), status 
  FROM user_objects
  WHERE object_type = 'JAVA CLASS' 
  AND dbms_java.longname(object_name) like '%AppsPasswordValidationCUS';

4- Update profile option (Signon Password Custom) for (Site) level to be:

oracle.apps.fnd.security.AppsPasswordValidationCUS

5- Make sure profile Signon Password Hard to Guess is blank.


Important Notice for Oracle Applications 11i Customers : 

1- Regarding the level at which the profile option (Signon Password Custom) is set: for the time being, all of the following profile options may be set only at (Site) level, because the validation is done at (Site) level and not at other levels:

SIGNON_PASSWORD_LENGTH
SIGNON_PASSWORD_HARD_TO_GUESS
SIGNON_PASSWORD_CUSTOM
SIGNON_PASSWORD_NO_REUSE
SIGNON_PASSWORD_FAILURE_LIMIT
SIGNON_PASSWORD_CASE

There is an internal bug for this issue that is not published through Metalink:

Bug 5162136 - HONOR USER LEVEL PASSWORD POLICY PROFILES

The fix is available on Metalink through:
Patch 5473858 - 11i.ATG_PF.H.RUP5

2- If you would like the users' passwords to be saved as case sensitive, you have only 2 options, as follows:

    - If Patch 4676589 - 11i.ATG_PF.H.RUP4 is applied, use profile option "Signon Password Case"

    - If Patch 4334965 - 11i.ATG_PF.H RUP3 is applied, use profile option "Password Case Option"

    For more information, please refer to the following note:

    Note 393552.1 - How to Make the E-Business Password Case Sensitive?

3- If the above Java class is customized to validate upper- or lower-case letters in the user's password, then even with the profile option "Signon Password Case" or "Password Case Option" set to "Sensitive", this part of the validation will not work if and only if the E-Business instance being used is 11.5.10.2 with ATG RUP 3, 4 or 5 applied. The fix for this issue is available through the ATG RUP6 patch, after which this part of the validation will work perfectly:

    Patch 5903765 - 11i.ATG_PF.H.RUP6
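
The upper/lower-case rule mentioned in point 3, written in the same style as the sample class, as an added example that is not part of the original post and is not Oracle code. The class name CaseRuleDemo and the message name PASSWORD-INVALID-CASE are hypothetical; the class runs stand-alone, so it does not implement PasswordValidation, and the sample passwords are constructed.

```java
// Added example: stand-alone demo of an upper/lower-case rule.
// CaseRuleDemo and PASSWORD-INVALID-CASE are hypothetical names.
public class CaseRuleDemo {

    private String m_errorStackMessageName;

    public String getErrorStackMessageName() {
        return m_errorStackMessageName;
    }

    // Same contract as validate() in the sample: on failure, record a
    // message name and return false.
    public boolean validate(String username, String password) {
        m_errorStackMessageName = null; // do not leak the previous call's result
        if (password == null || password.length() == 0
                || username == null || username.length() == 0) {
            m_errorStackMessageName = "PASSWORD-INVALID";
            return false;
        }
        if (!validateUpperAndLower(password)) {
            m_errorStackMessageName = "PASSWORD-INVALID-CASE"; // hypothetical message name
            return false;
        }
        return true;
    }

    // True only if the password has at least one upper-case letter
    // and at least one lower-case letter.
    private boolean validateUpperAndLower(String p_password) {
        boolean hasUpper = false;
        boolean hasLower = false;
        for (int i = 0; i < p_password.length(); i++) {
            char c = p_password.charAt(i);
            if (Character.isUpperCase(c)) hasUpper = true;
            if (Character.isLowerCase(c)) hasLower = true;
        }
        return hasUpper && hasLower;
    }

    public static void main(String[] args) {
        // Constructed inputs: mixed case, all lower, all upper, empty.
        String[] samples = { "Welcome9x", "welcome9x", "WELCOME9X", "" };
        CaseRuleDemo v = new CaseRuleDemo();
        for (int i = 0; i < samples.length; i++) {
            boolean ok = v.validate("JSMITH", samples[i]);
            System.out.println("'" + samples[i] + "' -> " + ok
                    + (ok ? "" : " (" + v.getErrorStackMessageName() + ")"));
        }
    }
}
```

In the real class, the check would be one more step inside validate() of AppsPasswordValidationCUS, with the message name defined for the application returned by getErrorStackApplicationName().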
 


References
BUG:5846796 - AFTER SETTING UP SIGNON PASSWORD PROFILES, USERS UNABLE TO CHANGE OLD PASSWORD
NOTE:393552.1 - How to Make the E-Business Password Case Sensitive?
