
Add Password Policy Functionality

Open devondragon opened this issue 8 months ago • 0 comments

Issue: Implement Configurable Password Policy Enforcement

Overview

We need to add password policy enforcement to the Spring User Framework to enhance security and compliance. The framework already includes the Passay library as a dependency, but it's not currently being used for password validation. This feature will enable applications to enforce configurable password complexity requirements during registration and password changes.

Objective

Implement a flexible, configuration-driven password policy enforcement system that validates user passwords against customizable rules.

Requirements

Core Functionality

  • Create a PasswordPolicyService to validate passwords against configured rules
  • Integrate password validation in all relevant flows:
    • User registration
    • Password reset
    • Password change
  • Provide clear, user-friendly error messages for validation failures

Configuration Options

Add the following password policy configurations to application.yml:

user:
  security:
    password:
      enabled: true                 # Enable/disable password policy enforcement
      min-length: 8                 # Minimum password length
      max-length: 128               # Maximum password length
      require-uppercase: true       # Require at least one uppercase character
      require-lowercase: true       # Require at least one lowercase character
      require-digit: true           # Require at least one digit
      require-special: true         # Require at least one special character
      special-chars: "!@#$%^&*()_-+={}[]|:;<>,.?"  # Allowed special characters
      prevent-common-passwords: true # Prevent use of common passwords (dictionary check)
      history-count: 3              # Number of previous passwords to prevent reuse
      similarity-threshold: 70      # Percentage of similarity allowed with username/email

Technical Implementation

  1. Create a PasswordPolicy configuration class to map properties from application.yml
  2. Implement PasswordPolicyService using Passay to create and apply validation rules
  3. Add a custom validator for form submissions using Spring's Validation framework
  4. Implement password history tracking for the reuse prevention feature
  5. Update existing password-related endpoints to use the new validation service
  6. Add detailed validation error messages to message properties for internationalization
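As an added illustration of steps 1 and 2 above, and not code from the SpringUserFramework project: a Passay-based PasswordPolicyService bound to the user.security.password keys from the configuration section. The package, class and method names are assumptions, the common-password list is a small constructed sample standing in for a real word list, password history is checked against stored hashes with Spring Security's PasswordEncoder rather than with a Passay history rule, and similarity-threshold is left out because Passay has no direct percentage-similarity rule (UsernameRule covers the username-containment case).

```java
package com.example.policy; // hypothetical package, not the framework's own

import java.util.ArrayList;
import java.util.List;

import org.passay.CharacterData;
import org.passay.CharacterRule;
import org.passay.DictionaryRule;
import org.passay.EnglishCharacterData;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.Rule;
import org.passay.RuleResult;
import org.passay.UsernameRule;
import org.passay.WhitespaceRule;
import org.passay.dictionary.ArrayWordList;
import org.passay.dictionary.WordListDictionary;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

/** Binds user.security.password.* from application.yml; kebab-case keys map to the record components. */
@ConfigurationProperties(prefix = "user.security.password")
record PasswordPolicyProperties(
        boolean enabled, int minLength, int maxLength,
        boolean requireUppercase, boolean requireLowercase, boolean requireDigit,
        boolean requireSpecial, String specialChars,
        boolean preventCommonPasswords, int historyCount) {}

@Service
public class PasswordPolicyService {

    // Constructed sample; a deployment would load a large common-password list from a file instead.
    private static final String[] COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"};

    private final PasswordPolicyProperties props;
    private final PasswordEncoder encoder;
    private final PasswordValidator validator;

    public PasswordPolicyService(PasswordPolicyProperties props, PasswordEncoder encoder) {
        this.props = props;
        this.encoder = encoder;
        this.validator = new PasswordValidator(buildRules(props));
    }

    /** Translates the configured flags into Passay rules once, at startup. */
    private static List<Rule> buildRules(PasswordPolicyProperties p) {
        List<Rule> rules = new ArrayList<>();
        rules.add(new LengthRule(p.minLength(), p.maxLength()));
        rules.add(new WhitespaceRule());
        if (p.requireUppercase()) rules.add(new CharacterRule(EnglishCharacterData.UpperCase, 1));
        if (p.requireLowercase()) rules.add(new CharacterRule(EnglishCharacterData.LowerCase, 1));
        if (p.requireDigit())     rules.add(new CharacterRule(EnglishCharacterData.Digit, 1));
        if (p.requireSpecial()) {
            // EnglishCharacterData.Special has a fixed set; a custom CharacterData applies the configured one.
            // Reusing Passay's INSUFFICIENT_SPECIAL code keeps the default message text for this rule.
            CharacterData configuredSpecial = new CharacterData() {
                @Override public String getErrorCode() { return "INSUFFICIENT_SPECIAL"; }
                @Override public String getCharacters() { return p.specialChars(); }
            };
            rules.add(new CharacterRule(configuredSpecial, 1));
        }
        // Reject passwords containing the username forwards or backwards, ignoring case.
        rules.add(new UsernameRule(true, true));
        if (p.preventCommonPasswords()) {
            rules.add(new DictionaryRule(new WordListDictionary(new ArrayWordList(COMMON_PASSWORDS, false))));
        }
        return rules;
    }

    /**
     * Validates a candidate password for the given user.
     * Returns an empty list when the password is acceptable; otherwise the user-facing
     * messages produced by Passay, plus a history message if the password matches one of
     * the stored hashes.
     *
     * @param previousHashes encoded hashes of the user's previous passwords, newest first;
     *                       history-count limits how many of them are compared
     */
    public List<String> validate(String username, String password, List<String> previousHashes) {
        if (!props.enabled()) {
            return List.of(); // enforcement switched off in application.yml
        }
        RuleResult result = validator.validate(new PasswordData(username, password));
        List<String> messages = new ArrayList<>(validator.getMessages(result));
        previousHashes.stream()
                .limit(props.historyCount())
                .filter(hash -> encoder.matches(password, hash))
                .findFirst()
                .ifPresent(hash -> messages.add(
                        "Password must not match any of your last " + props.historyCount() + " passwords."));
        return messages;
    }

    public boolean isAcceptable(String username, String password, List<String> previousHashes) {
        return validate(username, password, previousHashes).isEmpty();
    }
}
```

The record only binds when it is registered, for example with @EnableConfigurationProperties(PasswordPolicyProperties.class) on a configuration class or @ConfigurationPropertiesScan on the application. Building the PasswordValidator once in the constructor means a configuration change takes effect on restart, which matches the acceptance criterion that application.yml drives validation behavior; the registration, reset and change flows then only need to call validate and surface the returned messages. Comparing history against hashes with PasswordEncoder.matches avoids storing previous passwords in a recoverable form, so the history table holds nothing more sensitive than the current credential store already does.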

UI/UX Considerations

  • Add client-side validation feedback using JavaScript
  • Provide password strength meter in UI
  • Display clear instructions about password requirements to users
  • Show specific validation errors when password rules are violated

Testing Requirements

  • Unit tests for PasswordPolicyService with various configuration scenarios
  • Integration tests for password validation during registration/reset flows
  • Test cases for custom password dictionaries and edge cases

Documentation

  • Update Javadoc for all affected classes
  • Add configuration documentation to README and CONFIG.md
  • Create examples in the demo application showcasing different policy configurations

Acceptance Criteria

  • All configured password policies are enforced during registration and password changes
  • Clear, user-friendly error messages are displayed for validation failures
  • Configuration changes in application.yml correctly affect validation behavior
  • All tests pass with various password policy configurations
  • Documentation is complete and accurate

Resources

Related Issues

  • #XX - Implement account lockout after failed login attempts
  • #XX - Add two-factor authentication support

devondragon · Feb 24 '25 13:02