This tutorial demonstrates how to apply RQCODE to structure security requirements in an object-oriented way and translate them into executable code.
RQCODE provides a structured framework for defining, verifying, and enforcing security requirements. This tutorial uses a Password Policy example to demonstrate the key concepts.
- Consistency: Uniform enforcement of security requirements throughout the application
- Systematic Verification: Structured approach to verify and analyze security requirements
- Reusability: Security requirement templates can be reused across different applications
- Maintenance: Modular approach makes updates and modifications easier to manage
- Java Development Kit (JDK): Version 8 or higher (Download)
- IDE: IntelliJ IDEA recommended (Download)
- Clone the project:
git clone https://github.com/VeriDevOps/RQCODE.git
- Build: Import as Maven project in your IDE
classDiagram
class Checkable {
<<interface>>
+check() CheckStatus
}
class Requirement {
<<abstract>>
-statement: String
+check() CheckStatus
}
class CombinedRequirements {
<<abstract>>
#getRequirements() List~Requirement~
}
class PasswordMinimumLength {
-MIN_LENGTH: int = 8
-MAX_LENGTH: int = 64
-password: String
}
class PasswordComplexity {
-password: String
+hasUppercase() boolean
+hasLowercase() boolean
+hasDigit() boolean
+hasSpecialCharacter() boolean
}
class PasswordPolicy {
-requirements: List~Requirement~
}
class PasswordLockoutRequirement {
-MAX_FAILED_ATTEMPTS: int = 5
-LOCKOUT_DURATION_MS: long
}
class PasswordUpdateRequirement {
-PASSWORD_EXPIRATION_DAYS: int = 90
}
Checkable <|.. Requirement : implements
Requirement <|-- CombinedRequirements : extends
Requirement <|-- PasswordMinimumLength : extends
Requirement <|-- PasswordComplexity : extends
Requirement <|-- PasswordLockoutRequirement : extends
Requirement <|-- PasswordUpdateRequirement : extends
CombinedRequirements <|-- PasswordPolicy : extends
Passwords must meet length constraints:
| Check | Description |
|---|---|
| 1.1 | Passwords must be at least 8 characters long |
| 1.2 | Passwords must be no more than 64 characters long |
| 1.3 | Passwords should not be empty |
public class PasswordMinimumLength extends Requirement {
private static final int MIN_LENGTH = 8;
private static final int MAX_LENGTH = 64;
private String password;
public PasswordMinimumLength(String password) {
super("Requirement 1: Password Length Requirements");
this.password = password;
}
@Override
public CheckStatus check() {
// Verification logic
}
}Passwords must include character variety:
| Check | Description |
|---|---|
| 2.1.1 | One uppercase letter (A-Z) |
| 2.1.2 | One lowercase letter (a-z) |
| 2.1.3 | One digit (0-9) |
| 2.1.4 | One special character (!@#$%^&*) |
public class PasswordComplexity extends Requirement {
private String password;
private boolean hasUppercase() {
return password.chars().anyMatch(Character::isUpperCase);
}
private boolean hasLowercase() {
return password.chars().anyMatch(Character::isLowerCase);
}
private boolean hasDigit() {
return password.chars().anyMatch(Character::isDigit);
}
private boolean hasSpecialCharacter() {
return password.chars().anyMatch(ch -> "!@#$%^&*".indexOf(ch) >= 0);
}
@Override
public CheckStatus check() {
// Returns PASS only if all checks pass
}
}Prevents brute-force attacks:
- Maximum 5 consecutive failed login attempts
- 15-minute lockout duration after threshold reached
Ensures regular password rotation:
- Passwords must be updated every 90 days
The check() method returns one of three statuses:
| Status | Description |
|---|---|
PASS |
All requirements are satisfied |
FAIL |
One or more requirements are not met |
INCOMPLETE |
Verification cannot be executed (e.g., null password) |
The PasswordPolicy class extends CombinedRequirements to aggregate multiple requirements:
public class PasswordPolicy extends CombinedRequirements {
private final List<Requirement> requirements;
public PasswordPolicy(Requirement... requirements) {
this.requirements = Arrays.asList(requirements);
}
@Override
protected List<Requirement> getRequirements() {
return requirements;
}
}The combined check() method:
- Returns
PASSonly if all requirements pass - Returns the first non-passing status otherwise
Demonstrates password validation with length and complexity checks:
java -cp target/RQCODE-1.0.2-SNAPSHOT.jar rqcode.tutorial.MainFullExample output (PASS):
Enter Password: P@ssword123!
Requirement 1: Minimum Length
1.1: Passwords must be at least 8 characters long - PASS
1.2: Passwords must be no more than 64 characters long - PASS
1.3: Passwords should not be empty - PASS
Requirement 2: Complexity Requirements
2.1.1: One uppercase letter (A-Z) - PASS
2.1.2: One lowercase letter (a-z) - PASS
2.1.3: One digit (0-9) - PASS
2.1.4: One special character (!@#$%^&*) - PASS
Final Status: PASS
Example output (FAIL):
Enter Password: password
Requirement 1: Minimum Length
1.1: Passwords must be at least 8 characters long - PASS
1.2: Passwords must be no more than 64 characters long - PASS
1.3: Passwords should not be empty - PASS
Requirement 2: Complexity Requirements
2.1.1: One uppercase letter (A-Z) - FAIL
2.1.2: One lowercase letter (a-z) - PASS
2.1.3: One digit (0-9) - FAIL
2.1.4: One special character (!@#$%^&*) - FAIL
Final Status: FAIL
Demonstrates the account lockout mechanism:
java -cp target/RQCODE-1.0.2-SNAPSHOT.jar rqcode.tutorial.MainInteractive menu to:
- Simulate failed login attempts
- Reset failed attempts
- Check lockout status
| Class | Description |
|---|---|
MainFull |
Entry point for password policy verification demo |
Main |
Entry point for account lockout demo |
PasswordMinimumLength |
Verifies password length (8-64 characters) |
PasswordComplexity |
Verifies character complexity requirements |
PasswordPolicy |
Combines multiple requirements into one check |
PasswordLockoutRequirement |
Implements account lockout after failed attempts |
PasswordUpdateRequirement |
Verifies password is updated within 90 days |
PasswordStorage |
Helper class for storing password timestamps |