Enabling password invalidation

Password invalidation, when enabled, requires WebSphere Commerce users to change their password if the user's password is expired. In this case, the user is redirected to a page where they are required to change their password. Users are not able to access any secure pages on the site until they change their password.


  1. To use the password invalidation security feature, define the ChangePassword view for your store as described in Password invalidation.
  2. Open the Configuration Manager.
  3. Traverse to the Password Invalidation node for your instance as follows: WebSphere Commerce > node_name > Commerce > Instance List > instance_name > Instance Properties > Password Invalidation
  4. To activate the password invalidation feature, click the Enable check box.
  5. To apply your changes to Configuration Manager, click Apply.
    After you successfully update the configuration for your instance, you will receive a message that indicates the update is successful.
  6. Restart your WebSphere Commerce instance.

What to do next

Commands can be configured to be exempted from the password invalidation feature. By default, the following commands are exempt as they involve changing or resetting a users password:
  • ChangePassword
  • ResetPassword
  • AjaxResetPassword
  • PersonChangeServicePasswordReset
  • AjaxPersonChangeServicePasswordReset
Additional commands can be exempted by specifying the command in com.ibm.commerce.browseradapter.properties.PasswordInvalidationExemption.properties in the Enablement-BaseComponentsLogic.jar. For example, adding "Logoff" to this file exempts the Logoff command.

WebSphere Commerce Version commands can be exempted by specifying the command in a custom properties file WC_eardir\xml\PasswordInvalidationExemptionExtension.properties.