Enabling password invalidation

Password invalidation, when enabled, requires HCL Commerce users to change their password if the user's password is expired. In this case, the user is redirected to a page where they are required to change their password. Users are not able to access any secure pages on the site until they change their password.


  1. To use the password invalidation security feature, define the ChangePassword view for your store as described in Password invalidation.
  2. Open the HCL Commerce configuration file.
  3. Find the <PasswordInvalidation> element. Set the enabled attribute to true.
     <PasswordInvalidation enabled="true"/>

What to do next

Commands can be configured to be exempted from the password invalidation feature. By default, the following commands are exempt as they involve changing or resetting a users password:
  • ChangePassword
  • ResetPassword
  • AjaxResetPassword
  • PersonChangeServicePasswordReset
  • AjaxPersonChangeServicePasswordReset
Additional commands can be exempted by specifying the command in com.ibm.commerce.browseradapter.properties.PasswordInvalidationExemption.properties in the Enablement-BaseComponentsLogic.jar. For example, adding "Logoff" to this file exempts the Logoff command.

Additional commands can be exempted by specifying the command in a custom properties file \xml\PasswordInvalidationExemptionExtension.properties.