To improve security in authentication services that support security policies, you select which policies to enable by using the Security policies tab of the authentication service. You define the details of each policy, such as the minimum password length and the duration of a one-time password, on the Security Policies landing page.
All authentication services use the PRAuth servlet. However, for
backward compatibility with earlier versions of Pega Platform, it is
possible to authenticate by using PRServlet instead of
PRAuth (in other words, the login URL includes
/prweb/PRServlet). When PRServlet is used,
security policies are enabled by using various controls on the Security
Policies landing page.
For more information on URL patterns and servlet names, see Application URL patterns for various authentication service types.
For authentication services, enablement of security policies occurs as described below:
- You enable specific policies from the Security policies tab for each authentication service, except for some that are always on, as noted below.
- The Enable frequently required policies check box on the Security Policies landing page has no effect.
- The Enable CAPTCHA Reverse Turing test module setting on the Security Policies landing page has no effect.
- The Audit policy on the Security Policies landing page is always in effect, as are the security alerts that are configured on the Security Event Configuration landing page.
- The Operator disablement policy on the Security Policies landing page is always in effect.
- The User consent policy is enabled and disabled by using the Security policies tab of the authentication service, but it does not appear on the Security Policies landing page.