Hi Gurus,

I don't think that option 2 will work because the AuthenticationManager will notice that the password is expired and not let the user in.

I think that the main problem here is actually that Acegi doesn't let the user in. So an idea is that I always should set the credentialsNonExpired to 'true' so the user is logged in. Then I should have a filter that checks the passwordExpires field which I have in my UserDetails object and if expired redirect the user to the change password page. What do you think about this?

Regards
Gunnar

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of [EMAIL PROTECTED]
> Sent: 4 October 2006 14:44
> To: [email protected]
> Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
>
> It seems that you should only be able to access the "change password" page if you are either:
>
> 1.) Previously successfully authenticated
> 2.) Required to authenticate as part of change password.
>
> In the case of #1, you're okay because you only need to ensure that the user whose password is being changed is currently authenticated.
>
> In the case of #2, change password should trigger authentication prior to persisting the modified user password. This particular element represents business logic within your application and could (perhaps -- I've not tried this) be performed by injecting the AuthenticationManager into your backing bean and asking it to perform the normal authentication procedure prior to executing the password change in the database.
>
> After examining your use case, it seems like you should force the brand new user to authenticate the first time with whatever random password your user creation algorithm is setting their initial password to. Upon that initial authentication, you can evaluate that the user is past expiry and redirect to the password change page. Alternatively (and preferably, additionally), the user can be forced to enter the temporary initial password on the change password screen.
>
> So, I guess my interpretation of the "best practice" for password change is that the user must already be authenticated or must undergo authentication prior to password change. That will insulate you from exposure in the same way as your standard login flow does.
>
> -jason
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:26 AM
> To: [email protected]
> Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
>
> Hi Jason,
>
> I've already done this for the login page, but I don't know how to do it for my change password page.
>
> Regards
> Gunnar
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of [EMAIL PROTECTED]
> > Sent: 4 October 2006 14:19
> > To: [email protected]
> > Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
> >
> > In familiar implementations, we've implemented the acegi UserDetailsService object to translate user information drawn from the application's database into a compatible Authentication object. This gives us the opportunity to set the user's access flags based on our business rules (such as determining password expiry).
> >
> > Additionally, acegi will drop an event on spring when authentication succeeds or fails. The failure message will include the exception detailing the authentication failure.
> > You can use this to determine what the conditions of the authentication attempt were and take action accordingly (such as locking the user after a number of bad password attempts).
> >
> > -jason
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, October 04, 2006 8:12 AM
> > To: [email protected]
> > Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
> >
> > Hi Luke!
> >
> > Answers inline.
> >
> > Regards
> > Gunnar
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Luke Taylor
> > > Sent: 4 October 2006 13:42
> > > To: [email protected]
> > > Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
> > >
> > > You should still be required to authenticate first to change your password (or at the same time as the change request is submitted), so you should be able to lock the account after 3 failures here too.
> >
> > Can you explain more how I should do that?
> >
> > > How is the data stored for password expiry times etc?
> >
> > The expiry time is stored in a Sybase database. I've created a new JdbcDaoImpl to add some more data to the UserDetails object.
> >
> > > [EMAIL PROTECTED] wrote:
> > > > Hi Gurus!
> > > >
> > > > How can I prevent a brute force attack on my password change jsp page?
> > > >
> > > > Background:
> > > > I've successfully secured a jsp/perl web application. Thanks to all acegi developers for this fine piece of software!
> > > >
> > > > The login jsp page is protected against brute force by leveraging the application event publishing features so the account is locked for 30 minutes after three failed logins. BTW I can't find any documentation for application event publishing in the 1.0.0 manual.
> > > >
> > > > My question is how I can do something similar to prevent the password change page?
> > > >
> > > > The password change page is open to role anonymous because when a new user is entered in the system, password expired is set to a past date to force the user to change the password the first time.
> > > >
> > > > Are there any best practices to handle changes of passwords?
> > > >
> > > > Regards
> > > > Gunnar
> > >
> > > --
> > > Luke Taylor. Monkey Machine Ltd.
> > > PGP Key ID: 0x57E9523C http://www.monkeymachine.ltd.uk
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
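An added illustration of the two ideas the thread converges on (it is not code from the list or from Acegi itself): Gunnar's proposal to keep credentialsNonExpired true and let a filter redirect expired-password users to the change-password page, and Luke's and Jason's point that the change-password page should re-authenticate through the AuthenticationManager so the same failure events, and therefore the same lockout, apply as on the login page. It assumes Acegi Security 1.0.x (org.acegisecurity.*), a Servlet 2.3+ container, and that the application's UserDetailsService returns the ExpiringUser type below; ExpiringUser, PasswordExpiryRedirectFilter, PasswordStore, ChangePasswordService and the /changePassword.jsp path are hypothetical names.

```java
// Added example for the Acegi thread above, not list or project code. Assumptions:
// Acegi 1.0.x, Servlet 2.3+, and a UserDetailsService that returns ExpiringUser.
// ExpiringUser, PasswordStore, ChangePasswordService and /changePassword.jsp are hypothetical.
import java.io.IOException;
import java.util.Date;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.encoding.PasswordEncoder;
import org.acegisecurity.userdetails.User;

/** UserDetails carrying the passwordExpires column; credentialsNonExpired is always true. */
class ExpiringUser extends User {
    private final Date passwordExpires;

    ExpiringUser(String username, String password, GrantedAuthority[] authorities, Date passwordExpires) {
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked all true:
        // the AuthenticationManager lets the user in; expiry is enforced by the filter below.
        super(username, password, true, true, true, true, authorities);
        this.passwordExpires = passwordExpires;
    }

    boolean isPasswordExpired(Date now) {
        return passwordExpires != null && !now.before(passwordExpires);
    }
}

/**
 * Placed in the FilterChainProxy after HttpSessionContextIntegrationFilter and the
 * authentication processing filter. An authenticated user whose password has expired
 * can reach only the change-password page; every other request is redirected there.
 */
class PasswordExpiryRedirectFilter implements Filter {
    static final String CHANGE_PASSWORD_PATH = "/changePassword.jsp"; // hypothetical URL

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof ExpiringUser) {
            ExpiringUser user = (ExpiringUser) auth.getPrincipal();
            String target = request.getContextPath() + CHANGE_PASSWORD_PATH;
            if (user.isPasswordExpired(new Date()) && !request.getRequestURI().equals(target)) {
                response.sendRedirect(target);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}

/** Hypothetical persistence hook; it receives the already-encoded password. */
interface PasswordStore {
    void updatePassword(String username, String encodedPassword, Date newExpiry);
}

/** Backing bean for the change-password page: the caller must prove the current password. */
class ChangePasswordService {
    private static final long VALIDITY_MILLIS = 90L * 24 * 60 * 60 * 1000; // assumed 90-day policy
    private final AuthenticationManager authenticationManager;
    private final PasswordEncoder passwordEncoder;
    private final PasswordStore store;

    ChangePasswordService(AuthenticationManager am, PasswordEncoder pe, PasswordStore store) {
        this.authenticationManager = am;
        this.passwordEncoder = pe;
        this.store = store;
    }

    /** Changes the password of the user in the SecurityContext, never one named by the form. */
    void changeOwnPassword(String currentPassword, String newPassword) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !(current.getPrincipal() instanceof ExpiringUser)) {
            throw new IllegalStateException("change password requires an authenticated user");
        }
        ExpiringUser user = (ExpiringUser) current.getPrincipal();
        // Same code path as the login page: a wrong currentPassword throws AuthenticationException,
        // and the ProviderManager publishes the same failure event the lockout listener counts.
        authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(user.getUsername(), currentPassword));
        String encoded = passwordEncoder.encodePassword(newPassword, null); // salt choice is the app's
        Date newExpiry = new Date(System.currentTimeMillis() + VALIDITY_MILLIS);
        store.updatePassword(user.getUsername(), encoded, newExpiry);
        // Refresh the principal held in the session so the filter stops redirecting.
        ExpiringUser refreshed = new ExpiringUser(user.getUsername(), encoded, user.getAuthorities(), newExpiry);
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(refreshed, null, refreshed.getAuthorities()));
    }
}
```

Two points to check when wiring this up. First, the change-password URL must no longer be open to ROLE_ANONYMOUS in the FilterSecurityInterceptor; with the filter in place the new user logs in with the temporary password, is let in because credentialsNonExpired is true, and is then pinned to the change-password page, so the anonymous access that made the page a brute-force target is not needed. Second, the failure event that Jason describes is published by the ProviderManager only when it is a bean in the Spring context, since that is how it receives its ApplicationEventPublisher; the AuthenticationManager injected into the backing bean should therefore be that same bean, not a separately constructed instance, otherwise the existing three-failures lockout will not see the attempts made from the change-password page.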
