Form Based Authentication
Hello,

We're currently using form-based authentication (i.e. <auth-method>FORM</auth-method>) but, as I suspect many people have found, it's rather limited. One requirement we have is enforced password changes in certain scenarios. Currently the approach we were thinking of using is as follows:

a) the realm recognizes that the user has a mandatory password change flag set, and so gives them a degenerate set of roles; instead of their true role, they just have a MUST_CHANGE_PASSWORD role.
b) a filter checks for the existence of this role, and if it's found, forces the user to go to our change password page.
c) the password is changed and the user reauthenticated with their new credentials, to retrieve their full set of roles.

It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.

Our thinking is that we can resolve the inability to reauthenticate by creating a custom Authenticator; we could set some flag in the session to perform on-demand reauthentication, which would repopulate the list of roles, and everything would be hunky dory.

Is this approach reasonable? How have other people tackled similar requirements? Is there any less contrived way of achieving what we want with the minimum of Tomcat-specific code?

Peter

*** The information contained in this electronic message may be confidential and/or privileged. Any unauthorized use, dissemination, distribution, or reproduction is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message. ***
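Step (b) of the approach described above, written out as an added example (it is not code from the thread or from Tomcat): a servlet filter that, while the realm reports only the MUST_CHANGE_PASSWORD role, redirects every other request to the change-password page. The page path, the logout path and the use of Java 9's Set.of are assumptions; the filter is meant to be mapped to /* in web.xml so a forced-change user cannot reach a protected resource by choosing a different URL or method.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForcePasswordChangeFilter implements Filter {
    // Degenerate role handed out by the realm when a password change is pending.
    private static final String ROLE = "MUST_CHANGE_PASSWORD";
    // Assumed paths (relative to the context root); adjust to the application.
    private static final String CHANGE_PAGE = "/changePassword.jsp";
    private static final Set<String> ALLOWED =
            Set.of(CHANGE_PAGE, "/changePassword", "/logout");

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path without the context prefix, so the check works under any deployment name.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // isUserInRole reflects the roles the realm assigned at login, which is
        // exactly the degenerate set until the user reauthenticates (step c).
        if (request.getUserPrincipal() != null
                && request.isUserInRole(ROLE)
                && !ALLOWED.contains(path)) {
            // Redirect every other request, including POSTs, so the only thing a
            // forced-change user can do is change the password or log out.
            response.sendRedirect(request.getContextPath() + CHANGE_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Exempting the change-password and logout paths is what prevents the redirect from looping; anything else a pending user must reach has to be added to ALLOWED deliberately. For step (c), containers implementing Servlet 3.0 or later (Tomcat 7 onwards, so after this 2005 thread) expose HttpServletRequest.logout() and login(username, password), which re-run the realm and repopulate the roles without a hand-typed login.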
RE: Form Based Authentication
> -----Original Message-----
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]]
> Sent: 11 October 2005 17:18
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
>
> > From: Peter Bright [mailto:[EMAIL PROTECTED]]
> > Subject: Form Based Authentication
> >
> > It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.
>
> What happens if you just invalidate the existing session?

The user gets logged out.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form Based Authentication
> -----Original Message-----
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]]
> Sent: 11 October 2005 17:23
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
>
> > From: Peter Bright [mailto:[EMAIL PROTECTED]]
> > Subject: RE: Form Based Authentication
> >
> > > > It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.
> > >
> > > What happens if you just invalidate the existing session?
> >
> > The user gets logged out.
>
> Exactly - and they then must reauthenticate with the updated password. Isn't that what you want?

No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the new credentials /automatically/. Without making them have to reauthenticate /by hand/.