Hi Ken,

The user store manager doesn't have any control to do a redirection, such as to a password change page. The user store manager takes care of user operations such as create/update/authenticate etc.; in your scenario it's authenticate. Yes, doAuthenticate is the correct function to override. To overcome your use case, you can write a custom authenticator, which has full control in the authentication flow, and you can do the required redirection there. Please follow post [1] on how to create a custom user store and configure it.
[1] http://xacmlinfo.org/2015/10/15/custom-authenticator-for-wso2-identity-server-wso2is-sso-login/

Thanks
Godwin

On Fri, Oct 28, 2016 at 7:15 PM, Ken McDonald <[email protected]> wrote:

> Hi everyone.
>
> I am looking to create a custom user store for Active Directory that uses
> the User Account Control field to reflect whether a user is requiring a
> password change based on an expired password. I was also looking to
> implement the "force change password on first login" here as well.
>
> I had initially looked into implementing this by changing/extending the
> following:
>
> https://docs.wso2.com/display/ISCONNECTORS/Configuring+Password+Policy+Authenticator
>
> but due to the fact that in order to even get past the initial step to
> even invoke this code, the user must bind from the initial Active Directory
> user store from the main plugin, this will not work with proper Active
> Directory controls. When a user tries to bind when their
> UserAccountControl states their password is expired, it will throw an
> exception.
>
> My main question here is:
>
> Is there a way to throw a custom exception from my new user store
> implementation and catch it and direct the user to a different page (JSP or
> context view) where I could then present the change password view to them?
> Or is there the ability to redirect within the code to a different page,
> somehow driven from the User Store code?
>
> Essentially my User Store code will override doAuthenticate (I believe
> this is the function) and if the user bind fails (but not with a bad
> credentials exception), I will query the LDAP entry and check the User
> Account Control field, and if it has the flag set for expired password, I
> would like to direct the user to a page asking for current password and
> new password (twice), much like the ISCONNECTOR code referenced above.
>
> Any assistance pointing me in the right direction as to how this might be
> possible would be appreciated (or simply telling me it's not possible).
>
> Thanks
>
> Ken McDonald | Security Consultant | Symcor Inc.
> 400-1 Robert Speck Parkway, Mississauga, Ontario, L4Z 4E7
> Office: 905.273.1306 | Cell: 647.888.6548
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

-- 
Godwin Amila Shrimal
Senior Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94772264165
linkedin: http://lnkd.in/KUum6D
twitter: https://twitter.com/godwinamila
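The distinction Ken's doAuthenticate override needs ("the bind failed, but not with bad credentials") is actually available without a second LDAP query: Active Directory answers every failed simple bind with LDAP result 49 (invalidCredentials) and puts the real reason in the diagnostic message as a "data <hex>" sub-code, which is the text javax.naming.AuthenticationException#getMessage() carries when binding through JNDI. The class below is an added example written for this thread; it is not WSO2 code and not code from either poster, and it deliberately uses only the JDK so it has no dependency on the WSO2 user-store or authenticator API (wiring the result into a custom authenticator, as Godwin suggests, is left to the linked article). The sample diagnostic strings in main are constructed; the DSID value in them is illustrative. One caveat on reading the "User Account Control field" that the example encodes: the stored userAccountControl attribute never carries the PASSWORD_EXPIRED (0x800000) or LOCKOUT (0x10) bits, which are only returned in the constructed attribute msDS-User-Account-Control-Computed, and "user must change password at next logon" is pwdLastSet = 0, not a UAC bit at all.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Classifies why an Active Directory simple bind failed.
 *
 * AD returns LDAP result 49 (invalidCredentials) for every failed bind and
 * encodes the real reason in the diagnostic message as "data <hex>", e.g.
 *   "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"
 * With JNDI that text is javax.naming.AuthenticationException#getMessage(),
 * so a doAuthenticate override can hand it straight to classify().
 */
public final class AdBindFailure {

    public enum Reason {
        BAD_CREDENTIALS,      // 52e wrong password (525 user not found maps here too)
        LOGON_RESTRICTED,     // 530 outside logon hours, 531 not from this workstation
        PASSWORD_EXPIRED,     // 532 password older than maxPwdAge
        ACCOUNT_DISABLED,     // 533
        ACCOUNT_EXPIRED,      // 701 accountExpires has passed
        PASSWORD_MUST_CHANGE, // 773 pwdLastSet is 0 ("must change password at next logon")
        ACCOUNT_LOCKED,       // 775 too many bad passwords
        UNKNOWN               // no sub-code present (non-AD server) or one not listed here
    }

    private static final Pattern DATA_CODE =
            Pattern.compile("AcceptSecurityContext error, data ([0-9A-Fa-f]+)");

    private AdBindFailure() {}

    /** Map the DC's diagnostic message to a Reason; never throws on odd input. */
    public static Reason classify(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return Reason.UNKNOWN;
        }
        Matcher m = DATA_CODE.matcher(diagnosticMessage);
        if (!m.find()) {
            return Reason.UNKNOWN;
        }
        switch (m.group(1).toLowerCase(Locale.ROOT)) {
            case "525":
            case "52e": return Reason.BAD_CREDENTIALS;
            case "530":
            case "531": return Reason.LOGON_RESTRICTED;
            case "532": return Reason.PASSWORD_EXPIRED;
            case "533": return Reason.ACCOUNT_DISABLED;
            case "701": return Reason.ACCOUNT_EXPIRED;
            case "773": return Reason.PASSWORD_MUST_CHANGE;
            case "775": return Reason.ACCOUNT_LOCKED;
            default:    return Reason.UNKNOWN;
        }
    }

    /**
     * Only the two password-state reasons should lead to a change-password page.
     * A disabled, expired or locked account must get the generic failure: offering
     * it a password change would leak account state and sidestep the lockout.
     */
    public static boolean shouldOfferPasswordChange(Reason reason) {
        return reason == Reason.PASSWORD_EXPIRED || reason == Reason.PASSWORD_MUST_CHANGE;
    }

    // userAccountControl flag values (ADS_USER_FLAG_ENUM).
    public static final int ADS_UF_ACCOUNTDISABLE     = 0x0002;
    public static final int ADS_UF_LOCKOUT            = 0x0010;   // computed attribute only
    public static final int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;  // DC then never reports expiry
    public static final int ADS_UF_PASSWORD_EXPIRED   = 0x800000; // computed attribute only

    /**
     * Entry-based check for a service-account lookup done before (or instead of)
     * the user bind. The expired bit lives only in msDS-User-Account-Control-Computed,
     * never in the stored userAccountControl, and "must change at next logon" is
     * pwdLastSet == 0 with no UAC bit at all.
     */
    public static boolean passwordChangeRequired(long pwdLastSet, int userAccountControlComputed) {
        return pwdLastSet == 0L
                || (userAccountControlComputed & ADS_UF_PASSWORD_EXPIRED) != 0;
    }

    public static void main(String[] args) {
        // Constructed sample messages in the format AD returns; the DSID is illustrative.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1 ]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 ]",
            "[LDAP: error code 49 - Invalid Credentials]"  // non-AD server: no sub-code
        };
        for (String s : samples) {
            Reason r = classify(s);
            System.out.printf("%-20s offerChange=%b%n", r, shouldOfferPasswordChange(r));
        }
        System.out.println("pwdLastSet=0  -> " + passwordChangeRequired(0L, 0));
        System.out.println("expired bit   -> " + passwordChangeRequired(131234567890000000L, ADS_UF_PASSWORD_EXPIRED));
        System.out.println("healthy entry -> " + passwordChangeRequired(131234567890000000L, 0));
    }
}
```

Run it as a single-file program (java AdBindFailure.java on JDK 11 or later). The regex deliberately anchors on the literal "AcceptSecurityContext error" so a non-AD directory that happens to include a hex token in its message cannot be misread as a password-expiry signal, and shouldOfferPasswordChange is the gate that keeps locked or disabled accounts out of the change-password flow.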
