Re: JDBCRealm + Expired Passwords
Stephen,

Stephen More wrote:
> Both of these would require a Filter that checks for the existence of
> the role "expiredPassword" and redirect as needed.

Yes. That's why I did it myself all in a single filter (including loading the user's state, rather than adding an essentially useless role called "expired-password").

> I just find it hard to believe that there is no open-source
> project/library to manage users that includes the above functionality.

Long ago, I had that thought, too. I resolved to create one user-management package to rule them all, but as I worked with more and more applications, I found that the requirements for each application were often so different that the resulting uber-package would just be a tiny framework with hundreds of little plug-ins that would make it un-manageable.

Just my two cents.

-chris

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: JDBCRealm + Expired Passwords
> I just find it hard to believe that there is no open-source
> project/library to manage users that includes the above functionality.

Web server logins are dismal across the board, but it's so easy to write a filter so I think nobody bothered.

Peter

Stephen More wrote:
> On 8/22/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> > 1. Checks to see if the Session exists and has a Principal.
> > 2. Checks to see if the Session contains my "User" object.
> >    If not, it loads the User object and performs the "real" login
> >    (as opposed to the basic authentication provided by the container).
> > 3. Checks to see what the user's "status" is.
> >    If the user is in the "must change password" state, I send them
> >    to the "change password" screen.
>
> Using the default tomcat realms I see 2 possibilities:
>
> 1. use the JDBCRealm and create a SQL view for user_roles. If the user has an expired password, then a role called "expiredPassword" should exist as a row in this view.
> 2. use the JAASRealm, if the password is expired add the role "expiredPassword".
>
> Both of these would require a Filter that checks for the existence of the role "expiredPassword" and redirect as needed.
>
> I just find it hard to believe that there is no open-source project/library to manage users that includes the above functionality.
>
> -Steve
Re: JDBCRealm + Expired Passwords
On 8/22/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> 1. Checks to see if the Session exists and has a Principal.
> 2. Checks to see if the Session contains my "User" object.
>    If not, it loads the User object and performs the "real" login
>    (as opposed to the basic authentication provided by the container).
> 3. Checks to see what the user's "status" is.
>    If the user is in the "must change password" state, I send them
>    to the "change password" screen.

Using the default tomcat realms I see 2 possibilities:

1. use the JDBCRealm and create a SQL view for user_roles. If the user has an expired password, then a role called "expiredPassword" should exist as a row in this view.
2. use the JAASRealm, if the password is expired add the role "expiredPassword".

Both of these would require a Filter that checks for the existence of the role "expiredPassword" and redirect as needed.

I just find it hard to believe that there is no open-source project/library to manage users that includes the above functionality.

-Steve
Re: JDBCRealm + Expired Passwords
Stephen,

Stephen More wrote:
> On 8/21/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
>> Stephen More wrote:
>>> Has anyone written or know of a JDBCRealm that supports an expired password
>>> ?
>> Do you mean that you want expired-password-users to be forced to change
>> their password before doing anything else?
>
> Yes, this is exactly what I am looking for: "I want
> expired-password-users to be forced to change their password before
> doing anything else."
>
> Does such a Realm/project exist ?

I have done something like this using a (relatively) simple filter. It does several things:

1. Checks to see if the Session exists and has a Principal.
2. Checks to see if the Session contains my "User" object. If not, it loads the User object and performs the "real" login (as opposed to the basic authentication provided by the container).
3. Checks to see what the user's "status" is. If the user is in the "must change password" state, I send them to the "change password" screen.

There are also checks to allow certain pages (like help pages) to be accessed even when the password has not been successfully changed, and, obviously, checks to make sure that we don't get into an endless loop attempting to serve the "change password" page.

-chris
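The three checks and the exempt-page handling described in the message above, written out as an added example; it is not Chris's code or anything shipped with Tomcat. The `User` and `UserStore` interfaces, the `app.user` / `app.userStore` attribute names and the paths are hypothetical, and the `javax.servlet` API of the Tomcat 5.5 era is assumed.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread; paths and attribute names are hypothetical.
public class PasswordExpiryFilter implements Filter {
    private static final String CHANGE_PAGE = "/account/change-password";
    // Reachable while a change is pending; CHANGE_PAGE is listed so the redirect cannot loop.
    private static final String[] EXEMPT = { CHANGE_PAGE, "/logout", "/help/" };
    public interface User { boolean mustChangePassword(); }                   // hypothetical
    public interface UserStore { User load(String name) throws IOException; } // hypothetical; null if unknown
    private UserStore store;
    public void init(FilterConfig cfg) {
        // Assumption: the application registered its UserStore at startup.
        store = (UserStore) cfg.getServletContext().getAttribute("app.userStore");
    }
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Principal principal = req.getUserPrincipal();
        // 1. No container login yet: pass through so the container's own auth runs.
        if (principal == null) { chain.doFilter(rq, rs); return; }
        // 2. Load the application's User once per session; an unknown user fails closed.
        HttpSession session = req.getSession(true);
        User user = (User) session.getAttribute("app.user");
        if (user == null) {
            user = store.load(principal.getName());
            if (user == null) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            session.setAttribute("app.user", user);
        }
        // 3. Match on getServletPath()/getPathInfo(), which Tomcat derives from the decoded,
        //    normalized URI, rather than on the raw getRequestURI().
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        if (user.mustChangePassword() && !isExempt(path)) {
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + CHANGE_PAGE));
            return;
        }
        chain.doFilter(rq, rs);
    }
    static boolean isExempt(String path) {
        for (String p : EXEMPT)
            if (path.equals(p) || (p.endsWith("/") && path.startsWith(p))) return true;
        return false;
    }
    public void destroy() { }
}
```

The handler behind the change-password page has to replace the cached `app.user` session attribute once the new password is stored, otherwise the filter keeps redirecting. Map the filter to `/*` so no protected resource is served without passing through it.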
Re: JDBCRealm + Expired Passwords
Hi Steven

You are limited as to what logic the realm performs automatically, checking for expired passwords requires some manual work on your side. You might want to look at implementing a JAASRealm, and your own login module:

See the bottom of this page:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm
And:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html

For authentication you could duplicate the table structure in the JDBCRealm example, but add columns or another table to store a timestamp for when the user last changed/created their password. Then in your login module compare that field to the current time. If the login is valid but fails because of expiry, then redirect to a change password page, otherwise authenticate or deny accordingly.

Kind regards
Peter

Stephen More wrote:
> In looking at the docs: http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html
> there is no Attribute for "userCredExpireCol".
>
> How do I configure the JDBCRealm to look at an expiration column ?
>
> -Steve
>
> On 8/22/07, Peter Stavrinides <[EMAIL PROTECTED]> wrote:
> > I also didn't understand exactly what you mean, but 'JDBCRealm'... implies using a database, so the simple way is to redirect and use a web form to change it, which is easy enough. If you don't want to use a web form then it's an entirely different story, I assume some sort of extension or customization to Tomcat is required.
> >
> > Peter
> >
> > Christopher Schultz wrote:
> > > Stephen,
> > >
> > > Stephen More wrote:
> > > > Has anyone written or know of a JDBCRealm that supports an expired password ?
> > >
> > > Can you phrase that in a different way? I wouldn't want my JDBCRealm to allow expired passwords to be used.
> > >
> > > Do you mean that you want expired-password-users to be forced to change their password before doing anything else?
> > >
> > > -chris
Re: JDBCRealm + Expired Passwords
In looking at the docs: http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html
there is no Attribute for "userCredExpireCol".

How do I configure the JDBCRealm to look at an expiration column ?

-Steve

On 8/22/07, Peter Stavrinides <[EMAIL PROTECTED]> wrote:
> I also didn't understand exactly what you mean, but 'JDBCRealm'... implies
> using a database, so the simple way is to redirect and use a web form to
> change it, which is easy enough. If you don't want to use a web form then it's
> an entirely different story, I assume some sort of extension or customization
> to Tomcat is required.
>
> Peter
>
> Christopher Schultz wrote:
> > Stephen,
> >
> > Stephen More wrote:
> >
> >> Has anyone written or know of a JDBCRealm that supports an expired
> >> password ?
> >
> > Can you phrase that in a different way? I wouldn't want my JDBCRealm to
> > allow expired passwords to be used.
> >
> > Do you mean that you want expired-password-users to be forced to change
> > their password before doing anything else?
> >
> > -chris
Re: JDBCRealm + Expired Passwords
I also didn't understand exactly what you mean, but 'JDBCRealm'... implies using a database, so the simple way is to redirect and use a web form to change it, which is easy enough. If you don't want to use a web form then it's an entirely different story, I assume some sort of extension or customization to Tomcat is required.

Peter

Christopher Schultz wrote:
> Stephen,
>
> Stephen More wrote:
> > Has anyone written or know of a JDBCRealm that supports an expired password ?
>
> Can you phrase that in a different way? I wouldn't want my JDBCRealm to allow expired passwords to be used.
>
> Do you mean that you want expired-password-users to be forced to change their password before doing anything else?
>
> -chris
Re: JDBCRealm + Expired Passwords
On 8/21/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> Stephen More wrote:
> > Has anyone written or know of a JDBCRealm that supports an expired password
> > ?
>
> Do you mean that you want expired-password-users to be forced to change
> their password before doing anything else?

Yes, this is exactly what I am looking for: "I want expired-password-users to be forced to change their password before doing anything else."

Does such a Realm/project exist ?

-Steve More
Re: JDBCRealm + Expired Passwords
Stephen,

Stephen More wrote:
> Has anyone written or know of a JDBCRealm that supports an expired password ?

Can you phrase that in a different way? I wouldn't want my JDBCRealm to allow expired passwords to be used.

Do you mean that you want expired-password-users to be forced to change their password before doing anything else?

-chris
JDBCRealm + Expired Passwords
Has anyone written or know of a JDBCRealm that supports an expired password ?

-Thanks
Steve More