If the application knows and passes the expiration time to the callback, it can do the warning at the application level.

If the application does not know the expiration time, I was wondering whether the login context may also not know the time. Does Kerberos define expiration fields? I think it is not clear to me what the benefits are of doing it at the JDK level.

Xuelei

On 10/17/2012 1:44 PM, Weijun Wang wrote:
> Ping again.
>
> On 08/17/2012 06:18 PM, Weijun Wang wrote:
>> Hi All
>>
>> I am working with an OpenJDK contributor (Steve Beaty) recently on this
>> feature.
>>
>> We often see messages like "Your password will expire in 5 days. Please
>> update ASAP" when we login to a system, and we are seeing if we could
>> also support this kind of alert in JAAS.
>>
>> We first start with the Krb5LoginModule. In Kerberos, the KDC might
>> send a LastReq field in response to a ticket request. Normally, the
>> LastReq might contain:
>>
>> 1. The time the password will expire
>> 2. The time the account will expire.
>>
>> (It might contain other things like the last request time from the same
>> client, so the login module can show the user "Last login: Thu Aug 16
>> 19:44:55 2012". That's also how the field is named).
>>
>> Our current idea is to create a new kind of Callback, say,
>> PasswordExpirationCallback for a login module, if a password/account
>> expiration message is found in the LastReq field received, some
>> user-defined method can be called.
>>
>> However, we cannot decide on what argument we should provide to this
>> method. Certainly, just passing the LastReq field is not very good,
>> since it's Kerberos-specific. Passing only the password expiration time?
>> I'm not sure if the information is too little.
>>
>> Are you familiar with all other styles of password expiration warnings?
>> What kind of message is generalized enough and also contains enough info?
>>
>> Any suggestion welcomed.
>>
>> Thanks
>> Max
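
The callback idea discussed in this thread, sketched as an added example that is not part of the original messages and not JDK code: a login module maps the two LastReq expiration entries to a Kerberos-neutral callback and tolerates handlers that do not support it. `PasswordExpirationCallback` here is a hypothetical class with assumed fields (`kind`, `expiresAt`), the LastReq field is modelled as a plain map, and the lr-type numbers 6 and 7 come from RFC 4120.

```java
import java.io.IOException;
import java.time.*;
import java.util.*;
import javax.security.auth.callback.*;

public class ExpirationWarningDemo {
    /** Hypothetical callback (not a JDK class): carries only mechanism-neutral data. */
    static final class PasswordExpirationCallback implements Callback {
        enum Kind { PASSWORD, ACCOUNT }
        final Kind kind;
        final Instant expiresAt;
        PasswordExpirationCallback(Kind k, Instant t) { kind = k; expiresAt = t; }
    }

    // RFC 4120 lr-type values; a negative type has the same meaning but applies
    // only to the responding server, so the sign is dropped below.
    static final int LR_PASSWORD_EXPIRES = 6, LR_ACCOUNT_EXPIRES = 7;

    /** Login-module side: turn LastReq entries (lr-type -> lr-value) into callbacks. */
    static void reportExpirations(Map<Integer, Instant> lastReq, CallbackHandler handler) throws IOException {
        for (Map.Entry<Integer, Instant> e : lastReq.entrySet()) {
            int type = Math.abs(e.getKey());
            if (type != LR_PASSWORD_EXPIRES && type != LR_ACCOUNT_EXPIRES) continue;
            Callback cb = new PasswordExpirationCallback(
                type == LR_PASSWORD_EXPIRES ? PasswordExpirationCallback.Kind.PASSWORD
                                            : PasswordExpirationCallback.Kind.ACCOUNT,
                e.getValue());
            try {
                handler.handle(new Callback[] { cb });
            } catch (UnsupportedCallbackException ignored) {
                // A handler written before this callback existed must not fail the login.
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Instant now = Instant.now();
        Map<Integer, Instant> lastReq = new LinkedHashMap<>(); // constructed sample data
        lastReq.put(5, now.minus(Duration.ofHours(3)));        // last request time: skipped
        lastReq.put(6, now.plus(Duration.ofDays(5)));          // password expiration
        // Application side: the user-defined method that shows the warning.
        reportExpirations(lastReq, callbacks -> {
            for (Callback c : callbacks) {
                if (!(c instanceof PasswordExpirationCallback)) throw new UnsupportedCallbackException(c);
                PasswordExpirationCallback p = (PasswordExpirationCallback) c;
                long days = Duration.between(now, p.expiresAt).toDays();
                System.out.println("Your " + p.kind.name().toLowerCase() + " will expire in " + days + " days.");
            }
        });
    }
}
```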
