The application does not know it, but the KDC does. In this case, if a
user's password is about to expire and he logs in to the KDC, the AS-REP
message will include an expiration warning (LastReq data). Currently we
have no way to expose this info to the application. But if we define a
new kind of Callback there is a way to do it.
So it works something like this:
LoginContext login = new LoginContext("c", new CallbackHandler() {
    public void handle(Callback[] cbs)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : cbs) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("dummy");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("pAss".toCharArray());
            } else if (cb instanceof PasswordExpirationCallback) {
                alert(cb.???());   // accessor not yet decided
            }
        }
    }
});
login.login();
We are just not sure what the cb.???() should look like.
Thanks
Max
On 10/17/2012 10:01 PM, Xuelei Fan wrote:
If the application knows the expiration time and passes it to the
callback, it can do the warning at the application level.
If the application does not know the expiration time, I was wondering
whether the login context might also not know the time. Does Kerberos
define expiration fields?
I think it is not clear to me what the benefits of doing it at the JDK
level are.
Xuelei
On 10/17/2012 1:44 PM, Weijun Wang wrote:
Ping again.
On 08/17/2012 06:18 PM, Weijun Wang wrote:
Hi All
I am working with an OpenJDK contributor (Steve Beaty) recently on this
feature.
We often see messages like "Your password will expire in 5 days. Please
update ASAP" when we login to a system, and we are seeing if we could
also support this kind of alert in JAAS.
We first start with the Krb5LoginModule. In Kerberos, the KDC might
send a LastReq field in response to a ticket request. Normally, the
LastReq might contain:
1. The time the password will expire
2. The time the account will expire.
(It might contain other things, like the last request time from the same
client, so the login module can show the user "Last login: Thu Aug 16
19:44:55 2012". That's also how the field got its name.)
Our current idea is to create a new kind of Callback, say,
PasswordExpirationCallback, for a login module: if a password/account
expiration message is found in the received LastReq field, some
user-defined method can be called.
However, we cannot decide on what argument we should provide to this
method. Certainly, just passing the LastReq field is not very good,
since it's Kerberos-specific. Passing only the password expiration time?
I'm not sure whether that information is too little.
Are you familiar with all other styles of password expiration warnings?
What kind of message is generalized enough and also contains enough info?
Any suggestions welcome.
Thanks
Max
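One concrete shape the proposed callback could take, written here as an added
example for this thread; it is not code from the thread or from the JDK. The
class PasswordExpirationCallback, the handler WarningCallbackHandler, the
helper fromLastReq and the hand-built lr-type map standing in for the KDC's
LastReq are all assumptions of this example. It shows the "pass several
absolute times as plain Dates" option: the application sees no Kerberos
types, any field may be absent, and the handler decides what to show.

```java
import java.io.IOException;
import java.util.Date;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.TimeUnit;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical callback (not a JDK class): carries the expiration-related
// times a login module learned from the KDC, as plain Dates so nothing
// Kerberos-specific reaches the application. Any field may be null.
final class PasswordExpirationCallback implements Callback {
    private final Date passwordExpiry;
    private final Date accountExpiry;
    private final Date lastLogin;

    PasswordExpirationCallback(Date passwordExpiry, Date accountExpiry, Date lastLogin) {
        this.passwordExpiry = passwordExpiry;
        this.accountExpiry = accountExpiry;
        this.lastLogin = lastLogin;
    }
    Date getPasswordExpiry() { return passwordExpiry; }
    Date getAccountExpiry() { return accountExpiry; }
    Date getLastLogin() { return lastLogin; }

    // Whole days left before the password expires, or -1 if the KDC sent none.
    long daysUntilPasswordExpiry(Date now) {
        if (passwordExpiry == null) return -1;
        return TimeUnit.MILLISECONDS.toDays(passwordExpiry.getTime() - now.getTime());
    }
}

// What an application would install on its LoginContext: it answers the
// usual name/password callbacks and turns the expiration callback into a
// warning for the user. Hypothetical, not a JDK class.
final class WarningCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] password;
    String lastWarning;   // kept so a caller can inspect what was shown

    WarningCallbackHandler(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    @Override
    public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
        for (Callback cb : cbs) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);  // setPassword copies the array
            } else if (cb instanceof PasswordExpirationCallback) {
                PasswordExpirationCallback pec = (PasswordExpirationCallback) cb;
                long days = pec.daysUntilPasswordExpiry(new Date());
                StringBuilder sb = new StringBuilder();
                if (pec.getLastLogin() != null)
                    sb.append("Last login: ").append(pec.getLastLogin()).append('\n');
                if (days >= 0 && days <= 14)   // warning threshold is this example's choice
                    sb.append("Your password will expire in ").append(days)
                      .append(" days. Please update ASAP.\n");
                if (pec.getAccountExpiry() != null)
                    sb.append("Account expires: ").append(pec.getAccountExpiry()).append('\n');
                lastWarning = sb.toString();
                System.out.print(lastWarning);
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }
}

public class ExpirationWarningDemo {
    // Stand-in for the login module's side. A real Krb5LoginModule would build
    // this from the LastReq in the AS-REP; here the lr-type -> time map is
    // constructed by hand. RFC 4120 5.4.2 uses lr-type 6 for "password will
    // expire", 7 for "account will expire" and 5 for the last request time;
    // the sign convention of lr-type is ignored in this example.
    static PasswordExpirationCallback fromLastReq(Map<Integer, Date> lastReq) {
        return new PasswordExpirationCallback(lastReq.get(6), lastReq.get(7), lastReq.get(5));
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        Map<Integer, Date> lastReq = new TreeMap<>();            // constructed input
        lastReq.put(5, new Date(now - TimeUnit.DAYS.toMillis(1)));
        lastReq.put(6, new Date(now + TimeUnit.DAYS.toMillis(5)));
        // account expiry (7) deliberately absent: the callback must cope with null

        WarningCallbackHandler handler =
            new WarningCallbackHandler("dummy", "pAss".toCharArray());
        // A login module would call handler.handle(...) from its login(); it is
        // invoked directly here so the example runs without a JAAS config or KDC.
        handler.handle(new Callback[] {
            new NameCallback("username: "),
            new PasswordCallback("password: ", false),
            fromLastReq(lastReq)
        });
    }
}
```

Running it prints the last-login line and a "will expire in 5 days" warning
and no account line, since that entry was left out of the constructed
LastReq. Absolute times rather than a "days left" count keep the callback
free of any assumption about the caller's clock or warning policy; the
handler derives the relative figure itself.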