We're currently using form-based authentication (i.e.
<auth-method>FORM</auth-method>) but, as I suspect many people have
found, it's rather limited.

One requirement we have is enforced password changes in certain
scenarios.  Currently the approach we were thinking of using is as
a) the realm recognizes that the user has a mandatory password change
flag set, and so gives them a degenerate set of roles; instead of their
true role, they just have a MUST_CHANGE_PASSWORD role.
b) a filter checks for the existence of this role, and if it's found,
forces the user to go to our change password page.
c) the password is changed and the user reauthenticated with their new
credentials, to retrieve their full set of roles.

It's point (c) that's proving problematic; there's no way to
reauthenticate that I can see.  Our thinking is that we can resolve the
inability to reauthenticate by creating a custom Authenticator; we could
set some flag in the session to perform on-demand reauthentication,
which would repopulate the list of roles, and everything would be hunky

Is this approach reasonable?  How have other people tackled similar
requirements?  Is there any less contrived way of achieving what we want
with the minimum of Tomcat-specific code?
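Steps (a) to (c) above, as an added example that is not part of the original message: a servlet filter that enforces the degenerate MUST_CHANGE_PASSWORD role, and a change-password servlet that drops the container login and re-authenticates with the new credentials so the realm supplies the full role set. It assumes a Servlet 3.0 container (Tomcat 7 or later, which is where HttpServletRequest.login()/logout() appeared; Tomcat 10+ uses the jakarta.servlet package names instead of javax.servlet). The role name comes from the message; the page path, the form parameter names and the PasswordStore helper are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Step (b): the realm has handed the user only MUST_CHANGE_PASSWORD, so every
 * request except the change-password page itself is redirected there.
 */
@WebFilter("/*")
public class ForcePasswordChangeFilter implements Filter {

    static final String MUST_CHANGE_ROLE = "MUST_CHANGE_PASSWORD"; // role name from the message
    static final String CHANGE_PAGE = "/changePassword.jsp";       // assumed page path
    static final String CHANGE_ACTION = "/changePassword";         // assumed form POST target

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Unauthenticated requests carry no roles; leave them to the container's
        // FORM login as usual and only fence in users the realm has flagged.
        if (request.getUserPrincipal() != null
                && request.isUserInRole(MUST_CHANGE_ROLE)
                && !isChangePasswordRequest(request)) {
            response.sendRedirect(request.getContextPath() + CHANGE_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    /** The change-password page and its POST target must stay reachable, or the user is locked in a loop. */
    static boolean isChangePasswordRequest(HttpServletRequest request) {
        String path = request.getServletPath();
        return CHANGE_PAGE.equals(path) || CHANGE_ACTION.equals(path);
    }

    @Override
    public void destroy() { }
}

/**
 * Step (c): after the credential store is updated, end the current container
 * login and log in again with the new password so the realm is consulted afresh
 * and the full set of roles replaces MUST_CHANGE_PASSWORD.
 */
@WebServlet("/changePassword")
class ChangePasswordServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String user = request.getUserPrincipal().getName();
        String oldPassword = request.getParameter("oldPassword"); // assumed parameter names
        String newPassword = request.getParameter("newPassword");

        // Assumed application-side helper: verifies the old password, stores the new
        // one (hashed) and clears the mandatory-change flag the realm looks at.
        if (!PasswordStore.changePassword(user, oldPassword, newPassword)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "password change rejected");
            return;
        }

        // Servlet 3.0: logout() removes the cached principal from the session,
        // login() runs the realm's authenticate() again; it throws ServletException
        // if the realm rejects the new credentials, so the user is never left with
        // the old role set under a new password.
        request.logout();
        request.login(user, newPassword);

        response.sendRedirect(request.getContextPath() + "/"); // back into the application with full roles
    }
}

/** Hypothetical stand-in for the application's credential store. */
final class PasswordStore {
    static boolean changePassword(String user, String oldPassword, String newPassword) {
        // Real implementation: verify oldPassword, hash and persist newPassword, clear the must-change flag.
        return newPassword != null && !newPassword.isEmpty() && !newPassword.equals(oldPassword);
    }
}
```

With Tomcat's FORM authenticator the principal is cached in the HTTP session, which is why the filter sees the degenerate role on every request until logout()/login() replaces it; the change-password URLs themselves still need to sit inside a security-constraint so only an authenticated user can reach them.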
