Posted to users@tomcat.apache.org by Stephen More <st...@gmail.com> on 2007/08/21 20:22:26 UTC

JDBCRealm + Expired Passwords

Has anyone written or know of a JDBCRealm that supports an expired password ?

-Thanks
Steve More

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: JDBCRealm + Expired Passwords

Posted by Peter Stavrinides <p....@albourne.com>.
>I just find it hard to believe that there is no open-source
>project/library to manage users that includes the above functionality.

Web server logins are dismal across the board, but it's so easy to write
a filter so I think nobody bothered.

Peter



Re: JDBCRealm + Expired Passwords

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stephen,

Stephen More wrote:
> Both of these would require a Filter that checks for the existence of
> the role "expiredPassword" and redirect as needed.

Yes. That's why I did it myself all in a single filter (including
loading the user's state, rather than adding an essentially useless role
called "expired-password").

> I just find it hard to believe that there is no open-source
> project/library to manage users that includes the above functionality.

Long ago, I had that thought, too. I resolved to create one
user-management package to rule them all, but as I worked with more and
more applications, I found that the requirements for each application
were often so different that the resulting uber-package would just be a
tiny framework with hundreds of little plug-ins that would make it
un-manageable.

Just my two cents.

-chris


Re: JDBCRealm + Expired Passwords

Posted by Stephen More <st...@gmail.com>.
On 8/22/07, Christopher Schultz <ch...@..........net> wrote:
> 1. Checks to see if the Session exists and has a Principal.
> 2. Checks to see if the Session contains my "User" object.
>    If not, it loads the User object and performs the "real" login
>    (as opposed to the basic authentication provided by the container).
> 3. Checks to see what the user's "status" is.
>    If the user is in the "must change password" state, I send them
>    to the "change password" screen.

Using the default tomcat realms I see 2 possibilities:

1. use the JDBCRealm and create a SQL view for user_roles. If the user
has an expired password, then a role called "expiredPassword" should
exist as a row in this view.

2. use the JAASRealm, if the password is expired add the role "expiredPassword".

Both of these would require a Filter that checks for the existence of
the role "expiredPassword" and redirect as needed.

I just find it hard to believe that there is no open-source
project/library to manage users that includes the above functionality.

-Steve



Re: JDBCRealm + Expired Passwords

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stephen,

Stephen More wrote:
> On 8/21/07, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Stephen More wrote:
>>> Has anyone written or know of a JDBCRealm that supports an expired password ?
>> Do you mean that you want expired-password-users to be forced to change
>> their password before doing anything else?
> 
> Yes, this is exactly what I am looking for: "I want
> expired-password-users to be forced to change their password before
> doing anything else."
> 
> Does such a Realm/project exist ?

I have done something like this using a (relatively) simple filter. It
does several things:

1. Checks to see if the Session exists and has a Principal.
2. Checks to see if the Session contains my "User" object.
   If not, it loads the User object and performs the "real" login
   (as opposed to the basic authentication provided by the container).
3. Checks to see what the user's "status" is.
   If the user is in the "must change password" state, I send them
   to the "change password" screen.

There are also checks to allow certain pages (like help pages) to be
accessed even when the password has not been successfully changed, and,
obviously, checks to make sure that we don't get into an endless loop
attempting to serve the "change password" page.

-chris


Re: JDBCRealm + Expired Passwords

Posted by Stephen More <st...@gmail.com>.
On 8/21/07, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Stephen More wrote:
> > Has anyone written or know of a JDBCRealm that supports an expired password ?
>
> Do you mean that you want expired-password-users to be forced to change
> their password before doing anything else?

Yes, this is exactly what I am looking for: "I want
expired-password-users to be forced to change their password before
doing anything else."

Does such a Realm/project exist ?

-Steve More



Re: JDBCRealm + Expired Passwords

Posted by Peter Stavrinides <p....@albourne.com>.
Hi Stephen

You are limited as to what logic the realm performs automatically; 
checking for expired passwords requires some manual work on your side. 
You might want to look at implementing a JAASRealm, and your own login 
module:

See the bottom of this page:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JDBCRealm
And:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html

For authentication you could duplicate the table structure in the 
JDBCRealm example, but add columns or another table to store a timestamp 
for when the user last changed/created their password.

Then in your login module compare that field to the current time. If the 
login is valid but fails because of expiry, then redirect to a change 
password page; otherwise authenticate or deny accordingly.

Kind regards
Peter

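An added example, not code posted in this thread, of the single servlet Filter Chris describes (session and Principal check, per-session user state, redirect to the change-password screen, exemptions for help pages, loop avoidance), which also folds in Stephen's "expiredPassword" role check and Peter's last-changed timestamp comparison. Assumptions: the `/changePassword.jsp` path, the 90-day policy, the hypothetical `PasswordStore` lookup and its `passwordStore` context attribute, and the `javax.servlet` API of the Tomcat 5.5 era (newer Tomcat versions use the `jakarta.servlet` package name).

```java
import java.io.IOException;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import javax.servlet.*;
import javax.servlet.http.*;

/** Forces users whose password has expired to the change-password page before anything else. */
public class ExpiredPasswordFilter implements Filter {
    static final String CHANGE_PAGE = "/changePassword.jsp"; // assumed location of the form
    static final String STATUS_ATTR = "passwordExpired";      // session attribute caching the check
    static final Duration MAX_AGE = Duration.ofDays(90);      // assumed password-age policy
    /** Hypothetical lookup of the "last changed" timestamp column Peter suggests. */
    public interface PasswordStore { Instant lastChanged(String username); }
    private PasswordStore store;

    @Override public void init(FilterConfig cfg) {
        // Assumption: the application registers its PasswordStore in the ServletContext at startup.
        store = (PasswordStore) cfg.getServletContext().getAttribute("passwordStore");
    }
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        Principal user = r.getUserPrincipal();
        // 1. No container login yet, or an exempt page (the form itself, help pages): pass through.
        //    Exempting CHANGE_PAGE is what prevents an endless redirect loop.
        if (user == null || isExempt(r.getServletPath())) { chain.doFilter(req, res); return; }
        // 2. Compute the status once per session. The change-password servlet must remove
        //    STATUS_ATTR after a successful change, or the user stays locked on the form.
        HttpSession session = r.getSession();
        Boolean expired = (Boolean) session.getAttribute(STATUS_ATTR);
        if (expired == null) {
            // Expired if the realm flagged it with a role (view/JAAS idea) or the timestamp is too old.
            expired = r.isUserInRole("expiredPassword") || passwordTooOld(user.getName());
            session.setAttribute(STATUS_ATTR, expired);
        }
        // 3. Expired: serve the change-password screen instead of whatever was requested.
        if (expired) { ((HttpServletResponse) res).sendRedirect(r.getContextPath() + CHANGE_PAGE); return; }
        chain.doFilter(req, res);
    }

    boolean passwordTooOld(String username) {
        Instant changed = store == null ? null : store.lastChanged(username);
        // Fail closed: a missing timestamp counts as expired.
        return changed == null || changed.plus(MAX_AGE).isBefore(Instant.now());
    }
    static boolean isExempt(String path) {
        return path.startsWith(CHANGE_PAGE) || path.startsWith("/help/");
    }
}
```

Map the filter to `/*` in web.xml and keep the change-password page itself inside a security constraint, so the container still authenticates the user before the form can be reached.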

Re: JDBCRealm + Expired Passwords

Posted by Stephen More <st...@gmail.com>.
In looking at the docs:
http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html
there is no Attribute for "userCredExpireCol". How do I configure the
JDBCRealm to look at an expiration column ?


-Steve



Re: JDBCRealm + Expired Passwords

Posted by Peter Stavrinides <p....@albourne.com>.
I also didn't understand exactly what you mean, but 'JDBCRealm'... implies using a database, so the simple way is to redirect and use a web form to change it, which is easy enough. If you don't want to use a web form then it's an entirely different story, I assume some sort of extension or customization to Tomcat is required.

Peter



Re: JDBCRealm + Expired Passwords

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stephen,

Stephen More wrote:
> Has anyone written or know of a JDBCRealm that supports an expired password ?

Can you phrase that in a different way? I wouldn't want my JDBCRealm to
allow expired passwords to be used.

Do you mean that you want expired-password-users to be forced to change
their password before doing anything else?

-chris