Posted to users@tomcat.apache.org by Stefan Frei <st...@gmail.com> on 2013/09/16 20:02:53 UTC

use password expiration with datasource realm

Hello there

Tomcat 7.0.42
Windows 7 64 bit

I'm searching for a solution here because I didn't find anything on the
internet about it.

First I describe the current config:

We use a datasource realm to authenticate users with SHA-encrypted
passwords.

Everything works well with this solution (except we do not use a salt for
SHA at the moment, but I can implement that myself, I guess).

The problem:

The user should have a password which should change after a time (e.g. one
month).

So how do I intercept a login request after j_security_check, which
redirects the user to a "change your password" page before redirecting him
(as it usually would be) to the URL he requested initially (of course this
should only happen when the user's password has expired)?

Is there a solution out of the box, and if not, which classes should I
investigate to implement a custom solution?

Best regards

Stefan Frei

Re: use password expiration with datasource realm

Posted by Neven Cvetkovic <ne...@gmail.com>.
On Sep 16, 2013 10:15 PM, "Stefan Frei" <st...@gmail.com> wrote:
>
> Hello Neven
> Thanks for your reply.
> I didn't find anything about a security filter in the Tomcat docs; is this a
> common filter?
> Important would be that the filter triggers only when users perform a
> j_security_check, and not on every request.
>
> Should I use <filter-mapping>/j_security_check</filter-mapping>?
>

Stefan, I am afraid that would not work. You could maybe add it as part of
the security filter or just make a filter apply to your LoginServlet.

Re: use password expiration with datasource realm

Posted by Stefan Frei <st...@gmail.com>.
Hello Neven
Thanks for your reply.
I didn't find anything about a security filter in the Tomcat docs; is this a
common filter?
Important would be that the filter triggers only when users perform a
j_security_check, and not on every request.

Should I use <filter-mapping>/j_security_check</filter-mapping>?

Cheers Stefan


2013/9/16 Neven Cvetkovic <ne...@gmail.com>

> > The problem:
> >
> > The user should have a password which should change after a time (e.g. one
> > month).
> >
> > So how do I intercept a login request after j_security_check, which
> > redirects the user to a "change your password" page before redirecting
> > him (as it usually would be) to the URL he requested initially (of course
> > this should only happen when the user's password has expired)?
> >
> > Is there a solution out of the box, and if not, which classes should I
> > investigate to implement a custom solution?
> >
>
> Stefan, I am not sure there exists such an out-of-the-box solution.
>
> I would probably rewrite a security filter and check for the "freshness"
> of the password ... (have a timestamp attribute in the database that stores
> the time when the password was updated last).
>
> The great thing about filters is you can easily stack them, turn them on or
> off ... and essentially separate the security (auditing, logging, etc.)
> concerns...
>

Re: use password expiration with datasource realm

Posted by Neven Cvetkovic <ne...@gmail.com>.
> The problem:
>
> The user should have a password which should change after a time (e.g. one
> month).
>
> So how do I intercept a login request after j_security_check, which
> redirects the user to a "change your password" page before redirecting him
> (as it usually would be) to the URL he requested initially (of course this
> should only happen when the user's password has expired)?
>
> Is there a solution out of the box, and if not, which classes should I
> investigate to implement a custom solution?
>

Stefan, I am not sure there exists such an out-of-the-box solution.

I would probably rewrite a security filter and check for the "freshness"
of the password ... (have a timestamp attribute in the database that stores
the time when the password was updated last).

The great thing about filters is you can easily stack them, turn them on or
off ... and essentially separate the security (auditing, logging, etc.)
concerns...

Re: use password expiration with datasource realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Stefan,

On 9/16/13 2:02 PM, Stefan Frei wrote:
> The user should have a password which should change after a time
> (e.g. one month).
>
> So how do I intercept a login request after j_security_check, which
> redirects the user to a "change your password" page before
> redirecting him (as it usually would be) to the URL he requested
> initially (of course this should only happen when the user's password
> has expired)?

We do this with a Filter. The container provides the authentication,
but then we intercept the request to check for a "user" object in the
session. If it's not there, we load it from the db, do all our checks,
and redirect as appropriate.

You don't need to do anything other than implement your own Filter
class that does what you need, then register it with the container
(usually via web.xml, but lots of folks like annotation-based
configuration these days for some reason).

- -chris
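One way to implement what Neven and Chris describe, as an added example that is not code from this thread or from Tomcat itself. It is a servlet Filter for a Servlet 3.0 container such as Tomcat 7. The container still performs the FORM login through j_security_check (that happens in Tomcat's authenticator valve before any filter runs, which is why a filter mapped onto /j_security_check never fires); the filter then checks once per session, against a last-changed timestamp in the database, whether the password is older than the allowed age, and if so forces the user to a change-password page before letting him reach the URL he originally asked for. The JNDI name jdbc/UserDB, the users table with user_name and pw_changed columns, the /changePassword.jsp page and its /changePassword handler, and the 30-day maximum age are all assumptions made for the example.

```java
package example.security;

import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.concurrent.TimeUnit;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Assumed (example-only) names: JNDI DataSource jdbc/UserDB, table
// users(user_name, pw_changed TIMESTAMP), change page /changePassword.jsp
// posting to /changePassword, maximum password age 30 days.
@WebFilter(urlPatterns = "/*")
public class PasswordExpiryFilter implements Filter {

    private static final long MAX_AGE_MILLIS = TimeUnit.DAYS.toMillis(30);
    private static final String CHANGE_PAGE = "/changePassword.jsp";
    private static final String CHANGE_HANDLER = "/changePassword";
    static final String ATTR_EXPIRED = "pw.expired";
    static final String ATTR_RETURN_TO = "pw.returnTo";

    private DataSource ds;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/UserDB");
        } catch (NamingException e) {
            throw new ServletException("jdbc/UserDB is not bound for this web app", e);
        }
    }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal user = request.getUserPrincipal();
        if (user == null) {            // not authenticated yet: nothing to enforce
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession();
        Boolean expired = (Boolean) session.getAttribute(ATTR_EXPIRED);
        if (expired == null) {         // first request after login: ask the DB once
            expired = Boolean.valueOf(isExpired(user.getName()));
            session.setAttribute(ATTR_EXPIRED, expired);
        }

        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean exempt = path.equals(CHANGE_PAGE) || path.equals(CHANGE_HANDLER);
        if (expired.booleanValue() && !exempt) {
            // Remember the server-side path the user asked for (never a
            // client-supplied URL), then force the change-password page.
            if (session.getAttribute(ATTR_RETURN_TO) == null) {
                session.setAttribute(ATTR_RETURN_TO, request.getRequestURI());
            }
            response.sendRedirect(request.getContextPath() + CHANGE_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    // True when pw_changed is older than MAX_AGE; unknown or unset rows fail closed.
    private boolean isExpired(String userName) throws ServletException {
        String sql = "SELECT pw_changed FROM users WHERE user_name = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return true;
                Timestamp changed = rs.getTimestamp(1);
                return changed == null
                        || System.currentTimeMillis() - changed.getTime() > MAX_AGE_MILLIS;
            }
        } catch (SQLException e) {
            throw new ServletException("password age lookup failed", e);
        }
    }

    // Called by the /changePassword handler after it has verified the old
    // password and written the new hash and pw_changed; returns the redirect target.
    public static String passwordChanged(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String returnTo = (String) session.getAttribute(ATTR_RETURN_TO);
        session.removeAttribute(ATTR_RETURN_TO);
        session.setAttribute(ATTR_EXPIRED, Boolean.FALSE);
        return returnTo != null ? returnTo : request.getContextPath() + "/";
    }
}
```

The @WebFilter annotation is equivalent to a <filter> plus a <filter-mapping> with <url-pattern>/*</url-pattern> in web.xml, which is the registration Chris mentions. The DataSource used by the DataSourceRealm in server.xml is not automatically visible to the web application; it has to be defined in, or linked into, the application's context (a <Resource> or <ResourceLink> in context.xml) for the java:comp/env lookup to succeed. Two points worth keeping in mind: the verdict is cached in the session, so a password that expires in the middle of a long session is only enforced at the next login, and the change-password handler must itself be exempted (as the two constants do here) or the user is redirected in a loop.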
