Thread: Change password

  1. #1
    Join Date
    Oct 2004
    Posts
    8

Change password

    I have a problem in an application that is using Acegi for authentication. I have a Spring controller that allows the user to change their password in the database. When the password has been changed, the user keeps getting redirected back to the login page because I think the credentials they have in memory are different than what's in the database.

What are we supposed to do with respect to Acegi after the process of changing a password to fix this situation?

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    That shouldn't happen as DaoAuthenticationProvider will go back to the authentication repository to lookup the latest password if it does not match. Is your AuthenticationDao returning the updated password (try logging it in your AuthenticationDao)? Are you using the latest version of DaoAuthenticationProvider (from release 0.6.1)?

  3. #3
    Join Date
    Oct 2004
    Posts
    8

    Ben,

Maybe I'm a bit confused on exactly how to use the security framework. Is there already a module in Acegi dedicated to changing a password for a database repository? If not, what is the best way to implement it for a web application?

    I have it right now as a Spring MVC controller that handles that request and calls a business manager/service class I wrote that changes the password in the database. But, I'm trying to figure out how to tell the Acegi Security System that such an event (change password) has occurred and have the Authentication object that is in the HttpSession be updated with the new password.

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    There is no out-of-the-box approach to changing passwords. Your approach sounds fine. I think your problem is with caching. Are you using the NullUserCache or EhCacheBasedUserCache? Is your AuthenticationDao fronting an ORM layer that is caching? Did you try logging what the AuthenticationDao is retrieving from the database, to ensure it is even giving Acegi Security the new (changed) password for comparison purposes?

  5. #5
    Join Date
    Oct 2004
    Posts
    8

I am using the NullUserCache for now, I'm using Hibernate as the ORM layer, and I have a class that implements the AuthenticationDao interface.

    I am still having no luck with resetting the username/credential of the user in memory after changing the password.

What I am doing is this: after my Controller (I am using the Spring MVC framework) handles the change password request by delegating the work to a service class which updates the user's password in the database, I create a new UsernamePasswordAuthenticationToken in the session under the key HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY with the new password and keep the username, details and permissions. But, when the controller forwards to the next page, the user's credentials are still showing the old password.

    Sorry for the many questions or if this is a very trivial question that I should understand right away, but I cannot figure out what I am doing wrong exactly.

Do you have any suggestions?

    Thanks,
    -ray

  6. #6
    Join Date
    Oct 2004
    Posts
    8

I figured out my problem. Not only did I have to change the Authentication object in the Session, but I also had to update the SecureContext.

    Thanks for all the help though.

  7. #7
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Just double-check you really need to edit the HttpSession.

    The AbstractIntegrationFilter is responsible for updating the HttpSession with the contents of the ContextHolder at the end of each request. Also, whenever you're needing access to the Authentication you should be obtaining it from the ContextHolder. As such the fact the HttpSession is being used to store the Authentication should be transparent to your application - just update the ContextHolder.
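The approach posts #6 and #7 converge on, as an added example that is not code from either poster: after the service layer has committed the new password, replace the Authentication held in the thread-bound ContextHolder rather than writing into the HttpSession, and let the integration filter copy the context to the session at the end of the request. The package and class names (net.sf.acegisecurity.*), the UsernamePasswordAuthenticationToken constructor, setDetails, and UserCache.removeUserFromCache are taken from the Acegi 0.x API as I recall it and should be checked against the version in use; the PasswordChangeSupport class and its constructor injection are hypothetical.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.dao.UserCache;

/**
 * Hypothetical helper, called by the change-password controller only after
 * the service layer has successfully stored the new password in the database.
 * It never touches the HttpSession: the integration filter persists the
 * ContextHolder contents to the session at the end of the request.
 */
public class PasswordChangeSupport {

    // Assumed to be injected by Spring; may be a NullUserCache or EhCacheBasedUserCache.
    private final UserCache userCache;

    public PasswordChangeSupport(UserCache userCache) {
        this.userCache = userCache;
    }

    /**
     * Rebuilds the current user's Authentication with the new credentials so
     * that DaoAuthenticationProvider finds them matching the database on the
     * next request, and evicts any cached copy of the old UserDetails.
     */
    public void refreshAuthentication(String username, String newPassword) {
        // Acegi 0.x: ContextHolder.getContext() returns a Context; web
        // applications use a SecureContext implementation.
        SecureContext ctx = (SecureContext) ContextHolder.getContext();
        if (ctx == null) {
            throw new IllegalStateException("No security context bound to this thread");
        }

        Authentication current = ctx.getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            throw new IllegalStateException("No authenticated user in the security context");
        }

        // Only the caller's own session may be refreshed: refuse to rewrite the
        // context for a username that differs from the authenticated principal.
        if (!username.equals(current.getName())) {
            throw new IllegalArgumentException("Password change does not belong to the current user");
        }

        // Keep principal, authorities and details; swap only the credentials.
        GrantedAuthority[] authorities = current.getAuthorities();
        UsernamePasswordAuthenticationToken refreshed =
            new UsernamePasswordAuthenticationToken(current.getPrincipal(), newPassword, authorities);
        refreshed.setDetails(current.getDetails());

        // This is the step the original poster was missing: update the
        // SecureContext held by ContextHolder, not the HttpSession attribute.
        ctx.setAuthentication(refreshed);
        ContextHolder.setContext(ctx);

        // If a UserCache (or an ORM cache in front of the AuthenticationDao) is
        // in play, drop the stale entry so the old password hash is not reused.
        userCache.removeUserFromCache(username);
    }
}
```

Because ContextHolder is thread-bound, this must run on the same request thread that will later pass through the integration filter; calling it from a background thread would update a context nobody persists. Evicting the UserCache entry addresses the caching question raised in post #4 even when the context refresh alone appears to work.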
