
Thread: Remember Me & CredentialsExpiredException

  1. #1 Remember Me & CredentialsExpiredException

    Hi,

    I use UserDetails.isCredentialsNonExpired(), which causes a CredentialsExpiredException, to force the user to change their passwords when they expire. I have a custom AuthenticationProcessingFilterEntryPoint that redirects to a special page so they can change their password.

    This does not work with the default implementation of Remember Me because it doesn't call isCredentialsNonExpired after it authenticates the user.

    I could write my own implementation of Remember Me that does this, but it seems to make more sense that there should be a common system that does these kinds of checks. So after any sort of authentication, it should check the UserDetails object for its various conditions and then redirect the user accordingly. That way each authentication ProcessingFilter won't have to handle this on its own. (Say you use form, basic, and remember me; that's 3 authentication places where you have to know what to do if the user's credentials expired.)

    Any thoughts on this? Maybe all the ProcessingFilters should extend a base class that handles this stuff.

    --Alex

  2. #2 Re: Remember Me & CredentialsExpiredException

    Quote Originally Posted by aburgel
    Any thoughts on this? Maybe all the ProcessingFilters should extend a base class that handle this stuff.
    AbstractProcessingFilter is the shared authentication base. If a CredentialsExpiredException is thrown, it will redirect to the AbstractProcessingFilter.credentialsExpiredFailureUrl. Would that mechanism allow you to catch expired passwords and force a password change? Recall the AuthenticationException is available from the HttpSession attribute AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY, and this in turn contains AuthenticationException.getAuthentication() (i.e. the Authentication that caused the exception). This would allow you to know who the user was, and populate the change password form. It would presumably post to a custom controller that can change the underlying authentication repository's password, and then set the ContextHolder with the fully authenticated Authentication.

    Just a thought...

  3. #3

    Hi,

    Looks like some of this stuff is still in CVS, like AbstractProcessingFilter.credentialsExpiredFailureUrl.

    What would be useful for me is if RememberMeProcessingFilter also extended AbstractProcessingFilter. This is not in CVS yet... is there a plan to do this? That way it could have the same behavior if the user's credentials are expired.

    --Alex

  4. #4

    Quote Originally Posted by aburgel
    What would be useful for me is if RememberMeProcessingFilter also extended AbstractProcessingFilter..... That way it could have the same behavior if the user's credentials are expired.
    The trouble with this is AbstractProcessingFilter imposes some abstract methods that don't fit nicely in with the RememberMeProcessingFilter model. This is also the case with BASIC and Digest authentication processing filters.

    The other issue is RememberMeServices don't usually throw exceptions, such as CredentialsExpiredException. What I have done for you is add the following to TokenBasedRememberMeServices:

    Code:
    // Immediately reject if the user is not allowed to login.
    // userDetails was loaded for the username in cookieTokens[0] after the
    // cookie's expiry and signature were verified; a valid cookie alone is not enough.
    if (!userDetails.isAccountNonExpired()
        || !userDetails.isCredentialsNonExpired()
        || !userDetails.isEnabled()) {
        cancelCookie(request, response,
            "Cookie token[0] contained username '"
            + cookieTokens[0]
            + "' but account has expired, credentials have expired, or user is disabled");

        return null;
    }
    Thus the expired credentials will cause the remembered token to be invalidated, and then the user will presumably attempt to login manually and be handled by the normal expired credentials process.
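    The remember-me auto-login path described in the reply above, written out end to end as an added example. This is not Acegi's own code: it reimplements the TokenBasedRememberMeServices token layout (base64 of username:expiryTime:MD5(username:expiryTime:password:key)), verifies expiry and signature, and only then applies the account-status check, cancelling the cookie rather than logging the user in when a flag fails. The UserDetails and UserLookup interfaces, the cancel() bookkeeping and the sample user "alex" are stand-ins invented for the example; the constant-time signature comparison is a hardening over a plain equals() and is not part of the original.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example, not Acegi code. Remember-me auto-login that re-checks account
// status after the cookie has been verified, and cancels the cookie on failure.
public class RememberMeStatusCheck {

    // Stand-in for Acegi's UserDetails, reduced to the members used here (assumption).
    public interface UserDetails {
        String getUsername();
        String getPassword();
        boolean isAccountNonExpired();
        boolean isCredentialsNonExpired();
        boolean isEnabled();
    }

    // Stand-in for the user DAO; returns null for an unknown username (assumption).
    public interface UserLookup {
        UserDetails load(String username);
    }

    private final String key;          // server-side secret mixed into every signature
    private final UserLookup lookup;
    private String lastCancelReason;   // stands in for cancelCookie(): records why the cookie was dropped

    public RememberMeStatusCheck(String key, UserLookup lookup) {
        this.key = key;
        this.lookup = lookup;
    }

    // Issue a token for a successful interactive login:
    // base64( username ":" expiryTime ":" md5Hex(username ":" expiryTime ":" password ":" key) )
    public String makeToken(UserDetails user, long expiryTime) {
        String body = user.getUsername() + ":" + expiryTime + ":"
                + signature(user.getUsername(), expiryTime, user.getPassword());
        return Base64.getEncoder().encodeToString(body.getBytes(StandardCharsets.UTF_8));
    }

    // Returns the username to auto-login as, or null if the cookie was rejected and cancelled.
    public String autoLogin(String cookieValue, long now) {
        lastCancelReason = null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return cancel("cookie was not valid base64");
        }
        // Same limitation as the original scheme: a username containing ':' cannot be represented.
        String[] cookieTokens = decoded.split(":");
        if (cookieTokens.length != 3) {
            return cancel("cookie did not contain 3 tokens");
        }
        long expiryTime;
        try {
            expiryTime = Long.parseLong(cookieTokens[1]);
        } catch (NumberFormatException e) {
            return cancel("cookie token[1] was not a number");
        }
        if (expiryTime < now) {
            return cancel("cookie has expired");
        }
        UserDetails userDetails = lookup.load(cookieTokens[0]);
        if (userDetails == null) {
            return cancel("cookie token[0] contained an unknown username");
        }
        // Signature binds the cookie to the current password: a password change invalidates it.
        byte[] expected = signature(userDetails.getUsername(), expiryTime, userDetails.getPassword())
                .getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, cookieTokens[2].getBytes(StandardCharsets.UTF_8))) {
            return cancel("cookie signature did not match");
        }
        // The check from the reply above: a valid cookie is not enough, the account must still be allowed in.
        if (!userDetails.isAccountNonExpired()
                || !userDetails.isCredentialsNonExpired()
                || !userDetails.isEnabled()) {
            return cancel("Cookie token[0] contained username '" + cookieTokens[0]
                    + "' but account has expired, credentials have expired, or user is disabled");
        }
        return userDetails.getUsername();
    }

    public String getLastCancelReason() { return lastCancelReason; }

    private String cancel(String reason) {
        lastCancelReason = reason;   // a real implementation also sends an expired Set-Cookie here
        return null;
    }

    private String signature(String username, long expiryTime, String password) {
        return md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
    }

    private static String md5Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Constructed demo: a still-valid cookie for a user whose password has since expired.
    public static void main(String[] args) {
        UserDetails alex = new UserDetails() {
            public String getUsername() { return "alex"; }
            public String getPassword() { return "hashed-secret"; }
            public boolean isAccountNonExpired() { return true; }
            public boolean isCredentialsNonExpired() { return false; }  // expired after the cookie was issued
            public boolean isEnabled() { return true; }
        };
        RememberMeStatusCheck services =
                new RememberMeStatusCheck("server-key", u -> "alex".equals(u) ? alex : null);
        String cookie = services.makeToken(alex, 2_000_000_000_000L);
        System.out.println("auto-login result: " + services.autoLogin(cookie, 1_000_000_000_000L));
        System.out.println("cancel reason: " + services.getLastCancelReason());
    }
}
```

    With the flags checked after signature verification, the remembered session is dropped and the user falls through to the interactive login, where the normal CredentialsExpiredException handling in AbstractProcessingFilter redirects them to the change-password page. Checking the flags before the signature would leak account state for any username an attacker cares to put in a cookie, so the order shown matters.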
