Change Password interim step

**markstgodard** · Jun 20th, 2005, 09:38 PM

Hi All,

I am using 0.8.2 and I am encountering two (somewhat common) requirements.

- updating failed logon attempts for a User
- change password step during the logon process

The first requirement.. of updating the users failed logon attempts is working.. I simply tied into the the AuthenticationFailureEvents that are published (i.e. ApplicationListener).. so that is fine.

The 2nd requirement, I want to force a user to change their password (i.e. if it expires... or if they are a new user)

Right now, I have a User table and a "change password" indicator... so I mapped that boolean to the "credentials expired" attribute on the UserDetails.
This will then throw a CredentialsExpiredException and I can map that exception in the processing filter to a specific page... however, I am wondering how other ppl have approached this requirement?

Right now, it goes to a change password page.. however its not integrated with the j_security_check acegi logon... which I want.

Basically, I want to force a user to change their password... when they logon... ideally this would be an integrated process..

i.e. a logon with change password

Has anyone else implemented something similar?

Cheers

**tjbrosnan** · Jun 24th, 2005, 09:53 AM

I too would be interested to know how people have approached a similar problem

**Ben Alex** · Jun 25th, 2005, 06:46 PM

You would need to subclass AuthenticationProcessingFilter to provide this custom functionality after a successful login.

If you code something that is reusable, please feel free to post it to JIRA and I will see if we can include it in CVS.

**markstgodard** · Jul 11th, 2005, 10:13 PM

Hi Ben,

Instead of subclassing AuthenticationProcessingFilter, I ended up creating a ChangePasswordFilter and added it to the chain. It seemed to be a more pluggable, modular way to enforce the redirection to the change password page.

I did a cut of an AuthenticationProcessingFilter and I could get it to redirect to the change password page, however if I then just changed the URL and went to the main page, it would let me. I wanted it to "force" then to change their password, so I created a Change Password Filter, it also required some slight custom config ... i.e. need to specify the change password page... as well as the change password submission page....
or you end up in infinite loops

....

Anyway all in all, worked out to be a clean solution in my case.

Cheers

**Ben Alex** · Jul 13th, 2005, 01:33 AM

Originally Posted by markstgodard

Anyway all in all, worked out to be a clean solution in my case.

Great it got working for you Mark. It's a common requirement so thanks for sharing your approach.

**Martin-Schulz** · Jul 19th, 2005, 02:59 AM

Hi Mark, great work!

Please, can you post your ChangePasswordFilter in JIRA? I have the same Problem and can´t fix it because I´m still a big noob in Spring and Acegi. :wink:

Thx, with best regards,
Martin

Thread: Change Password interim step

Thread Tools

Display

Change Password interim step

Similar Threads

how to change password without logging out

change password with dao not being refreshed

Forgot password (e.g. secret question) using Acegi

Binding a password and confirmPassword field

Change password

Posting Permissions