Thread: how to change password without logging out

  1. #1
    Join Date
    Jun 2005
    Posts
    22

    hi,

    when my application users change their password, they are forced to log in again!

    I get the current user from the SecurityContext, change the password in the UserDetails object and persist it using Hibernate, but at this point the user is logged out and has to log in again with the new password.

    how should I solve this problem?

    I'm using Acegi 0.7.
    Amir Pashazadeh
    Payeshgaran MT.
    پايشگران مديريت طرح
    www.payeshgaran.org
    www.payeshgaran.net

  2. #2
    Join Date
    Mar 2005
    Posts
    13


    Code:
    net.sf.acegisecurity.context.ContextHolder.setContext(null);
    and direct the user to a secured page to trigger authentication.

  3. #3


    I'd like to keep my users logged-in after a password change.

    Currently, I update the user by using a Hibernate DAO.
    I also update the current Acegi user:
    Code:
    ((User) auth.getPrincipal()).setPassword(newPassword);
    However, after this step, my users are redirected to a login page ("Authentication failed due to incorrect password for user: ...").

    What's the correct way to handle this scenario?

  4. #4
    Join Date
    Jun 2005
    Posts
    22


    Quote Originally Posted by plethora
    I'd like to keep my users logged-in after a password change.

    Currently, I update the user by using a Hibernate DAO.
    I also update the current Acegi user:
    Code:
    ((User) auth.getPrincipal()).setPassword(newPassword);
    However, after this step, my users are redirected to a login page ("Authentication failed due to incorrect password for user: ...").

    What's the correct way to handle this scenario?
    Just the same problem I have.
    Amir Pashazadeh
    Payeshgaran MT.
    پايشگران مديريت طرح
    www.payeshgaran.org
    www.payeshgaran.net

  5. #5
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    The DaoAuthenticationProvider makes use of a cache to avoid having to go to the database on each request. So it isn't enough to change the password in the database; you have to remove the cached user info too, otherwise the provider will compare your new password against this stale version and find they don't match.

    I think this is likely to be causing your problem.

    The UserCache interface has a method to allow you to remove a user:

    http://acegisecurity.sourceforge.net...UserCache.html

  6. #6


    Using the following solved my problem:
    Code:
    final SecureContextImpl newContext = new SecureContextImpl();
    newContext.setAuthentication(new UsernamePasswordAuthenticationToken(username, newPassword));
    ContextHolder.setContext(newContext);
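
    A complete change-password flow that combines the two fixes from the replies above (the UserCache eviction from #5 and the context replacement from #6). This is an added example written for this thread, not code from any poster or from Acegi itself; UserDao is an assumed application interface, and the PasswordEncoder and UserCache are assumed to be the same beans the DaoAuthenticationProvider is wired with.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;
import net.sf.acegisecurity.context.security.SecureContextImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.dao.UserCache;
import net.sf.acegisecurity.providers.encoding.PasswordEncoder;

// Assumed application DAO (hypothetical; Hibernate-backed in the poster's case).
interface UserDao {
    UserDetails loadByUsername(String username);
    void updatePassword(String username, String encodedPassword);
}
public class ChangePasswordService {
    private final UserDao userDao;
    private final PasswordEncoder encoder;  // the encoder the DaoAuthenticationProvider uses
    private final UserCache userCache;      // the cache the DaoAuthenticationProvider uses
    public ChangePasswordService(UserDao userDao, PasswordEncoder encoder, UserCache userCache) {
        this.userDao = userDao;
        this.encoder = encoder;
        this.userCache = userCache;
    }

    public void changePassword(String oldPassword, String newPassword) {
        Authentication current = ((SecureContext) ContextHolder.getContext()).getAuthentication();
        if (current == null) {
            throw new IllegalStateException("no authenticated user in the context");
        }
        String username = current.getName();
        // 1. Re-verify the old password against the stored hash (null salt assumed here).
        UserDetails stored = userDao.loadByUsername(username);
        if (!encoder.isPasswordValid(stored.getPassword(), oldPassword, null)) {
            throw new IllegalArgumentException("old password does not match");
        }
        // 2. Persist the new password in encoded form.
        userDao.updatePassword(username, encoder.encodePassword(newPassword, null));
        // 3. Evict the stale cache entry, otherwise the provider keeps comparing against the old hash.
        userCache.removeUserFromCache(username);
        // 4. Replace the Authentication with a reloaded principal, the new credentials and the
        //    session's existing authorities; the three-argument constructor marks it authenticated.
        UserDetails refreshed = userDao.loadByUsername(username);
        Authentication fresh = new UsernamePasswordAuthenticationToken(
                refreshed, newPassword, current.getAuthorities());
        SecureContextImpl newCtx = new SecureContextImpl();
        newCtx.setAuthentication(fresh);
        ContextHolder.setContext(newCtx);
    }
}
```

    Step 1 is the check most change-password forms need: an already authenticated session is not proof that the person at the keyboard knows the current password.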

  7. #7
    Join Date
    Mar 2005
    Posts
    13


    As an aside: I think another implication of password change is the impact on RememberMe. RememberMe encrypts the username and password in a cookie. The next time you log in it will query the database to make sure the password still matches the username. Since the password in the database has changed, the RememberMe doesn't kick in and the user is forced to authenticate. A crafty solution would be to rebuild the cookie with the new password when the user changes the password.

  8. #8


    All this seems a lot of work for the most basic of functionalities: changing a user's password.

    Improved documentation on topics like these would be a welcome addition to the documentation.

  9. #9
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    Please feel free to submit documentation improvements to JIRA and we will be pleased to apply them. Alternatively, write a blog/WWW article on them and we will be pleased to link them.

    This topic (changing a user's password) is covered frequently in the forums and a quick search will show you the required steps.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  10. #10
    Join Date
    Jun 2005
    Posts
    22


    I believe the thing about Remember Me is how it should be: a user may log in on different computers using the Remember Me option, so it is good to ask for the password after changing it.
    Amir Pashazadeh
    Payeshgaran MT.
    پايشگران مديريت طرح
    www.payeshgaran.org
    www.payeshgaran.net
