  • forcing user to change his password after first login

    Hi,
    As in the title: how do I force a user to change his/her default password after the first login attempt? I'm using form-based authentication with SHA-512 password encryption.

    Thanks in advance. Regards.

  • #2
    I would have thought this was pretty simple. You just need to ensure the forward after authentication sends the request to an action/controller/whatever to make the decision of what to do. If the user should change their password, send them to one place; for a normal login, another. If you want to store this information with the user, just extend the User object.



    • #3
      OK, but what if, on the ChangePassword.jsp page, the user enters some other address in the browser's address bar (if he knows what to enter)? Then he will skip changing the password until the next login.

      Regards.



      • #4
        I'm pretty sure this was covered recently; you might want to do a search. One approach would be not to assign any of the roles to the user in the UserDetails service if the password requires changing. The only visible URL could then be change password. After changing the password you could update the user's roles.

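        As an added illustration of the role-withholding approach described in #4 (example code, not posted in this thread): a hypothetical UserDetailsService decorator for Acegi that grants only a gating role until the password has been changed. It assumes the Korisnik class and its isLoggedBefore() flag from this thread; the class and role names are my own.

        ```java
        import org.acegisecurity.GrantedAuthority;
        import org.acegisecurity.GrantedAuthorityImpl;
        import org.acegisecurity.context.SecurityContextHolder;
        import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
        import org.acegisecurity.userdetails.User;
        import org.acegisecurity.userdetails.UserDetails;
        import org.acegisecurity.userdetails.UserDetailsService;
        import org.acegisecurity.userdetails.UsernameNotFoundException;
        import org.springframework.dao.DataAccessException;

        /* Hypothetical decorator around the application's real UserDetailsService.
           While Korisnik.isLoggedBefore() is false, every real role is withheld and
           only ROLE_CHANGE_PASSWORD is granted, so FilterSecurityInterceptor denies
           any URL except the change-password page, regardless of what the user types. */
        public class PasswordChangeGatingUserDetailsService implements UserDetailsService {
            public static final String CHANGE_PASSWORD_ROLE = "ROLE_CHANGE_PASSWORD";
            private final UserDetailsService delegate;

            public PasswordChangeGatingUserDetailsService(UserDetailsService delegate) {
                this.delegate = delegate;
            }

            public UserDetails loadUserByUsername(String username)
                    throws UsernameNotFoundException, DataAccessException {
                UserDetails real = delegate.loadUserByUsername(username);
                if (real instanceof Korisnik && !((Korisnik) real).isLoggedBefore()) {
                    // Same username, password hash and account flags; only the gating role.
                    return new User(real.getUsername(), real.getPassword(), real.isEnabled(),
                            real.isAccountNonExpired(), real.isCredentialsNonExpired(),
                            real.isAccountNonLocked(),
                            new GrantedAuthority[] { new GrantedAuthorityImpl(CHANGE_PASSWORD_ROLE) });
                }
                return real;
            }

            /* Called by the change-password controller once the new hash and the
               loggedBefore flag are persisted: swap the Authentication in the current
               SecurityContext for one carrying the user's real roles, so the session
               does not have to log in again. */
            public static void restoreRoles(UserDetails fullUser) {
                UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                        fullUser, null, fullUser.getAuthorities()); // credentials already erased
                SecurityContextHolder.getContext().setAuthentication(token);
            }
        }
        ```

        In the FilterSecurityInterceptor objectDefinitionSource (PATTERN_TYPE_APACHE_ANT) this pairs with `/PromenaLozinke.htm=ROLE_CHANGE_PASSWORD,ROLE_USER` followed by `/**=ROLE_USER`, so a gated user is authorized for the change-password page and nothing else.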


        • #5
          One approach would be not to assign any of the roles to the user in the UserDetails service if the password requires changing. The only visible URL could then be change password. After changing the password you could update the user's roles.
          Yes, I like it, but I talked with our project manager and this is not acceptable. I'm trying to implement it with an additional filter at the end of the acegi filter chain, but without success. Any help or instruction is appreciated.

          Regards.



          • #6
            Originally posted by jandrla:
            Yes I like it, but I talked with our project manager and this is not acceptable. I'm trying to implement it with aditional filter at the end of acegi filter chain, but without success. Any help or instruction is appreciated.
            Good old project managers... What's the problem with the filter?



            • #7
              The problem is that I can't find a better solution than this one:
              1) Implement the Filter interface, create a bean in app-context.xml and add it to the end of the acegi filter chain.

              2) In the doFilter method, if the user has logged in before, just do filterChain.doFilter(...) and that's it. If not, I'm redirecting the user to some ChangePassword.jsp which is handled by a SimpleFormController.

              For some reason I'm still not able to make it work.

              Do you have some idea how to do it better, and is this good approach?

              Thanks for your help.



              • #8
                I would have thought this should be quite straightforward. All you need to do is assert some state and then redirect to your required location.



                • #9
                  Bah, I solved it the same day I posted my last message, but I did not have time to post the solution. I'll do it in the next few days. Thanks.

                  Regards.



                  • #10
                    Originally posted by jandrla:
                    Bah, I solved it the same day I posted my last message, but I did not have time to post the solution. I'll do it in the next few days. Thanks.
                    Glad you managed to solve the problem. I'd be really interested to see your solution, looking forward to you posting it.



                    • #11
                      Here is the code. I didn't have time to do it better; for now it works. Any suggestion or comment is more than appreciated.
                      Code:
                      import java.io.IOException;

                      import javax.servlet.Filter;
                      import javax.servlet.FilterChain;
                      import javax.servlet.FilterConfig;
                      import javax.servlet.RequestDispatcher;
                      import javax.servlet.ServletContext;
                      import javax.servlet.ServletException;
                      import javax.servlet.ServletRequest;
                      import javax.servlet.ServletResponse;
                      import javax.servlet.http.HttpServletRequest;
                      import javax.servlet.http.HttpServletResponse;

                      import org.acegisecurity.Authentication;
                      import org.acegisecurity.context.SecurityContextHolder;
                      import org.apache.commons.logging.Log;
                      import org.apache.commons.logging.LogFactory;

                      public class UserChangePasswordCheckFilter implements Filter {
                          protected final Log logger = LogFactory.getLog(getClass());

                          public void destroy() {
                          }

                          public void doFilter(ServletRequest request, ServletResponse response,
                                  FilterChain chain) throws IOException, ServletException {
                              /* Whether a redirect should occur or not. */
                              boolean redirect = false;

                              //logger.info("UserChangePasswordCheckFilter says Hi!");

                              if (!(request instanceof HttpServletRequest)) {
                                  throw new ServletException("Can only process HttpServletRequest");
                              }

                              if (!(response instanceof HttpServletResponse)) {
                                  throw new ServletException("Can only process HttpServletResponse");
                              }

                              Authentication authentication = SecurityContextHolder
                                      .getContext().getAuthentication();

                              /* Korisnik class implements UserDetails. The context may hold no
                                 Authentication at all (request not yet authenticated), so guard
                                 against null before reading the principal. */
                              if (authentication != null
                                      && authentication.getPrincipal() instanceof Korisnik) {
                                  Korisnik korisnik = (Korisnik) authentication.getPrincipal();

                                  if (!korisnik.isLoggedBefore())
                                      redirect = true;
                              }

                              /* PromenaLozinke.htm is handled by SimpleFormController; after the
                                 form is submitted we don't want to redirect. */
                              if (((HttpServletRequest) request).getServletPath().startsWith("/PromenaLozinke.htm"))
                                  redirect = false;

                              /* If redirect is true, forward the user to the change-password page;
                                 otherwise just continue the chain. */
                              if (redirect) {
                                  logger.info("Spremam se za redirekciju!");
                                  ServletContext context = ((HttpServletRequest) request).getSession().getServletContext();
                                  RequestDispatcher rd = context.getRequestDispatcher("/PromenaLozinke.htm");
                                  if (rd != null) {
                                      logger.info("ok!");
                                      rd.forward(request, response);
                                  }
                              } else {
                                  chain.doFilter(request, response);
                              }
                          }

                          public void init(FilterConfig config) throws ServletException {
                          }
                      }
                      I added this filter to the end of acegi filter chain in app context.

                      Regards.



                      • #12
                        Thanks for posting that, it was interesting to see how you'd implemented it!

