This topic is closed

  • Change Password interim step

    Hi All,

    I am using 0.8.2 and I am encountering two (somewhat common) requirements.

    - updating failed logon attempts for a User
    - change password step during the logon process

    The first requirement.. of updating the users failed logon attempts is working.. I simply tied into the AuthenticationFailureEvents that are published (i.e. ApplicationListener).. so that is fine.

    The 2nd requirement, I want to force a user to change their password (i.e. if it expires... or if they are a new user)

    Right now, I have a User table and a "change password" indicator... so I mapped that boolean to the "credentials expired" attribute on the UserDetails.
    This will then throw a CredentialsExpiredException and I can map that exception in the processing filter to a specific page... however, I am wondering how other ppl have approached this requirement?

    Right now, it goes to a change password page.. however it's not integrated with the j_security_check acegi logon... which I want.

    Basically, I want to force a user to change their password... when they logon... ideally this would be an integrated process..

    i.e. a logon with change password

    Has anyone else implemented something similar?


  • #2
    I too would be interested to know how people have approached a similar problem


    • #3
      You would need to subclass AuthenticationProcessingFilter to provide this custom functionality after a successful login.

      If you code something that is reusable, please feel free to post it to JIRA and I will see if we can include it in CVS.


      • #4
        Hi Ben,

        Instead of subclassing AuthenticationProcessingFilter, I ended up creating a ChangePasswordFilter and added it to the chain. It seemed to be a more pluggable, modular way to enforce the redirection to the change password page.

        I did a cut of an AuthenticationProcessingFilter and I could get it to redirect to the change password page, however if I then just changed the URL and went to the main page, it would let me. I wanted it to "force" them to change their password, so I created a Change Password Filter, it also required some slight custom config ... i.e. need to specify the change password page... as well as the change password submission page....
        or you end up in infinite loops ....

        Anyway all in all, worked out to be a clean solution in my case.
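
A sketch of the kind of filter described in post #4, as an added example that is not the poster's code and not part of Acegi. It uses only the plain servlet API and assumes the login code sets a hypothetical session attribute `MUST_CHANGE_PASSWORD` (cleared after a successful change), that the filter is mapped after the authentication filter, and that the two init parameter names are configured in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: forces a flagged user to the change password page on every
// request, so typing another URL by hand does not bypass the step.
public class ChangePasswordFilter implements Filter {
    // Hypothetical attribute name; set at login, removed after the change.
    public static final String MUST_CHANGE_PASSWORD = "MUST_CHANGE_PASSWORD";
    private String changePasswordPage;   // the form, e.g. /changePassword.jsp
    private String changePasswordSubmit; // the form target, e.g. /changePassword.do

    public void init(FilterConfig cfg) throws ServletException {
        changePasswordPage = cfg.getInitParameter("changePasswordPage");
        changePasswordSubmit = cfg.getInitParameter("changePasswordSubmit");
        if (changePasswordPage == null || changePasswordSubmit == null) {
            // Fail closed at startup instead of redirect-looping at runtime.
            throw new ServletException(
                "changePasswordPage and changePasswordSubmit are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        boolean mustChange = session != null
            && Boolean.TRUE.equals(session.getAttribute(MUST_CHANGE_PASSWORD));

        if (mustChange && !isExempt(request)) {
            response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + changePasswordPage));
            return; // do not continue down the chain
        }
        chain.doFilter(req, res);
    }

    // Only the form and its submission URL pass through; without both
    // exemptions the redirect would target itself and loop. Exact matching
    // avoids exempting other URLs that merely share a prefix or suffix.
    private boolean isExempt(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path.equals(changePasswordPage) || path.equals(changePasswordSubmit);
    }

    public void destroy() { }
}
```

Because the exemption is an exact match, stylesheets or images used by the change password page are redirected as well unless they are excluded from the filter mapping.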



        • #5
          Originally posted by markstgodard
          Anyway all in all, worked out to be a clean solution in my case.
          Great it got working for you Mark. It's a common requirement so thanks for sharing your approach.


          • #6
            Hi Mark, great work!

            Please, can you post your ChangePasswordFilter in JIRA? I have the same Problem and can't fix it because I'm still a big noob in Spring and Acegi. :wink:

            Thx, with best regards,