
  • implementing force password change

    Hey all,

    I have an upcoming requirement that I'm trying to do some initial research on in terms of implementation strategies. If anyone can point me in the right direction on how to do this, it would be really, really appreciated.

    I need to force the user to change their password under some condition X so that when the user goes to log in, they're immediately presented with a change password page. A few stipulations, though:

    1) The change password page has to be "in their face" even if they try and click menu items, etc, after they've logged in. It should essentially keep coming up no matter what they click in terms of menu items, etc. They shouldn't be able to navigate away from the change password page in any way...although I would imagine the logout link would be a reasonable exception to this.

    2) Currently, when an anonymous user clicks a control that requires authentication, they're presented with a login page, then brought back to the page they were originally trying to access. Typical example: they're anonymous, they click "My Account", they're forced to log in, they immediately see the "My Account" page (instead of being back at the home page, etc). I need to maintain this functionality. They should be able to: be anonymous, click "My Account", log in, change password, see the "My Account" page immediately.

    I'm using Wicket to manage my web content...I'm not sure if it would be better to approach it from that end or not. I was thinking that whatever strategy I use may need to be at the security level due to #1, though.

    I really appreciate your time and help. Thanks!

  • #2
    I think the best way to do this is to write a custom UserDetailsService that marks the User as requiring a password reset (you will need a custom UserDetails to have this property too). At that point you can add a new Filter at the beginning of the FilterChain to see if the user requires a password reset. In order to obtain the user in the Filter you will want to ensure you use the SecurityContextRepository (i.e. HttpSessionSecurityContextRepository) to obtain the user. This is because the user has not been populated on the SecurityContextHolder yet. Then determine if the user requires a password change by looking at the attribute. If they do, redirect them to the password reset page (if the request does not match the password reset page or the URL handling the password reset). After changing the password you will want to ensure you update the SecurityContext with a new Authentication that does not indicate the password needs to be changed. You will also want to use the SavedRequestAuthenticationSuccessHandler to send the user to the original page.

    I realise this may be a lot to take in, but searching the reference for these classes and looking at the code for these classes will likely help.
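    The approach described in reply #2, written out as an added Spring Security example (this is not code from either poster and not part of the Spring Security project): a custom UserDetails carrying the reset flag, a filter placed first in the chain that loads the user from the HttpSessionSecurityContextRepository rather than the SecurityContextHolder, a redirect to the change-password page for everything except that page and logout, and, once the password has been changed, a replacement Authentication saved back to the session followed by a redirect to the originally requested page. The success handler the reply refers to is named SavedRequestAwareAuthenticationSuccessHandler in Spring Security's API. The class names ResettableUser and ForcePasswordChangeFilter and the paths /change-password and /logout are assumptions; the servlet imports assume javax.servlet (Spring Security 5 and earlier; use jakarta.servlet for 6).

```java
import java.io.IOException;
import java.util.Collection;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/** Custom UserDetails (hypothetical name) carrying the "must change password" flag. */
class ResettableUser extends User {
    private final boolean passwordResetRequired;

    ResettableUser(String username, String password,
                   Collection<? extends GrantedAuthority> authorities,
                   boolean passwordResetRequired) {
        super(username, password, authorities);
        this.passwordResetRequired = passwordResetRequired;
    }

    boolean isPasswordResetRequired() { return passwordResetRequired; }

    /** Copy of this user with the flag cleared, used once the password has really been changed. */
    ResettableUser withPasswordResetCleared() {
        return new ResettableUser(getUsername(), getPassword(), getAuthorities(), false);
    }
}

/** Filter registered at the start of the chain (hypothetical name). */
class ForcePasswordChangeFilter extends OncePerRequestFilter {
    private static final String CHANGE_PASSWORD_URL = "/change-password"; // assumed path
    private final SecurityContextRepository repo = new HttpSessionSecurityContextRepository();

    // The only requests a flagged user may make; without these they could never clear the flag or log out.
    private final RequestMatcher allowed = new OrRequestMatcher(
            new AntPathRequestMatcher(CHANGE_PASSWORD_URL + "/**"),
            new AntPathRequestMatcher("/logout"));  // assumed logout path

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        // The SecurityContextHolder is still empty this early in the chain, so read the
        // session-stored context directly from the repository, as the reply suggests.
        SecurityContext ctx = repo.loadContext(new HttpRequestResponseHolder(req, res));
        Authentication auth = ctx.getAuthentication();
        boolean mustReset = auth != null
                && auth.getPrincipal() instanceof ResettableUser
                && ((ResettableUser) auth.getPrincipal()).isPasswordResetRequired();
        if (mustReset && !allowed.matches(req)) {
            // Menu clicks, bookmarks and deep links all come back here until the flag is cleared.
            res.sendRedirect(req.getContextPath() + CHANGE_PASSWORD_URL);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * To be called by the change-password handler after the new password has been stored.
     * Replaces the Authentication with one whose principal no longer requires a reset, writes it
     * back to the session, then sends the user to the page they originally asked for.
     */
    static void completePasswordChange(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        SecurityContext ctx = SecurityContextHolder.getContext();
        ResettableUser cleared = ((ResettableUser) ctx.getAuthentication().getPrincipal())
                .withPasswordResetCleared();
        Authentication fresh = new UsernamePasswordAuthenticationToken(
                cleared, null, cleared.getAuthorities()); // credentials deliberately not kept
        ctx.setAuthentication(fresh);
        new HttpSessionSecurityContextRepository().saveContext(ctx, req, res);
        // Falls back to the default target URL when no request was saved (user logged in directly).
        new SavedRequestAwareAuthenticationSuccessHandler().onAuthenticationSuccess(req, res, fresh);
    }
}
```

    The filter has to run before SecurityContextPersistenceFilter and RequestCacheAwareFilter (in the XML namespace, `<custom-filter position="FIRST" ref="..."/>`; in Java config, `http.addFilterBefore(filter, SecurityContextPersistenceFilter.class)`). That ordering is what keeps stipulation #2 working: the cached "My Account" request is only removed from the session when RequestCacheAwareFilter sees a matching request, and the redirect to /change-password is issued before that point, so the success handler still finds the saved request once the password has been changed. Two checks worth keeping in mind: the UserDetailsService must set the flag from persistent state, not from the session, so that a fresh login after a forced reset is still caught, and the change-password handler should verify that the new password was actually persisted before calling completePasswordChange, since clearing the flag in the session alone would let the user past the filter.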