Handling Expired Password Best Practice

djeverson Apr 20, 2007 5:53 PM

Hi,

Our environment JBoss 4.0.5, Seam 1.2.1, Facelets

As part of our login use case, we have a requirement that the user's password must be changed within a defined period.

We attempted to implement this functionality by throwing an Exception in the Authenticator class:

if (user.isPasswordChangeRequired()) {
 throw new ExpiredPasswordException("User must change password");
}

In pages.xml, we added the following:

<exception class="us.crimnet.exceptions.ExpiredPasswordException">
 <redirect view-id="/change_password.xhtml"/>
</exception>

When we test this, the exception is thrown. However, the user is not redirected to the change_password.xhtml page. Rather, they just remain on the log page with a message saying that the log in failed.

How have others implemented similar use cases?

1. Re: Handling Expired Password Best Practice

shane.bryzak Apr 20, 2007 10:10 PM (in response to djeverson)
How about something like this?

<page view-id="/home.xhtml"> <navigation from-action="#{identity.login}"> <rule if="#{user.passwordExpired}"> <redirect view-id="/changepassword.xhtml"/> </rule> <rule if-outcome="loggedIn"> <redirect view-id="/profile.xhtml"/> </rule> </navigation> </page>

Inside your authentication method you'd need to put your user object into session scope, and it would need to have an isPasswordExpired() method or equivalent.
Actions
2. Re: Handling Expired Password Best Practice

saeediqbal1 Apr 20, 2007 11:49 PM (in response to djeverson)

shane you coming to java one? who will come from jboss seam team?
Actions
3. Re: Handling Expired Password Best Practice

shane.bryzak Apr 21, 2007 1:58 AM (in response to djeverson)

No I'm not coming, but Gavin will be there and perhaps some of the other guys - I'm not sure exactly who plans to go.
Actions

Go to original post