3 Replies Latest reply on Apr 16, 2003 5:27 PM by Juha Lindfors

    Change password (or, logout / login)

    Bill Bruyn Newbie

      Well, let's see if I can live with these forums...

      I'm working on a web app that makes use of a DatabaseServerLoginModule. That's all working, and life is good enough.

      Now I need to allow my end-user to change his/her password while using the application. So I have a form that posts to a servlet. The servlet then uses a bean that models my principal table to update the credentials.

      After the password has been modified, I redirect to some other JSP for display, which is also protected by the JAAS framework.

      This page is now inaccessible, because the session attributes are apparently out-of-sync with the principal data. This is good, I think.

      But how am I going to re-authenticate the user programmatically?

      I thought maybe I could use a LoginContext, but no...

      And then I thought maybe I could invalidate the HttpSession and post form data to j_security_check, but how would I specify the resource j_security_check should redirect to when it's finished? So, no...

      So now the only thing I can think of is to set request attributes in the servlet, forward to my destination resource, check for the existence of those attributes at the login page, and post the form onLoad() if I have some credentials already.

      I guess that'll work. I think. Pretty messy though. :o[

      Does anyone have a better idea?

        • 1. Re: Change password (or, logout / login)
          stevecoh1 Newbie

          I don't have an answer but I have the same question.
          I am going to be deploying a new system on an old user base. One of the things I'm virtually required to do is to force everyone to change their password (different encryption schemes). I have a database flag that, if set, forces the user to change his password - no other part of the application is accessible to him. Once the password is changed, he has his usual rights.

          I had thought I could achieve this by simply logging the user out after the password change and redirecting him to the login screen where he can type in his new password (which would then get the full role list associated with the user).

          But I am defeated by the authentication cache which still holds the user with his old password and truncated set of roles.

          What I want is a bullet-proof way to implement "remove this user from authentication cache". These are the semantics that are intuitive for logout. Otherwise there is no way for a user to change his credentials.
          What is the best way to achieve this currently in JBoss?

          • 2. Re: Change password (or, logout / login)
            stevecoh1 Newbie

            Another goodie that would be nice:
            for development purposes - is there a way to force the auth cache to be flushed whenever a new ear file is given to jboss? I find I get weird results whenever I send down a new ear, restarting JBoss makes it go away.
            Is there a way to force this to be cleaned on a new deployemnt or if not, at least to flush it manually?

            • 3. Re: Change password (or, logout / login)
              Juha Lindfors Master

              you can flush the authentication cache through jmx-console