views: 450 | answers: 2

Hello all,

A user is accessing a restricted web application with JAAS (on Glassfish 2.1). LDAPRealm is used, and authentication is successfully performed from LDAP. A password policy should be installed for the users, so that they are forced to change passwords, have passwords of certain complexity/length, and password failures and the last N passwords are checked. The password policy of the LDAP server used (OpenDS) supports all this, but it is not obvious at all how to receive this kind of information in the JAAS FORM login we are using, so that the information (i.e. "Please change your password") can be displayed to the user.

Do you have any ideas on how to go about implementing this? Using a database only is not an option; users need to be in LDAP. What is not obvious is whether to use LDAP password policies at all, or have it all programmed in our web application. I would like to avoid this and use LDAP's native password policies.

Thank you for answers and best regards, Bozo

+2  A: 

Unfortunately, what you can do using JAAS is kind of constrained to a small set of operations that any login system can support. While LDAP supports a password policy, other login systems (e.g. keystores) may not, so JAAS cannot have code that requires this.

Hence, you'll have to talk to the LDAP server directly using either JNDI or possibly this library from Novell.

Zarkonnen
Hello Zarkonnen - should I be able to write a custom JAAS login module, one that will catch the exception sent from LDAP and do the proper logic towards the user?
bozo
i.e., using something like this: http://stuffthathappens.com/blog/2008/05/16/writing-a-custom-jaas-loginmodule/.
bozo
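As an added example (not code from the question, the answer, or any of the linked articles), the following Java class shows what "talking to the LDAP server directly using JNDI" looks like for exactly the information the question asks for: it binds as the user with the LDAP Password Policy request control attached (OID 1.3.6.1.4.1.42.2.27.8.5.1 from draft-behera-ldap-password-policy, which OpenDS implements), decodes the server's Password Policy response control, and turns it into a user-facing message such as "Please change your password". The decode logic is the part a custom login module or SAM would reuse. Assumptions: the LDAP URL, user DN and password are supplied by the caller; the bind is done anonymously first and then upgraded with `reconnect()` so that the response control is still readable from the context after a failed bind (this relies on behaviour of the JDK's `com.sun.jndi.ldap` provider and should be verified against the provider in use); the BER decoder handles only the small, single-byte-length encodings this control actually produces. The sample byte arrays in `main` are constructed, not captured from a server.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Bind with the LDAP Password Policy control and decode the server's policy verdict. */
public final class PasswordPolicyBindCheck {

    /** OID of the Password Policy control (draft-behera-ldap-password-policy). */
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    /** Names of the error ENUMERATED values, indexed by their numeric value. */
    static final String[] ERROR_NAMES = {
        "passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
        "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
        "passwordTooYoung", "passwordInHistory" };

    /** Outcome of the bind plus whatever the policy control reported (nulls = absent). */
    public static final class BindResult {
        public final boolean authenticated;
        public final Integer timeBeforeExpirationSeconds; // warning [0] -> [0] INTEGER
        public final Integer graceAuthnsRemaining;        // warning [0] -> [1] INTEGER
        public final Integer error;                       // error [1] ENUMERATED

        BindResult(boolean ok, Integer ttl, Integer grace, Integer err) {
            authenticated = ok; timeBeforeExpirationSeconds = ttl;
            graceAuthnsRemaining = grace; error = err;
        }
    }

    /** Bind as userDn; an empty password is rejected explicitly because LDAP would treat it as an anonymous bind. */
    public static BindResult bind(String url, String userDn, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("empty password not accepted");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // e.g. ldaps://ldap.example.test:636 (placeholder)
        env.put(Context.SECURITY_AUTHENTICATION, "none");   // open the connection anonymously first
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            boolean ok;
            try {
                // reconnect() sends the bind with our request control attached
                ctx.reconnect(new Control[] { new BasicControl(PPOLICY_OID, Control.NONCRITICAL, null) });
                ok = true;
            } catch (AuthenticationException e) {
                ok = false; // wrong password, locked account, expired password, ...
            }
            byte[] value = null;
            Control[] response = ctx.getResponseControls(); // controls from the last operation (the bind)
            if (response != null) {
                for (Control c : response) {
                    if (PPOLICY_OID.equals(c.getID())) value = c.getEncodedValue();
                }
            }
            return decode(ok, value);
        } finally {
            ctx.close();
        }
    }

    /** Decode PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE {...} OPTIONAL, error [1] ENUMERATED OPTIONAL }. */
    static BindResult decode(boolean ok, byte[] v) {
        Integer ttl = null, grace = null, err = null;
        if (v == null || v.length < 2 || (v[0] & 0xFF) != 0x30) return new BindResult(ok, null, null, null);
        int pos = 2, end = Math.min(v.length, 2 + (v[1] & 0xFF)); // single-byte length: the value is always tiny
        while (pos + 1 < end) {
            int tag = v[pos] & 0xFF, len = v[pos + 1] & 0xFF, start = pos + 2;
            if (start + len > end) break;                         // malformed: stop rather than overread
            if (tag == 0xA0 && len >= 2) {                        // warning [0]: explicitly tagged CHOICE
                int innerTag = v[start] & 0xFF, innerLen = v[start + 1] & 0xFF;
                if (start + 2 + innerLen <= end) {
                    int n = readInt(v, start + 2, innerLen);
                    if (innerTag == 0x80) ttl = n; else if (innerTag == 0x81) grace = n;
                }
            } else if (tag == 0x81) {                             // error [1]: implicitly tagged ENUMERATED
                err = readInt(v, start, len);
            }
            pos = start + len;
        }
        return new BindResult(ok, ttl, grace, err);
    }

    static int readInt(byte[] b, int off, int len) {
        int n = 0;
        for (int i = 0; i < len; i++) n = (n << 8) | (b[off + i] & 0xFF);
        return n;
    }

    /** Message to show the user; null means nothing policy-related to report. */
    public static String userMessage(BindResult r) {
        if (r.error != null) {
            int e = r.error;
            if (e == 0 || e == 2) return "Please change your password.";          // expired / reset by admin
            if (e == 1) return "Your account is locked.";
            return "Login refused by password policy: " + (e < ERROR_NAMES.length ? ERROR_NAMES[e] : "error " + e);
        }
        if (!r.authenticated) return "Invalid credentials.";
        if (r.graceAuthnsRemaining != null)
            return "Your password has expired; " + r.graceAuthnsRemaining + " grace login(s) remain. Please change your password.";
        if (r.timeBeforeExpirationSeconds != null)
            return "Your password expires in " + (r.timeBeforeExpirationSeconds / 86400) + " day(s).";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values (not captured from a server):
        byte[] mustChange = { 0x30, 0x03, (byte) 0x81, 0x01, 0x02 };          // error changeAfterReset (2)
        byte[] expiring = { 0x30, 0x07, (byte) 0xA0, 0x05, (byte) 0x80, 0x03, 0x02, (byte) 0xA3, 0x00 }; // 172800 s
        System.out.println(userMessage(decode(true, mustChange)));   // Please change your password.
        System.out.println(userMessage(decode(true, expiring)));     // Your password expires in 2 day(s).
    }
}
```

Run `main` to see the decoder on the constructed samples; `bind(...)` needs a reachable server. Two points a deployer should keep in mind: the request control is sent as non-critical, so a server that does not implement it simply answers without the response control and `userMessage` degrades to plain success/failure, and the values of `ERROR_NAMES` other than expired, reset and locked are deliberately not mapped to distinct user text, since a login page has no reason to explain why a failed attempt failed.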
A: 

Got it. Have to use a SAM, since you cannot receive LoginException (with reason of login failure) in the existing auth mechanisms in Glassfish. Answer is here: http://stackoverflow.com/questions/992915/how-to-override-jsecuritycheck-in-glassfish

bozo