Hello,

I'm writing a Java application which needs to perform an unusual login procedure. One of my problems is that the user needs to supply more than a simple username/password combination. Specifically, a username/password/domain combination is required.

Another problem is that my application enforces some password lifetime rules (e.g. a password becomes invalid after 90 days). The authentication server that I use will refuse authentication when a password is expired and forces the user to choose a new one. Therefore my login process must be able to handle that.

Unfortunately the standard j_security_check servlet does not allow me to do any of that. Is there any way to create a custom and safe login procedure for a Java web application?

Note: the problem with supplying the domain can be worked around by having users enter username\domain instead of just username in the j_username field and then let a custom realm decode that. This is however a bit kludgy and doesn't solve the second problem anyway.

+3  A: 

Are you considering Spring security? These are some suggestions regarding password expiration.

kgiannakakis
I would appreciate if you could give a little more details about which particular features of Spring security could match my needs. I have 0 experience with spring and I would really not know where to start.
LordOfThePigs
Some suggestions appear in the link I gave you. However, if you have zero experience with Spring Security, then you will need to do some reading about it. Don't be intimidated by it - you don't need to learn the full framework. To achieve what you want, you will only need to override some classes.
kgiannakakis
+2  A: 

The JAAS security interface allows you to create a custom login module. This login module will allow you to have any security checking that you like. I suggest that you look at the information on JAAS.

Here are some of the links I used to help understand JAAS:

http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module

http://www.javaworld.com/jw-09-2002/jw-0913-jaas.html

http://www.jaasbook.com/

http://roneiv.wordpress.com/2008/02/18/jaas-authentication-mechanism-is-it-possible-to-force-j_security_check-to-go-to-a-specific-page/

Also have a look at the Apache tomcat realms configuration how-to:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

Martlark
I have already checked out the login modules, and actually written my own for GlassFish. But they all only support the username and password Callbacks. I've looked around, but none of the application servers seem to handle that properly.
LordOfThePigs
A LoginModule is also not able (as far as I can tell) to handle the password expiration constraint.
LordOfThePigs
I've looked around a little more, and it seems that it might be possible to use JAAS outside of the container managed, web.xml specified <login-config> element. So it seems the answer would be to use JAAS outside of the container managed security somehow.
LordOfThePigs
Well, all I can say is that my Spring/JAAS application does support password expiry. I have a database that records password metrics and the JAAS module checks those on login attempts. Your JAAS module should be able to handle return codes from your app server.
Martlark
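To make the approach in this answer and its comments concrete (a JAAS LoginModule driven by the application's own LoginContext rather than the container's web.xml `<login-config>`), here is an added example; it is not code from either poster or from any of the linked articles. The class name DomainLoginModule, the in-memory STORE with the constructed CORP\alice and CORP\bob accounts, and the "app" configuration name are assumptions. The domain travels in a standard TextInputCallback alongside the Name/Password callbacks, and a correct-but-expired password is reported with CredentialExpiredException (a LoginException subclass) so the caller can tell "send to the change-password page" apart from "reject the login". It needs Java 16 or later (records, pattern-matching instanceof).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module: username + password + domain, enforcing a 90-day password lifetime. */
public class DomainLoginModule implements LoginModule {
    static final Duration MAX_PASSWORD_AGE = Duration.ofDays(90);

    // Constructed sample accounts standing in for a real user store. Plain SHA-256 keeps the example
    // short; a production module would use a slow salted hash such as PBKDF2 or bcrypt.
    record Account(byte[] passwordSha256, Instant passwordSetAt) {}
    static final Map<String, Account> STORE = new HashMap<>();
    static {
        STORE.put("CORP\\alice", new Account(sha256("correct horse"), Instant.now().minus(Duration.ofDays(10))));
        STORE.put("CORP\\bob", new Account(sha256("battery staple"), Instant.now().minus(Duration.ofDays(120))));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String authenticatedUser;

    @Override public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) { this.subject = subject; this.handler = handler; }

    @Override public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        // The container's j_security_check handler only answers Name/Password callbacks; the extra
        // TextInputCallback for the domain is why this module is driven by our own LoginContext below.
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        TextInputCallback domain = new TextInputCallback("domain: ");
        try { handler.handle(new Callback[] { name, pw, domain }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e.getMessage()); }
        String key = domain.getText() + "\\" + name.getName();
        char[] secret = pw.getPassword(); pw.clearPassword();
        byte[] presented = sha256(new String(secret)); Arrays.fill(secret, '\0');
        Account acct = STORE.get(key);
        // Always run the constant-time compare, against a dummy digest for unknown accounts,
        // so response time does not reveal which domain\user combinations exist.
        byte[] expected = acct != null ? acct.passwordSha256() : new byte[32];
        boolean match = MessageDigest.isEqual(expected, presented);
        if (acct == null || !match) throw new FailedLoginException("bad credentials");
        // Correct password but past its lifetime: the distinct exception type lets the caller
        // send the user to a change-password page instead of treating this as a failed login.
        if (Duration.between(acct.passwordSetAt(), Instant.now()).compareTo(MAX_PASSWORD_AGE) > 0)
            throw new CredentialExpiredException("password older than " + MAX_PASSWORD_AGE.toDays() + " days");
        authenticatedUser = key;
        return true;
    }

    @Override public boolean commit() {
        if (authenticatedUser == null) return false;
        String principalName = authenticatedUser;
        subject.getPrincipals().add((Principal) () -> principalName); // minimal Principal for the Subject
        return true;
    }
    @Override public boolean abort() { authenticatedUser = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); authenticatedUser = null; return true; }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Drives the module outside container-managed security with our own CallbackHandler and Configuration. */
    public static void main(String[] args) {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DomainLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.<String, Object>of()) };
            }
        };
        attempt(cfg, "alice", "correct horse", "CORP"); // logged in
        attempt(cfg, "bob", "battery staple", "CORP");  // password expired, must change it
        attempt(cfg, "bob", "wrong", "CORP");           // login failed (bad credentials)
    }

    static void attempt(Configuration cfg, String user, String pass, String dom) {
        CallbackHandler h = callbacks -> {                // the web tier would fill these from the login form
            for (Callback c : callbacks) {
                if (c instanceof NameCallback n) n.setName(user);
                else if (c instanceof PasswordCallback p) p.setPassword(pass.toCharArray());
                else if (c instanceof TextInputCallback t) t.setText(dom);
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            new LoginContext("app", new Subject(), h, cfg).login();
            System.out.println(user + ": logged in");
        } catch (CredentialExpiredException e) {
            System.out.println(user + ": password expired, must change it");
        } catch (LoginException e) {
            System.out.println(user + ": login failed (" + e.getMessage() + ")");
        }
    }
}
```

In a web application the `attempt` method would be replaced by a servlet or filter that reads the three form fields, builds the CallbackHandler from them, and on CredentialExpiredException redirects to a change-password page while keeping the user unauthenticated; the session is only established after `login()` returns normally. Because this path bypasses container-managed security, the application itself must then guard its protected URLs (for example with a filter that checks for the authenticated Subject) rather than relying on `<security-constraint>` entries in web.xml.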