Ferindo,

> I'm trying to extend my basic JDBC Realm form authentication within my web
> app to, in addition to checking for userid and password, also check to make
> sure users' passwords aren't too old and force them to update their passwords.
I have done this with a filter that gets applied after the authentication step; my filter loads user information from the database (if necessary) and checks things like the "status" of the user. If the user has to update their password, I forward them to the password-changing page.

I recently switched to securityfilter in order to record failed logins, and was tempted to put all this logic into the authenticator, but decided against it: I like /this/ strategy for handling these features because they are decidedly outside of the purview of the authenticator. The authenticator's job is to authenticate the user (i.e. check username and password). The features you are talking about are closer to authorization than authentication.

Finally, you might consider running an external process to change users' states (i.e. to put them into a "must change password" state). We have a nightly cron job that runs a number of queries across all users and updates the 'status' of a user to a few states, including "must change password". I think it might make your code a bit easier, because the logic for determining the status of a user is outside of somewhere like your authenticator.

Hope that helps.

-chris
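The post-authentication filter described in the reply above, written out as an added example (this is not code from the thread or from the securityfilter project). It assumes the servlet container's Realm has already authenticated the request, so `getRemoteUser()` is populated; the class `UserStatusFilter`, the `UserStatus` enum, the `UserStatusDao` interface and the `/changePassword.jsp` path are hypothetical, and the in-memory lookup stands in for the JDBC query a real deployment would run. It goes one step beyond the reply by also handling a DISABLED state, one of the "few states" a nightly job might set:

```java
// Added example (not from the original thread): a servlet Filter, mapped after
// container (JDBC Realm) authentication, that enforces a "must change password"
// user status. Class and path names are hypothetical; the DAO is a constructed
// in-memory stand-in for the database lookup.
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UserStatusFilter implements Filter {

    /** Account states; per the reply these are set by an external job, not by the authenticator. */
    enum UserStatus { ACTIVE, MUST_CHANGE_PASSWORD, DISABLED }

    /** Hypothetical interface standing in for the JDBC lookup of a user's status. */
    interface UserStatusDao {
        UserStatus statusOf(String username);
    }

    private static final String STATUS_ATTR = "userStatus";
    private static final String CHANGE_PASSWORD_PAGE = "/changePassword.jsp";
    /** Paths that must stay reachable while a change is pending, otherwise the forward loops. */
    private static final Set<String> ALLOWED_WHILE_PENDING =
            Set.of(CHANGE_PASSWORD_PAGE, "/changePassword", "/logout");

    private UserStatusDao dao;

    @Override
    public void init(FilterConfig config) {
        // Constructed sample data; a real filter would query the users table here.
        Map<String, UserStatus> table = Map.of(
                "alice", UserStatus.ACTIVE,
                "bob",   UserStatus.MUST_CHANGE_PASSWORD,
                "carol", UserStatus.DISABLED);
        // Unknown users get the most restrictive state rather than a pass-through.
        dao = user -> table.getOrDefault(user, UserStatus.DISABLED);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The Realm has already authenticated the user by the time this runs;
        // unauthenticated requests (public pages) are not this filter's concern.
        String user = request.getRemoteUser();
        if (user == null) {
            chain.doFilter(req, res);
            return;
        }

        // Load the status once per session ("if necessary" in the reply), then reuse it.
        HttpSession session = request.getSession();
        UserStatus status = (UserStatus) session.getAttribute(STATUS_ATTR);
        if (status == null) {
            status = dao.statusOf(user);
            session.setAttribute(STATUS_ATTR, status);
        }

        String path = request.getServletPath();
        switch (status) {
            case DISABLED:
                // Authenticated but no longer allowed in: end the session and refuse.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            case MUST_CHANGE_PASSWORD:
                if (!ALLOWED_WHILE_PENDING.contains(path)) {
                    // Everything except the change-password flow is diverted there.
                    request.getRequestDispatcher(CHANGE_PASSWORD_PAGE).forward(req, res);
                    return;
                }
                break;
            default:
                break;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml with a `<url-pattern>` of `/*` so it sees every request after the Realm has done its work. Two details matter in practice: the change-password page and the endpoint it posts to must be exempt from the forward, or the user can never get out of the pending state; and whatever handles a successful change must remove the cached `userStatus` session attribute (or invalidate the session) so the stale MUST_CHANGE_PASSWORD value does not keep forcing the forward until the user logs out.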