Request for comment: Supporting password expiration alert in JAAS

[Weijun Wang]

Hi All

I am working with an OpenJDK contributor (Steve Beaty) recently on this 
feature.

We often see messages like "Your password will expire in 5 days. Please 
update ASAP" when we login to a system, and we are seeing if we could 
also support this kind of alert in JAAS.

We first starts with the Krb5LoginModule. In Kerberos, the KDC might 
send a LastReq field in response to a ticket request. Normally, the 
LastReq might contain:

1. The time the password will expire
2. The time the account will expire.

(It might contain other things like the last request time from the same 
client, so the login module can show the user "Last login: Thu Aug 16 
19:44:55 2012". That's also how the field is named).

Out current idea is to create a new kind of Callback, say, 
PasswordExpirationCallback for a login module, if a password/account 
expiration message is found in the LastReq field received, some 
user-defined method can be called.

However, we cannot decide on what argument we should provide to this 
method. Certainly, just passing the LastReq field is not very good, 
since it's keberos-specific. Passing only the password expiration time? 
I'm not sure if the information is too little.

Are you familiar with all other styles of password expiration warnings? 
What kind of message is generalized enough and also contains enough info?

Any suggestion welcomed.

Thanks
Max