Request for comment: Supporting password expiration alert in JAAS

[Xuelei Fan]

If the application know and pass the expiration time to the callback, it
can do the warning in the application level.

If the application does not know the expiration time, I was wondering
that the login context may also not know the time.  Does kerberos define
expiration fileds?

I think, it is not clear to me about the benefits to do it in JDK level.

Xuelei

On 10/17/2012 1:44 PM, Weijun Wang wrote:
> Ping again.
> 
> On 08/17/2012 06:18 PM, Weijun Wang wrote:
>> Hi All
>>
>> I am working with an OpenJDK contributor (Steve Beaty) recently on this
>> feature.
>>
>> We often see messages like "Your password will expire in 5 days. Please
>> update ASAP" when we login to a system, and we are seeing if we could
>> also support this kind of alert in JAAS.
>>
>> We first starts with the Krb5LoginModule. In Kerberos, the KDC might
>> send a LastReq field in response to a ticket request. Normally, the
>> LastReq might contain:
>>
>> 1. The time the password will expire
>> 2. The time the account will expire.
>>
>> (It might contain other things like the last request time from the same
>> client, so the login module can show the user "Last login: Thu Aug 16
>> 19:44:55 2012". That's also how the field is named).
>>
>> Out current idea is to create a new kind of Callback, say,
>> PasswordExpirationCallback for a login module, if a password/account
>> expiration message is found in the LastReq field received, some
>> user-defined method can be called.
>>
>> However, we cannot decide on what argument we should provide to this
>> method. Certainly, just passing the LastReq field is not very good,
>> since it's keberos-specific. Passing only the password expiration time?
>> I'm not sure if the information is too little.
>>
>> Are you familiar with all other styles of password expiration warnings?
>> What kind of message is generalized enough and also contains enough info?
>>
>> Any suggestion welcomed.
>>
>> Thanks
>> Max