Request for comment: Supporting password expiration alert in JAAS

Weijun Wang weijun.wang at oracle.com
Wed Oct 17 08:06:17 PDT 2012


The application does not know it, but the KDC does. In this case, if a 
user's password is about to expire and he logs in to the KDC, the AS-REP 
message will include an expiration warning (LastReq data). Currently we 
have no way to expose this info to the application. But if we define a 
new kind of Callback there is a way to do it.

So it works something like this:

   LoginContext login = new LoginContext("c", new CallbackHandler() {
       public void handle(Callback[] cbs) {
         for (Callback cb: cbs) {
           // existing JAAS callbacks: dispatch on the callback type
           if (cb instanceof NameCallback)
             ((NameCallback) cb).setName("dummy");
           else if (cb instanceof PasswordCallback)
             ((PasswordCallback) cb).setPassword("pAss".toCharArray());
           // proposed new callback type; its accessor is the open question
           else if (cb instanceof PasswordExpirationCallback)
             alert(cb.???());
         }
       }});
   login.login();

We are just not sure what the cb.???() should look like.

Thanks
Max


On 10/17/2012 10:01 PM, Xuelei Fan wrote:
> If the application knows and passes the expiration time to the callback, it
> can do the warning in the application level.
>
> If the application does not know the expiration time, I was wondering
> that the login context may also not know the time.  Does kerberos define
> expiration fields?
>
> I think, it is not clear to me about the benefits to do it in JDK level.
>
> Xuelei
>
> On 10/17/2012 1:44 PM, Weijun Wang wrote:
>> Ping again.
>>
>> On 08/17/2012 06:18 PM, Weijun Wang wrote:
>>> Hi All
>>>
>>> I am working with an OpenJDK contributor (Steve Beaty) recently on this
>>> feature.
>>>
>>> We often see messages like "Your password will expire in 5 days. Please
>>> update ASAP" when we login to a system, and we are seeing if we could
>>> also support this kind of alert in JAAS.
>>>
>>> We first start with the Krb5LoginModule. In Kerberos, the KDC might
>>> send a LastReq field in response to a ticket request. Normally, the
>>> LastReq might contain:
>>>
>>> 1. The time the password will expire
>>> 2. The time the account will expire.
>>>
>>> (It might contain other things like the last request time from the same
>>> client, so the login module can show the user "Last login: Thu Aug 16
>>> 19:44:55 2012". That's also how the field is named).
>>>
>>> Our current idea is to create a new kind of Callback, say,
>>> PasswordExpirationCallback, for a login module: if a password/account
>>> expiration message is found in the LastReq field received, some
>>> user-defined method can be called.
>>>
>>> However, we cannot decide on what argument we should provide to this
>>> method. Certainly, just passing the LastReq field is not very good,
>>> since it's Kerberos-specific. Passing only the password expiration time?
>>> I'm not sure if the information is too little.
>>>
>>> Are you familiar with all other styles of password expiration warnings?
>>> What kind of message is generalized enough and also contains enough info?
>>>
>>> Any suggestions are welcome.
>>>
>>> Thanks
>>> Max
>
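The callback-based design sketched in Weijun's message above, as an added example that is not code from the thread or from OpenJDK. The class PasswordExpirationCallback, its Kind enum, and the WarningCallbackHandler are assumptions about what such an API could look like (no such class exists in the JDK at the time of the thread); the expiration date is constructed, and no real KDC exchange takes place. The point it shows is that the callback can carry only generic data (which thing expires, and when) so that the application's handler stays free of Kerberos-specific types such as LastReq.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical callback type (assumption: not part of the JDK). It carries
// only protocol-neutral information: what is expiring and when.
final class PasswordExpirationCallback implements Callback {
    // RFC 4120 LastReq lr-type 6 is "password will expire", lr-type 7 is
    // "account will expire"; a login module would map those onto these kinds.
    enum Kind { PASSWORD, ACCOUNT }

    private final Kind kind;
    private final Date expiration;

    PasswordExpirationCallback(Kind kind, Date expiration) {
        this.kind = kind;
        this.expiration = new Date(expiration.getTime()); // defensive copy
    }

    Kind getKind() { return kind; }

    Date getExpiration() { return new Date(expiration.getTime()); }

    // Whole days left relative to 'now'; negative if already expired.
    long daysLeft(Date now) {
        return TimeUnit.MILLISECONDS.toDays(expiration.getTime() - now.getTime());
    }
}

// Application-side handler: the application, not the login module, decides
// how to present the warning. Messages are collected in a list for this demo.
final class WarningCallbackHandler implements CallbackHandler {
    private final List<String> messages = new ArrayList<>();

    List<String> messages() { return messages; }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("dummy");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("pAss".toCharArray());
            } else if (cb instanceof PasswordExpirationCallback) {
                PasswordExpirationCallback pec = (PasswordExpirationCallback) cb;
                long days = pec.daysLeft(new Date());
                String what = pec.getKind() == PasswordExpirationCallback.Kind.PASSWORD
                        ? "password" : "account";
                if (days < 0) {
                    messages.add("Your " + what + " expired on " + pec.getExpiration());
                } else {
                    messages.add("Your " + what + " will expire in " + days
                            + " days. Please update ASAP");
                }
            } else {
                // Standard JAAS contract: reject callbacks we do not understand.
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }
}

// Stands in for the part of a login module that has parsed an AS-REP and
// found a LastReq entry. The expiration date is constructed for the demo.
public class PasswordExpirationDemo {
    public static void main(String[] args) throws Exception {
        WarningCallbackHandler handler = new WarningCallbackHandler();

        // First round: the module collects credentials as Krb5LoginModule does today.
        NameCallback name = new NameCallback("Username: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        handler.handle(new Callback[] { name, pass });
        pass.clearPassword(); // a module clears the password once it has been used

        // Second round: the module learned from LastReq that the password expires in 5 days.
        Date in5Days = new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(5));
        handler.handle(new Callback[] {
            new PasswordExpirationCallback(PasswordExpirationCallback.Kind.PASSWORD, in5Days)
        });

        for (String m : handler.messages()) {
            System.out.println(m);
        }
    }
}
```

Compile and run with `javac PasswordExpirationDemo.java && java PasswordExpirationDemo`. Passing a kind plus a date (rather than the raw LastReq) answers Xuelei's concern about doing the warning at the application level: the login context supplies the two facts it alone knows, and the application keeps full control over the wording and the threshold at which to warn.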


