Request for comment: Supporting password expiration alert in JAAS

Weijun Wang, Wed Oct 17 08:06:17 PDT 2012

The application does not know it, but the KDC does. In this case, if a 
user's password is about to expire and he logs in to the KDC, the AS-REP 
message will include an expiration warning (LastReq data). Currently we 
have no way to expose this info to the application. But if we define a 
new kind of Callback there is a way to do it.

So it works something like this:

   LoginContext login = new LoginContext("c", new CallbackHandler() {
       public void handle(Callback[] cbs) {
           for (Callback cb: cbs) {
               if (nameCB) cb.setName("dummy");
               else if (passwordCB) cb.setPass("pAss");
               else if (passExpirationCB) alert(cb.???());
           }
       }
   });

We are just not sure what the cb.???() should look like.


On 10/17/2012 10:01 PM, Xuelei Fan wrote:
> If the application knows and passes the expiration time to the callback, it
> can do the warning at the application level.
> If the application does not know the expiration time, I was wondering
> whether the login context may also not know the time.  Does Kerberos define
> expiration fields?
> I think it is not clear to me what the benefits are of doing it at the JDK level.
> Xuelei
> On 10/17/2012 1:44 PM, Weijun Wang wrote:
>> Ping again.
>> On 08/17/2012 06:18 PM, Weijun Wang wrote:
>>> Hi All
>>> I have been working with an OpenJDK contributor (Steve Beaty) recently on this
>>> feature.
>>> We often see messages like "Your password will expire in 5 days. Please
>>> update ASAP" when we log in to a system, and we are seeing if we could
>>> also support this kind of alert in JAAS.
>>> We first start with the Krb5LoginModule. In Kerberos, the KDC might
>>> send a LastReq field in response to a ticket request. Normally, the
>>> LastReq might contain:
>>> 1. The time the password will expire
>>> 2. The time the account will expire.
>>> (It might contain other things like the last request time from the same
>>> client, so the login module can show the user "Last login: Thu Aug 16
>>> 19:44:55 2012". That's also how the field is named).
>>> Our current idea is to create a new kind of Callback, say,
>>> PasswordExpirationCallback, for a login module: if a password/account
>>> expiration message is found in the LastReq field received, some
>>> user-defined method can be called.
>>> However, we cannot decide on what argument we should provide to this
>>> method. Certainly, just passing the LastReq field is not very good,
>>> since it's Kerberos-specific. Passing only the password expiration time?
>>> I'm not sure if the information is too little.
>>> Are you familiar with all other styles of password expiration warnings?
>>> What kind of message is generalized enough and also contains enough info?
>>> Any suggestion is welcome.
>>> Thanks
>>> Max
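One possible shape for the callback the thread is asking about, as an added example written for this page (not code from the thread or from the JDK): the login module builds the callback from a LastReq entry, and the application turns it into a generic warning without seeing anything Kerberos-specific. The class name PasswordExpirationCallback is the one proposed above and the lr-type values 6 and 7 are the ones RFC 4120 section 5.4.2 assigns to password and account expiration; the method names, the Kind enum and the 7-day threshold are assumptions.

```java
import javax.security.auth.callback.Callback;
import java.time.Duration;
import java.time.Instant;

/** Hypothetical callback shape; lr-type numbers are from RFC 4120 section 5.4.2. */
public final class PasswordExpirationCallback implements Callback {
    static final int LR_PASSWORD_EXPIRES = 6;  // "time when the password will expire"
    static final int LR_ACCOUNT_EXPIRES = 7;   // "time when the account will expire"

    public enum Kind { PASSWORD, ACCOUNT }

    private final Kind kind;
    private final Instant expiresAt;

    public PasswordExpirationCallback(Kind kind, Instant expiresAt) {
        this.kind = kind;
        this.expiresAt = expiresAt;
    }

    /** Login-module side: turn one LastReq entry into a callback, or null when
     *  the entry is not an expiration (e.g. lr-type 5, time of last request). */
    public static PasswordExpirationCallback fromLastReq(int lrType, Instant lrValue) {
        switch (lrType) {
            case LR_PASSWORD_EXPIRES: return new PasswordExpirationCallback(Kind.PASSWORD, lrValue);
            case LR_ACCOUNT_EXPIRES:  return new PasswordExpirationCallback(Kind.ACCOUNT, lrValue);
            default:                  return null;
        }
    }

    public Kind getKind() { return kind; }
    public Instant getExpirationTime() { return expiresAt; }

    /** Application side: a generic message, or null if no warning is due yet.
     *  A negative day count means the credential has already expired. */
    public String warning(Instant now, int thresholdDays) {
        long days = Duration.between(now, expiresAt).toDays();
        if (days > thresholdDays) return null;
        String what = (kind == Kind.PASSWORD) ? "Your password" : "Your account";
        return days < 0 ? what + " has expired."
                        : what + " will expire in " + days + " days. Please update ASAP.";
    }

    public static void main(String[] args) {
        // Constructed sample: the KDC reported lr-type 6 with a time five days out.
        Instant now = Instant.parse("2012-10-17T15:06:17Z");
        PasswordExpirationCallback cb = fromLastReq(LR_PASSWORD_EXPIRES, now.plus(Duration.ofDays(5)));
        System.out.println(cb.warning(now, 7));
    }
}
```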
