Request for comment: Supporting password expiration alert in JAAS

Michael StJohns mstjohns at comcast.net
Wed Oct 17 15:25:00 UTC 2012


This seems too specific to password based authentication.

How about something like a "PrincipalAttributes" interface to go along with Refreshable and Destroyable?

Properties getAttributes();

define a few names: accountExpiration, passwordExpiration, lastLoginTime etc and their default meanings.

Do the login, grab the Subject, then grab the Principals, check for the interface and then do the appropriate actions.  

You generally don't actually want to return data to the user such as the above until AFTER you're authenticated, and doing this via a callback, by definition is going to happen DURING authentication.

Later, Mike



At 01:44 AM 10/17/2012, Weijun Wang wrote:
>Ping again.
>
>On 08/17/2012 06:18 PM, Weijun Wang wrote:
>>Hi All
>>
>>I am working with an OpenJDK contributor (Steve Beaty) recently on this
>>feature.
>>
>>We often see messages like "Your password will expire in 5 days. Please
>>update ASAP" when we login to a system, and we are seeing if we could
>>also support this kind of alert in JAAS.
>>
>>We first start with the Krb5LoginModule. In Kerberos, the KDC might
>>send a LastReq field in response to a ticket request. Normally, the
>>LastReq might contain:
>>
>>1. The time the password will expire
>>2. The time the account will expire.
>>
>>(It might contain other things like the last request time from the same
>>client, so the login module can show the user "Last login: Thu Aug 16
>>19:44:55 2012". That's also how the field is named).
>>
>>Our current idea is to create a new kind of Callback, say,
>>PasswordExpirationCallback, for a login module: if a password/account
>>expiration message is found in the LastReq field received, some
>>user-defined method can be called.
>>
>>However, we cannot decide on what argument we should provide to this
>>method. Certainly, just passing the LastReq field is not very good,
>>since it's Kerberos-specific. Passing only the password expiration time?
>>I'm not sure if the information is too little.
>>
>>Are you familiar with all other styles of password expiration warnings?
>>What kind of message is generalized enough and also contains enough info?
>>
>>Any suggestion welcomed.
>>
>>Thanks
>>Max
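Worked example of the post-login pattern Mike sketches above (login, take the Subject, walk its Principals, check for the interface, then act). This is an added illustration, not code from the thread or from OpenJDK: the PrincipalAttributes interface is hypothetical as proposed in the reply, DemoPrincipal is a constructed stand-in for what a login module would add to the Subject, and storing the attribute values as ISO-8601 instants is an assumption made here.

```java
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical interface as sketched in the thread: a Principal that exposes
// attributes learned during login (expiration times, last login, ...).
interface PrincipalAttributes {
    // Well-known attribute names; values are ISO-8601 instants in this example (assumption).
    String ACCOUNT_EXPIRATION  = "accountExpiration";
    String PASSWORD_EXPIRATION = "passwordExpiration";
    String LAST_LOGIN_TIME     = "lastLoginTime";

    Properties getAttributes();
}

// Constructed stand-in for the Principal a login module (e.g. Krb5LoginModule
// mapping the KDC's LastReq field) would add to the Subject. Not a real JAAS class.
final class DemoPrincipal implements Principal, PrincipalAttributes {
    private final String name;
    private final Properties attrs = new Properties();

    DemoPrincipal(String name, Instant passwordExpires, Instant lastLogin) {
        this.name = name;
        attrs.setProperty(PASSWORD_EXPIRATION, passwordExpires.toString());
        attrs.setProperty(LAST_LOGIN_TIME, lastLogin.toString());
    }

    @Override public String getName() { return name; }
    // Return a copy so callers cannot mutate the principal's attributes.
    @Override public Properties getAttributes() { return (Properties) attrs.clone(); }
}

public final class PostLoginChecks {
    /** Days before password expiry at which we start warning. */
    static final long WARN_DAYS = 7;

    /**
     * Runs only AFTER LoginContext.login() has succeeded: walk the Subject's
     * principals and, for those carrying attributes, report last login and
     * password expiration. Because this works on the authenticated Subject
     * rather than inside a Callback, none of this data is reachable before
     * authentication completes.
     */
    static String checkSubject(Subject subject, Instant now) {
        StringBuilder out = new StringBuilder();
        Set<Principal> principals = subject.getPrincipals();
        for (Principal p : principals) {
            if (!(p instanceof PrincipalAttributes)) continue;
            Properties a = ((PrincipalAttributes) p).getAttributes();

            String last = a.getProperty(PrincipalAttributes.LAST_LOGIN_TIME);
            if (last != null) out.append("Last login: ").append(last).append('\n');

            String exp = a.getProperty(PrincipalAttributes.PASSWORD_EXPIRATION);
            if (exp != null) {
                long days = Duration.between(now, Instant.parse(exp)).toDays();
                if (days < 0) out.append("Your password has expired.\n");
                else if (days <= WARN_DAYS)
                    out.append("Your password will expire in ").append(days)
                       .append(" days. Please update ASAP.\n");
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: login "succeeded" and the module populated the Subject.
        Instant now = Instant.parse("2012-08-17T10:18:00Z");
        Subject subject = new Subject();
        subject.getPrincipals().add(new DemoPrincipal("max@EXAMPLE.COM",
                now.plus(Duration.ofDays(5)),           // password expires in 5 days
                Instant.parse("2012-08-16T19:44:55Z"))); // last login
        System.out.print(checkSubject(subject, now));
    }
}
```

Run with the file named PostLoginChecks.java; the sample prints the last-login line followed by a 5-day expiration warning. The check lives in application code after login() returns, which is the point of the reply: a Callback would fire during authentication, so a per-account message delivered that way would leak account state to an unauthenticated caller.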