Request for comment: Supporting password expiration alert in JAAS

Michael StJohns mstjohns at comcast.net
Wed Oct 17 15:26:56 UTC 2012


*sigh* 

Not "Refreshable" and "Destroyable", but "Group" and "UserPrincipal"...

Mike


At 11:25 AM 10/17/2012, Michael StJohns wrote:
>This seems too specific to password based authentication.
>
>How about something like a "PrincipalAttributes" interface to go along with Refreshable and Destroyable?
>
>Properties getAttributes();
>
>define a few names: accountExpiration, passwordExpiration, lastLoginTime etc and their default meanings.
>
>Do the login, grab the Subject, then grab the Principals, check for the interface and then do the appropriate actions.  
>
>You generally don't actually want to return data to the user such as the above until AFTER you're authenticated, and doing this via a callback, by definition is going to happen DURING authentication.
>
>Later, Mike
>
>
>
>At 01:44 AM 10/17/2012, Weijun Wang wrote:
>>Ping again.
>>
>>On 08/17/2012 06:18 PM, Weijun Wang wrote:
>>>Hi All
>>>
>>>I am working with an OpenJDK contributor (Steve Beaty) recently on this
>>>feature.
>>>
>>>We often see messages like "Your password will expire in 5 days. Please
>>>update ASAP" when we log in to a system, and we are seeing if we could
>>>also support this kind of alert in JAAS.
>>>
>>>We first start with the Krb5LoginModule. In Kerberos, the KDC might
>>>send a LastReq field in response to a ticket request. Normally, the
>>>LastReq might contain:
>>>
>>>1. The time the password will expire
>>>2. The time the account will expire.
>>>
>>>(It might contain other things like the last request time from the same
>>>client, so the login module can show the user "Last login: Thu Aug 16
>>>19:44:55 2012". That's also how the field is named).
>>>
>>>Our current idea is to create a new kind of Callback, say,
>>>PasswordExpirationCallback for a login module, if a password/account
>>>expiration message is found in the LastReq field received, some
>>>user-defined method can be called.
>>>
>>>However, we cannot decide on what argument we should provide to this
>>>method. Certainly, just passing the LastReq field is not very good,
>>>since it's Kerberos-specific. Passing only the password expiration time?
>>>I'm not sure if the information is too little.
>>>
>>>Are you familiar with all other styles of password expiration warnings?
>>>What kind of message is generalized enough and also contains enough info?
>>>
>>>Any suggestions welcome.
>>>
>>>Thanks
>>>Max
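
To make the post-login flow sketched above concrete, here is an added example (mine, not code from this thread, from the proposal's authors, or from the JDK). It assumes a hypothetical PrincipalAttributes interface carrying the three attribute names mentioned (accountExpiration, passwordExpiration, lastLoginTime), assumes attribute values are encoded as ISO-8601 instants, and stands a constructed in-memory LoginModule, a fixed clock and a made-up user ("alice") in for Krb5LoginModule and the KDC's LastReq field. The module adds a principal carrying the attributes only in commit(), so nothing about the account reaches the caller until authentication has succeeded; the application then does the login, grabs the Subject, walks its Principals, checks for the interface and decides what to show the user.

```java
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical interface along the lines proposed in the thread; not part of the JDK. */
interface PrincipalAttributes {
    // Agreed attribute names; values are ISO-8601 instants (an encoding assumed here).
    String ACCOUNT_EXPIRATION = "accountExpiration";
    String PASSWORD_EXPIRATION = "passwordExpiration";
    String LAST_LOGIN_TIME = "lastLoginTime";
    Properties getAttributes();
}

/** A user principal that also carries what the backend reported about the account. */
final class AttributedUserPrincipal implements Principal, PrincipalAttributes {
    private final String name;
    private final Properties attrs;
    AttributedUserPrincipal(String name, Properties attrs) { this.name = name; this.attrs = attrs; }
    @Override public String getName() { return name; }
    @Override public Properties getAttributes() { return (Properties) attrs.clone(); }
}

/** Toy stand-in for Krb5LoginModule (constructed for this example): it checks credentials against an
 *  in-memory table and, like a KDC's LastReq, exposes expiration data only after authentication has
 *  succeeded, in commit(), rather than through a callback fired during login(). */
public class ExpirationWarningDemo implements LoginModule {
    // Constructed sample data; a fixed clock keeps the output deterministic.
    static final Instant NOW = Instant.parse("2012-08-17T10:18:00Z");
    private static final Map<String, char[]> PASSWORDS = Map.of("alice", "correct horse".toCharArray());
    private static final Map<String, Map<String, String>> ACCOUNT_INFO = Map.of("alice", Map.of(
        PrincipalAttributes.PASSWORD_EXPIRATION, "2012-08-22T10:18:00Z",   // five days after NOW
        PrincipalAttributes.ACCOUNT_EXPIRATION, "2013-01-01T00:00:00Z",
        PrincipalAttributes.LAST_LOGIN_TIME, "2012-08-16T19:44:55Z"));
    private Subject subject; private CallbackHandler handler; private String user;
    private boolean authenticated; private Principal added;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        char[] expected = PASSWORDS.get(nc.getName());
        authenticated = expected != null && Arrays.equals(expected, pc.getPassword());
        pc.clearPassword();
        if (!authenticated) throw new FailedLoginException("bad user or password");
        user = nc.getName();
        return true;
    }
    @Override public boolean commit() {
        if (!authenticated) return false;
        Properties attrs = new Properties();
        attrs.putAll(ACCOUNT_INFO.get(user));
        added = new AttributedUserPrincipal(user, attrs);
        subject.getPrincipals().add(added);   // attributes become reachable only from here on
        return true;
    }
    @Override public boolean abort() { authenticated = false; user = null; return true; }
    @Override public boolean logout() { if (added != null) subject.getPrincipals().remove(added); return true; }

    /** Post-login step: walk the Subject's principals and build the alerts to show the user. */
    static List<String> expirationWarnings(Subject subject, Instant now, Duration warnWindow) {
        List<String> out = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof PrincipalAttributes)) continue;       // this module supplied no attributes
            Properties a = ((PrincipalAttributes) p).getAttributes();
            String last = a.getProperty(PrincipalAttributes.LAST_LOGIN_TIME);
            if (last != null) out.add("Last login: " + last);
            for (String key : List.of(PrincipalAttributes.PASSWORD_EXPIRATION, PrincipalAttributes.ACCOUNT_EXPIRATION)) {
                String v = a.getProperty(key);
                if (v == null) continue;                              // every attribute is optional
                Duration left = Duration.between(now, Instant.parse(v));
                String what = key.replace("Expiration", "");          // "password" or "account"
                if (left.isNegative()) out.add("Your " + what + " expired at " + v);
                else if (left.compareTo(warnWindow) <= 0)
                    out.add("Your " + what + " will expire in " + left.toDays() + " days. Please update ASAP");
            }
        }
        return out;
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic Configuration so the demo runs without a jaas.conf file.
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(ExpirationWarningDemo.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("correct horse".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", h);
        lc.login();   // authentication completes here; no account data is shown before it succeeds
        for (String w : expirationWarnings(lc.getSubject(), NOW, Duration.ofDays(7))) System.out.println(w);
    }
}
```

Compiled and run as a single file (Java 11 or later), it prints the last-login line and a five-day password warning; the account expiration lies outside the seven-day window, so nothing is said about it. A module that has nothing to report simply adds no principal implementing PrincipalAttributes, and the check falls through without needing a Kerberos-specific type or a callback during authentication.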




