
A user is accessing a restricted web application with JAAS (on Glassfish 2.1). LDAPRealm is used, and authentication is successfully performed from LDAP. A password policy should be installed for the users, so that they are forced to change passwords, have passwords of certain complexity/length, and password failures and the last N passwords should be checked. The password policy of the LDAP server used (OpenDS) supports all this, but it is not obvious at all how to receive this kind of information in the JAAS FORM login we are using, so that the information (i.e. "Please change your password") can be displayed to the user.

Do you have any ideas how to go about implementing this? Using database only is not an option, users need to be in LDAP. What is not obvious is whether to use LDAP password policies at all, or have it all programmed in our web application. I would like to avoid this and use LDAP's native password policies.

Thank you for answers and best regards, Bozo

asked by bozo

2 Answers


Unfortunately, what you can do using JAAS is kind of constrained to a small set of operations that any login system can support. While LDAP supports a password policy, other login systems (e.g. keystores) may not, so JAAS cannot have code that requires this.

Hence, you'll have to talk to the LDAP server directly using either JNDI or possibly this library from Novell.

answered by Zarkonnen
  • Hello Zarkonnen - should I be able to write a custom JAAS login module, one that will catch the exception sent from LDAP and do the proper logic towards the user? – bozo Oct 17 '09 at 10:53
  • i.e., using something like this: http://stuffthathappens.com/blog/2008/05/16/writing-a-custom-jaas-loginmodule/ . – bozo Oct 17 '09 at 11:01
  • This answer is simply untrue. You can program your own JAAS Login module to do any LDAP operations you like, including the extended password-policy operations. I have done exactly this. @bozo – user207421 Sep 21 '16 at 16:54
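The route described in the answer above (talk to the LDAP server directly through JNDI) combined with bozo's idea of a custom JAAS LoginModule, as an added example that is not code from this thread, from Glassfish or from OpenDS: the module binds as the user with the password-policy request control from draft-behera-ldap-password-policy (OID 1.3.6.1.4.1.42.2.27.8.5.1, which OpenDS supports), decodes the response control that comes back on both successful and failed binds, and either stores a message such as "Please change your password." in the JAAS shared state for the login layer to display or fails the login with the policy reason. The option names `url` and `baseDn`, the `uid=<name>,<baseDn>` DN layout, an anonymous initial connect, and the shared-state key `ldap.policyMessage` are assumptions; wiring the module into a Glassfish realm is not shown.

```java
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Example module; the option names "url"/"baseDn", the "uid=" naming and the sharedState key are assumptions.
public class PasswordPolicyLoginModule implements LoginModule {
    // Control OID from draft-behera-ldap-password-policy (request and response control share it).
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";
    // The "error" ENUMERATED of the response control, in draft order (0..8).
    static final String[] ERRORS = { "password expired", "account locked",
        "password must be changed after reset", "password modification not allowed",
        "old password must be supplied", "insufficient password quality",
        "password too short", "password too young", "password in history" };

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Map<String, ?> options;
    private boolean succeeded;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        this.options = options;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("cannot obtain credentials: " + e.getMessage()); }
        char[] pw = pc.getPassword();
        // An empty password would turn the simple bind into an anonymous bind that "succeeds".
        if (nc.getName() == null || pw == null || pw.length == 0) throw new FailedLoginException("user name and password are required");
        // Escape the user-supplied name so it cannot change the structure of the DN.
        String userDn = "uid=" + Rdn.escapeValue(nc.getName()) + "," + options.get("baseDn");
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, String.valueOf(options.get("url")));
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // first connect is anonymous (assumed to be allowed)
        LdapContext ctx = null;
        String policy = null;
        try {
            ctx = new InitialLdapContext(env, null);
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(pw));
            // Re-bind as the user; the request control is sent with the bind request.
            ctx.reconnect(new Control[] { new BasicControl(PPOLICY_OID, false, null) });
            policy = policyMessage(ctx.getResponseControls());
            succeeded = true;
        } catch (NamingException bindFailed) {
            // The server returns the response control on a failed bind too; read it from the same context.
            if (ctx != null) {
                try { policy = policyMessage(ctx.getResponseControls()); } catch (NamingException ignored) { }
            }
            throw new FailedLoginException(policy != null ? policy : "invalid credentials");
        } finally {
            pc.clearPassword();
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
        if (policy != null) sharedState.put("ldap.policyMessage", policy); // e.g. "Please change your password."
        return true;
    }

    // Finds the password-policy response control in the bind response, or returns null.
    static String policyMessage(Control[] controls) {
        if (controls == null) return null;
        for (Control c : controls) if (PPOLICY_OID.equals(c.getID())) return describe(c.getEncodedValue());
        return null;
    }

    // Decodes PasswordPolicyResponseValue; short-form BER lengths suffice for this small structure.
    static String describe(byte[] v) {
        if (v == null || v.length < 2 || (v[0] & 0xff) != 0x30) return null;
        StringBuilder out = new StringBuilder();
        int end = Math.min(v.length, 2 + (v[1] & 0xff));
        int i = 2;
        while (i + 1 < end) {
            int tag = v[i] & 0xff, len = v[i + 1] & 0xff, start = i + 2;
            if (start + len > end) break;
            if (tag == 0xA0 && len >= 2) {   // warning [0] CHOICE { timeBeforeExpiration [0] | graceAuthNsRemaining [1] }
                int wtag = v[start] & 0xff, wlen = Math.min(v[start + 1] & 0xff, len - 2);
                long n = 0;
                for (int k = 0; k < wlen; k++) n = (n << 8) | (v[start + 2 + k] & 0xff);
                out.append(wtag == 0x80 ? "Password expires in " + n + " seconds. " : "Only " + n + " grace logins remaining. ");
            } else if (tag == 0x81 && len == 1) {   // error [1] ENUMERATED
                int e = v[start] & 0xff;
                String err = e < ERRORS.length ? ERRORS[e] : "policy error " + e;
                out.append(e == 2 ? "Please change your password. " : err + ". ");
            }
            i = start + len;
        }
        return out.length() == 0 ? null : out.toString().trim();
    }

    public boolean commit() { return succeeded; }   // a real module would also add a Principal to the Subject
    public boolean abort() { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}
```

Two design points worth noting. First, the response control is read from the same `LdapContext` after `reconnect` throws, because the JNDI provider keeps the controls of the last bind response even when the bind failed; that is what lets a failed login carry a reason (locked, expired) rather than a bare `LoginException`. Second, messages like "account locked" tell an unauthenticated caller something about the account, so a deployment may prefer to log the decoded reason and show only the "change your password" and expiry warnings to the user.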

Got it. Have to use a SAM, since you cannot receive LoginException (with reason of login failure) in the existing auth mechanisms in Glassfish. Answer is here: How to override j_security_check in glassfish?

answered by bozo