we have a database directory service configured in MWS. Now we want to enforce password expiry after a certain amount of time. Let’s say the time of the last password change is present in our user table. How do I intercept the login process to see if the password expired. Anyone already implemented such a scenario.
Any help is highly appreciated.
One option would be to use the Servlet Filter technique described in this thread: http://tech.forums.softwareag.com/viewtopic.php?t=23841&highlight=login+listener&sid=6a114e7d5cb40e138dde2d46c1e8fd00
After the user has successfully authenticated, the filter checks to see if the password has expired and if so, redirects the user to a custom page.
Another option is to use CAF events (available in 8.x) and create a synchronous handler for the Login event. You can then attach whatever flag to the user’s session to signal the custom business logic that you’ll implement to force a password reset.
Hope this helps.
thanks a lot for the reply and the useful information. Which documentation can I consult on creating such an event handler?
I do not like the Servlet filter solution too much because of the complicated deployment and it would also be called in every request if I get that right.
We are already using custom authenticator because we use hashed passwords. Can I also use the authenticator here. I could just fail authentication if the password expired but I would need the information on the login page that the password expired. Do you think this is feasible?
Another thing we were thinking about is a custom portlet that is entered as the target of a login page rule and checks the password expiry. In case of an expired password the user is presented a modal password change dialog otherwise he is redirected to the last active tab. Do you think this is feasible? How can I redirect to the last active tab.
You can find out more information about events in the 8.x documentation of Designer: “Managing CAF Events”.
That might work. You could throw a subclass of the Authentication Exception, and then if you have a custom login page you could look for this specific exception class.
Maybe you place this portlet with the dialog into the Shell. Then you don’t really have to ever redirect anywhere.