How to implement Force password change during authentication

Description of problem
Our client requires web applications to support its internal security policy beyond
normal authentication. This includes:
- force password change periodically. This should be performed at logon time.
- maintain password history so that a new password would not repeat any of its
previous 15 changes.
We already have an authentication server that satisfies these requirements. However,
we would also like to base our solution on WebLogic security framework so that
we can leverage the benefit of the container-managed declarative security (e.g.
we don't need to use our special cookie to check whether a user is authenticated
for every web page in the application). So the best scenario for us is to wrap
up this authentication server using WLS 7.0 authentication SSPI.
My initial investigation of WLS 7.0 security framework (based on edocs and the
sample customer security provider codes) convinced me that overall, this is achievable.
However, I am still left with quite a few questions, which I would like to get
your help.
Questions:
1. (web container) The J2EE-standard container-based authentication is to specify
the <login-config> element. My understanding is that only FORM based authentication
is applicable. The specified form elements:
<form method="post" action="j_security_check">
<INPUT TYPE="TEXT" NAME="j_username">
<INPUT TYPE="password" NAME="j_password">
</form>
are adequate for authentication. However, if the authentication service provider
indicates that password change is needed, what would be the most appropriate way
within WebLogic for the authentication service provider to pass such a flag to
the web container so that our application can access it? I guess a simpler
question would be: using the standard <login-config>, the webapp knows only whether
authentication fails or succeeds. Can it possibly know more information provided
by the authentication service provider right after authentication?
2. If we don't use standard FORM-based authentication, we will code up our own
authentication control, which could give us a lot more flexibility, but can we
then bind our Subject obtained through our authentication control to the WebLogic
Subject that is running the webapp?
3. (Authentication service provider) Our design is for the custom LoginModule
to delegate login calls to the authentication server, and throw more refined
exceptions such as FailedLoginException, PasswordExpiredException, UserAccountLockedException
(all subclassed from LoginException). Another approach is to provide detailed
information such as "password expired" in callbacks. Either way, when the authentication
service provider returns, how can our web application access this refined flag
of the authentication result?
4. Can our custom authentication service provider use a DataSource defined in
a WebLogic server? I ask this question because the DataSource itself is a protected
resource of WebLogic. Will referencing it during authentication initiate another
authentication cycle?
Can anyone who has experienced similar requirements and worked solutions please
give me a hint? I appreciate your guidance.
Regards,
Licheng
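The second requirement above (a new password must not repeat any of the previous 15) is usually enforced by keeping a bounded history of salted password hashes and checking a candidate against each one. The following is an added example written for this thread; it is not the poster's authentication server nor WebLogic code. It assumes each history entry gets its own random salt and is derived with PBKDF2-HMAC-SHA256 from the JDK, and the sample passwords are constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayDeque;
import java.util.Deque;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Bounded password history for one user: rejects reuse of the last HISTORY_DEPTH passwords. */
public class PasswordHistory {
    private static final int HISTORY_DEPTH = 15;
    // Kept low so the demo runs quickly; a production deployment uses a much higher count.
    private static final int ITERATIONS = 10_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    private static final class Entry {
        final byte[] salt;
        final byte[] hash;
        Entry(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Most recent entry first; only salted hashes are stored, never plaintext.
    private final Deque<Entry> history = new ArrayDeque<>();
    private final SecureRandom random = new SecureRandom();

    private static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            try {
                return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword();
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** True if the candidate matches any of the stored recent passwords. */
    public boolean wasUsedRecently(char[] candidate) {
        boolean found = false;
        for (Entry e : history) {
            // Each entry has its own salt, so the candidate is re-derived per entry.
            // Every entry is compared so timing does not reveal which one matched.
            if (MessageDigest.isEqual(derive(candidate, e.salt), e.hash)) {
                found = true;
            }
        }
        return found;
    }

    /** Records a new password; returns false (and stores nothing) if it repeats recent history. */
    public boolean change(char[] newPassword) {
        if (wasUsedRecently(newPassword)) {
            return false;
        }
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        history.addFirst(new Entry(salt, derive(newPassword, salt)));
        while (history.size() > HISTORY_DEPTH) {
            history.removeLast();   // oldest entry falls out of the window
        }
        return true;
    }

    public int size() { return history.size(); }

    public static void main(String[] args) {
        PasswordHistory h = new PasswordHistory();
        // Constructed sample: 16 distinct passwords, so the first one has left the 15-deep window.
        for (int i = 0; i < 16; i++) {
            h.change(("Sample-Pw-" + i).toCharArray());
        }
        System.out.println("entries kept: " + h.size());
        System.out.println("reuse of Sample-Pw-1 accepted: " + h.change("Sample-Pw-1".toCharArray()));
        System.out.println("reuse of Sample-Pw-0 accepted: " + h.change("Sample-Pw-0".toCharArray()));
    }
}
```

In the demo the history holds Sample-Pw-1 through Sample-Pw-15 after sixteen changes, so reusing Sample-Pw-1 is refused while Sample-Pw-0, which has aged out, is accepted. Because each entry carries its own salt, a history check costs one key derivation per stored entry; that is the price of not being able to compare hashes across entries directly.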

"Licheng" == Licheng <[email protected]> writes:
Licheng> Description of problem
Licheng> Our client requires web applications to support its internal security policy beyond
Licheng> normal authentication. This includes:
Licheng> - force password change periodically. This should be performed at logon time.
Licheng> - maintain password history so that a new password would not repeat any of its
Licheng> previous 15 changes.
Licheng> ..
Licheng> We already have an authentication server that satisfy these requirements. However,
Licheng> we would also like to base our solution on WebLogic security framework so that
Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
Licheng> we don't need to use our special cookie to check whether a user is authenticated
Licheng> for every web page in the application). So the best scenario for us is to wrap
Licheng> up this authentication server using WLS 7.0 authentication SSPI.
I believe it's impractical to fit the requirement of forcing a password change
into the standard JAAS interface.
I think the only practical way to do this is to implement a servlet filter that
reads the persistent record of the logged-in user to check for a "force change
password flag". If it finds this, the servlet filter will forward to a page to
change your password. Note that the servlet filter may be hit again when
trying to get to the change password page, so it needs to know to not do the
check in that case.
If you implement this, I would strongly urge you to softcode the "change
password" page URL in your system configuration, and not hardcode it in the
servlet filter.
===================================================================
David M. Karr ; Java/J2EE/XML/Unix/C++
[email protected] ; SCJP; SCWCD
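As an added example that is not part of the original thread (and neither WebLogic's nor the poster's code), here is what the servlet filter described above could look like with the javax.servlet API. The `PasswordPolicyStore` interface, the `passwordPolicyStore` servlet-context attribute and the `changePasswordPath` init-param are assumptions made for this example; how the "force change password" flag is persisted is up to the application. The URL of the change-password page is read from configuration rather than hard-coded, and requests for that page are exempted so the filter does not loop on itself.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Forwards authenticated users whose "must change password" flag is set to the change-password page. */
public class ForcePasswordChangeFilter implements Filter {

    /** Hypothetical lookup of the per-user flag from the application's persistent user record. */
    public interface PasswordPolicyStore {
        boolean mustChangePassword(String username);
    }

    private String changePasswordPath;   // soft-coded: comes from the filter's init-param
    private PasswordPolicyStore store;

    public ForcePasswordChangeFilter() {}

    /** Constructor for manual wiring or tests; the container uses init() instead. */
    public ForcePasswordChangeFilter(PasswordPolicyStore store, String changePasswordPath) {
        this.store = store;
        this.changePasswordPath = changePasswordPath;
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        changePasswordPath = config.getInitParameter("changePasswordPath");
        if (changePasswordPath == null || changePasswordPath.isEmpty()) {
            throw new ServletException("changePasswordPath init-param is required");
        }
        // Assumed wiring: the application publishes its store as a servlet-context attribute.
        store = (PasswordPolicyStore) config.getServletContext().getAttribute("passwordPolicyStore");
        if (store == null) {
            throw new ServletException("passwordPolicyStore context attribute is missing");
        }
    }

    /** Decides whether this request must be diverted to the change-password page. */
    boolean needsRedirect(Principal user, String servletPath) {
        if (user == null) {
            return false;   // not authenticated yet; container-managed login runs first
        }
        if (servletPath != null && servletPath.startsWith(changePasswordPath)) {
            return false;   // already heading to (or posting) the change-password page: avoid a loop
        }
        return store.mustChangePassword(user.getName());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (needsRedirect(request.getUserPrincipal(), request.getServletPath())) {
            request.getRequestDispatcher(changePasswordPath).forward(request, response);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Map the filter to `/*` in web.xml and supply `changePasswordPath` as an `<init-param>` (a context-relative path such as the change-password JSP). The form on that page should submit to a path under the same prefix so the exemption also covers the POST that clears the flag; otherwise the user is bounced back to the page before the new password can be saved.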

Similar Messages

  • ADFS 3.0 and force password change

    I was wondering if anyone knows if ADFS 3.0 supports the AD flag "Force password at first login"?  I know 2.0 does not. I have been integrating Shibboleth with my ADFS and a custom login handler but I would really like to not complicate my
    setup and use straight ADFS if at all possible.  Our ADFS setup would be for SSO into our on-premise SharePoint 2010 server. Even if 3.0 returns an error indicating that the password needs to be changed, at least I can then tell the student that and direct
    them to our FIM server to have them register and set their password.  Any thoughts?
    Thanks
    Joe
    Joe M

    Brian,
    I understand that Azure AD won't store passwords.  This is all on-premise servers, nothing in Azure.  I see that with ADFS 3.0, if the flag is set to change password at next logon, the user does get a different message than if they just typed a
    wrong password.  I guess what I am looking at doing is, instead of them getting the message that their password is expired, redirect them to our FIM server so that they can register for self-service as well as set their new password.  In ADFS 2, the
    returned message was the same whether it was an expired password or a wrong password.  So ADFS 3 is nice in that regard. Now it is just a matter of trying to take advantage of that.  I thought about maybe creating a relying party trust to our
    FIM with a claim on that attribute but I'm just not sure how to go about doing that at the moment.
    Joe M

  • How to implement extra password policies

    What is the best way to configure additional password policies? We are using the
    DefaultAuthenticator, and its only password policy is Minimum length. We'd like
    to add policies that force a change every 6 months, require a mix of numbers and
    alphas, prevent re-use of old passwords, etc.

    "Ken" <[email protected]> wrote in message
    news:3f900716$[email protected]...
    > What is the best way to configure additional password policies? We are using the
    > DefaultAuthenticator, and its only password policy is Minimum length. We'd like
    > to add policies that force a change every 6 months, require a mix of numbers and
    > alphas, prevent re-use of old passwords, etc.
    There are currently no additional password policies that can be configured
    for the Default authenticator. If you need more, then you may have to move to either
    another LDAP server and use the external ldap provider or move to a custom solution
    and write your own atn provider.

  • Roaming profile gets corrupted after password change during session logon.

    When users are forced to change password during logon (after it has expired) their roaming profile gets corrupted. All workstations are Windows 8 and domain is Server 2008 R2. The delete cached profile copies policy is enabled and therefore the issue matches
    exactly with http://support.microsoft.com/kb/971338/en-gb except it's the wrong OS.
    I've been trying to find a hotfix for Windows 8 without any luck so just wondering if anybody managed to get around this issue.

    Hi,
    Have you tried the workaround method in the link? Did it work? Actually, for now, there is still no helpful hotfix to fix this problem.
    In addition, what about changing the password from another client, not Windows 8?
    Roger Lu
    TechNet Community Support

  • Forcing Password Changes

    I've got some scenarios I've been asked to research regarding expiring passwords and preventing account lockouts. We are on Windows 7.
    If a user is logged in while their password expires, is it possible to force a prompt to have them change their password before they log out?
    If a user's screen is locked while their password expires, is it possible to set a password change prompt when they attempt to unlock?
    I guess the theme is: how can password changes be forced before a user can get locked out after password expiration?
    Thanks,
    Matt

    The only thing you can change is the notification about how many days it is before the password expires.
    http://technet.microsoft.com/en-us/library/ee829687(v=ws.10).aspx

  • How to implement forgot password policy in OIM

    Hi,
    I want to implement forgot password Policy on OIM 11g r1.
    Can anyone please help me on this?
    I mean, from where to start and how the flow goes..
    Thanks in Advance :-)

    Forgot Password functionality is OOTB.
    You can configure Forgot Password Question Answers. Go to System Configuration (Advance Console) and search for different properties associated with Challenge Questions Answers.
    OIM.DisableChallengeQuestions
    PCQ.NO_OF_CORRECT_ANSWERS
    XL.IsDupResponseAllowed
    etc..
    You can also add new Challenge Questions as well by adding into Lookup.WebClient.Questions

  • How to adopt the index changes during upgrade

    Hi All,
    Please let me know how to adopt the standard index changes during upgrade. We are not able to change using SPDD.
    Regards
    Anil Kumar K

    Hi Micheal,
           I have posted one query can you answer for that also.
    Actually we are facing a problem in activating the table COEP. It is saying a duplicate field name exists for GEBER. But we have checked all the tables and structures. But no duplicates.
    Please help us..
    Regards
    Anil Kumar K

  • [solved] KDE Forced password change

    Hi, does anyone know how to turn off the fact that the first login of a new user has to change the password? For some reason that app (change password) is failing and the new users can't log in.
    thanks in advance
    --jerry
    Last edited by jk121960 (2012-06-02 18:06:18)

    adamrehard wrote:
    Are you setting the passwords when you create the user?
    I can see why KDE would require a password change if one hasn't been set previously.
    You also could ask for help trying to fix the original issue, which as I understand it, is that the password change app is borked.
    Yeah, the passwords were created when the users were created through the KDE add user utility. I wasn't worried about the change password utility as it is my kids' computer. I installed KDE to move them softly off Windows.
    thanks
    --jerry

  • How to monitor user password changes for users in a database.

    hi All,
    can someone please help me.
    I need to audit the user password changes in a database. I've checked the auditing but audit "alter user" doesn't audit the changes in password, and I've also checked the select * from sys.user_history$; view but didn't find anything useful. So is there a way to trace who changed the password and when?
    Thanks for the help.

    You need something along the lines of http://www.morganslibrary.org/reference/ddl_trigger.html
    or you need to disallow ALTER USER to everyone and write your own PL/SQL and instrument logging the changes.
    Sybrand Bakker
    Senior Oracle DBA

  • How to implement dynamic language change in all Components

    Hi all,
    I'm quite confused because I have an app in which I create a Language object; it is a singleton made using an abstract factory, used for querying the text to be shown in components. It has a simple method:
    public String getText(String fieldName) {}
    which returns text. I also have a config object to know what language I want to have on startup. But the problem occurs when I want to set a dynamic language change during the app run so that all containers get their texts again using the language object (which is another type now). Do you have some ideas??
    I thought about extending all JButtons, Frames, Labels etc... and adding a method:
    void setYourText(Language l) {
        this.setText(l.getText( // and here we have the problem because all fields have unique arguments for getText
    }

    I miss this thread.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6fdae690-0201-0010-a580-d104b459cb44
    This is almost the right solution for my problem.

  • How can i limit password changing?

    Hey guys, I have an iMac, and I have only one account on it. My son likes to change the password of the account; I don't want him to do that. How can I make it so that he will NOT be able to change the password without my permission?
    Is there a program I can install or something? Please let me know as soon as possible.
    Basically I don't want anyone changing the admin password on my iMac without my permission, and since I only have one account on my iMac and everyone knows the password, which is fine, I just don't want them to be ABLE to change the password themselves. I want to be the only one that can change the password.
    Thank you so much
    Message was edited by: lamonsasa

    lamonsasa wrote:
    yes, but I don't want to do that; we use QuickBooks and a virtual machine on this admin account and if I open a different account it will be a mess and I will need to set everything up again,
    I don't really understand what you mean by that. You have important programs in your user account, that (presumably) you don't want anyone to delete or change. Setting up a separate non-admin account takes less than a minute. You can set up fast-user switching so that switching between users is a matter of clicking on your name in the top right corner of the screen. Once in your son's account, he simply cannot change or meddle with anything in your user folder, or change any applications (including Quickbooks). There really is no down-side.
    As other users in this thread have said, if someone knows the admin password for the computer, there's no way to prevent them doing admin things like changing the password. You should very carefully examine why you think your son needs admin access.
    Matt

  • How to implement WEP key change ?

    Hi everyone,
    Once a week, I go and teach English in a pensioners association here in France.
    I have recently been advised that their WEP key had been changed.
    I expected a prompt requesting the new key but it did not happen. It simply does not work.
    How can I re-connect using the new key ?
    I use a MacBook with Yosemite 10.10.2
    Thanks for your help
    Christian

    To support dynamic WEP you will need to set up a RADIUS server for authentication. You would then configure PEAP or EAP-TLS for authentication. IAS (Server 2000, 2003) or NPS (Server 2008) is free, but if you are going to dynamic WEP, why not go with WPA?

  • Implementing dynamic Password change

    Dear friends.
    I am working with SAP .NET, so I am wondering how to solve the first-time login for SAP using .NET as front end.
    Moreover, in SAP the passwords will be changed every 3 months; I would like to know how to handle such scenarios using .NET to handle those changes in SAP.
    Cheers
    Mark

    I assume you want a code sample? Here you are (untested, so consider it as pseudo-code):
    SAPProxy proxy = new SAPProxy();
    Destination dest = new Destination();
    // initialize your Destination accordingly here
    proxy.Connection = Connection.GetConnection(dest);
    bool repeat;
    do
    {
        repeat = false;   // reset each pass, otherwise a successful retry would loop forever
        try
        {
            proxy.Connection.Open();
            // Note: I think that the need to change password causes an exception here, but I'm not sure. So better try..
        }
        catch (Exception ex)
        {
            // Check if the exception was because of password needs to be changed
            PasswordDialog passDlg = new PasswordDialog(dest.Password);
            passDlg.ShowDialog();
            string passwordChangingConnectionString = dest.ConnectionString + " NEWPASS=" + passDlg.NewPassword;
            proxy.Connection.Dispose();
            proxy.Connection = Connection.GetConnection(passwordChangingConnectionString);
            repeat = true;   // retry Open() with the new password
        }
    } while (repeat);
    proxy.Call();

  • Forcing password change

    Is there a mechanism to force a user to change their password after xx days?

    Hi Venky,
    Yes, we are setting the pwdMustChange attribute in OID:
    1) Login to oidadmin.
    2) Go to Password Management Policy
    3) Select Enable from Reset Password upon next time.
    Would be great if you can help with this
    TIA
    Greg

  • How to implement a password/login feature using the package OWA_SEC

    HELLO.....
    I have another question:
    I am using the following versions of Oracle products
    Connected to:
    Oracle9i Release 9.2.0.5.0 - Production
    JServer Release 9.2.0.5.0 - Production
    SQL> select owa_util.get_version from dual;
    GET_VERSION
    9.0.4.0.1
    (version of OWA packages)
    I have successfully compiled the following package:
    (It is based on a package in the text “Oracle Web Application Programming for PL/SQL Developers” by Susan Boardman etc… page 687-688
    The SPEC and BODY code is as follows:
    CREATE OR REPLACE PACKAGE AUTHEN_TEST IS
      FUNCTION AUTHORIZE RETURN BOOLEAN;
      PROCEDURE HELLO_WORLD;
    END;
    CREATE OR REPLACE PACKAGE BODY AUTHEN_TEST IS
      FUNCTION AUTHORIZE RETURN BOOLEAN IS
        v_user VARCHAR2(10);
        v_password VARCHAR2(10);
      BEGIN
        owa_sec.set_protection_realm('The Realm of Testing');
        v_user := UPPER(owa_sec.get_user_id);
        v_password := UPPER(owa_sec.get_password);
        IF v_user = 'PREN' AND v_password = 'HALL' THEN
          RETURN TRUE;
        ELSE
          RETURN FALSE;
        END IF;
      END AUTHORIZE;
      PROCEDURE HELLO_WORLD IS
        v_status BOOLEAN;
      BEGIN
        htp.p('TESTING');
        v_status := authorize;
        IF v_status = TRUE THEN
          htp.p('WENT TO PASSWORD SECTION');
        ELSE
          htp.p('DID NOT GO TO PASSWORD SECTION');
        END IF;
      END HELLO_WORLD;
    END AUTHEN_TEST;
    As I said, the code compiles!
    However what I want it to do is successfully run the following code from the above package:
    owa_sec.set_protection_realm('The Realm of Testing');
    v_user := UPPER(owa_sec.get_user_id);
    v_password := UPPER(owa_sec.get_password);
    I want the user to be asked for a password and login
    Currently when I use the web based application the browser displays:
    TESTING DID NOT GO TO PASSWORD SECTION
    Any advice is appreciated
    Thank You
    Douglas

    Hello,
    The URL:
    http://www.columbia.edu/~br111/plsqltools/configur.htm#1002513
    has useful information related to my question
    Also this post from Paul M was helpful:
    Finding which OWA packages are available for use in the schema/database
    Thanks
    Doug
