How to implement Force password change during authentication
Description of problem
Our client requires web applications to support its internal security policy beyond
normal authentication. This includes:
- force password change periodically. This should be performed at logon time.
- maintain password history so that a new password would not repeat any of its
previous 15 changes.
We already have an authentication server that satisfies these requirements. However,
we would also like to base our solution on WebLogic security framework so that
we can leverage the benefit of the container-managed declarative security (e.g.
we don't need to use our special cookie to check whether a user is authenticated
for every web page in the application). So the best scenario for us is to wrap
up this authentication server using WLS 7.0 authentication SSPI.
My initial investigation of WLS 7.0 security framework (based on edocs and the
sample customer security provider codes) convinced me that overall, this is achievable.
However, I am still left with quite a few questions, which I would like to get
your help.
Questions:
1. (web container) The J2EE-standard container-based authentication is to specify
<login-config> element. My understanding is that only FORM based authentication
is applicable. The specified form elements:
<form method="post" action="j_security_check">
  <INPUT TYPE="TEXT" NAME="j_username">
  <INPUT TYPE="password" NAME="j_password">
</form>
is adequate for authentication. However, if the authentication service provider
indicates that a password change is needed, what would be the most appropriate way
within WebLogic for the authentication service provider to let the web container
know, so that our application can access it? I guess a simpler question would be:
using the standard <login-config>, the webapp knows only whether authentication
fails or succeeds. Can it possibly know more information provided by the
authentication service provider right after authentication?
2. If we don't use standard FORM-based authentication, we will code up our own
authentication control, which could give us a lot more flexibility, but can we
then bind the Subject obtained through our authentication control to the WebLogic
Subject that is running the webapp?
3. (Authentication service provider) Our design is for the custom LoginModule
to delegate login calls to the authentication server and throw more refined
exceptions such as FailedLoginException, PasswordExpiredException, UserAccountLockedException
(all subclassed from LoginException). Another approach is to provide detailed
information such as "password expired" in callbacks. Either way, when the authentication
service provider returns, how can our web application access this refined flag
of the authentication result?
4. Can our custom authentication service provider use a DataSource defined in
a WebLogic server? I ask this question because the DataSource itself is a protected
resource of WebLogic. Will referencing it during authentication initiate another
authentication cycle?
Can anyone who has experienced similar requirements and worked solutions please
give me a hint? I appreciate your guidance.
regards
Licheng
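The password-history requirement in the post above (a new password must not repeat any of the previous 15), as an added example that is not part of the original post. It stores one salt plus PBKDF2 hash per remembered password and rejects a candidate that matches any of them; the class and method names (PasswordHistory, change, isReused) and the window size in the demo are assumptions made for this example, not anything from the poster's authentication server.

```java
// Added example (not from the original post): a password-history check for the
// "no repeat of the previous N passwords" requirement. Names such as
// PasswordHistory, change and isReused are assumptions made for this example.
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.LinkedList;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHistory {
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100000;   // PBKDF2 work factor; tune to your hardware
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    private final int depth;                        // how many passwords are remembered
    // newest first; each entry is salt || PBKDF2 hash
    private final LinkedList<byte[]> entries = new LinkedList<byte[]>();

    /** @param depth passwords remembered, current one included (16 = current + previous 15). */
    public PasswordHistory(int depth) {
        if (depth < 1) {
            throw new IllegalArgumentException("depth must be >= 1");
        }
        this.depth = depth;
    }

    /**
     * Records a newly chosen password. Returns false, and records nothing,
     * when the password matches any remembered one.
     */
    public boolean change(char[] newPassword) throws GeneralSecurityException {
        if (isReused(newPassword)) {
            return false;
        }
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                        // fresh salt per entry: equal passwords hash differently
        byte[] hash = derive(newPassword, salt);
        byte[] entry = new byte[SALT_BYTES + hash.length];
        System.arraycopy(salt, 0, entry, 0, SALT_BYTES);
        System.arraycopy(hash, 0, entry, SALT_BYTES, hash.length);
        entries.addFirst(entry);
        while (entries.size() > depth) {
            entries.removeLast();                   // oldest password falls out of the window
        }
        return true;
    }

    /** True if the candidate equals any remembered password. */
    public boolean isReused(char[] candidate) throws GeneralSecurityException {
        boolean reused = false;
        for (byte[] entry : entries) {
            byte[] salt = Arrays.copyOfRange(entry, 0, SALT_BYTES);
            byte[] stored = Arrays.copyOfRange(entry, SALT_BYTES, entry.length);
            // Constant-time compare and no early exit, so response time does not
            // reveal which history slot (if any) matched.
            if (MessageDigest.isEqual(stored, derive(candidate, salt))) {
                reused = true;
            }
        }
        return reused;
    }

    public int size() {
        return entries.size();
    }

    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                   // wipe the spec's own copy of the password
        }
    }

    /** Demo with a window of 2 to keep the run short; use 16 for the policy above. */
    public static void main(String[] args) throws GeneralSecurityException {
        PasswordHistory h = new PasswordHistory(2);
        System.out.println("first set:        " + h.change("correct horse".toCharArray()));
        System.out.println("repeat current:   " + h.change("correct horse".toCharArray()));
        System.out.println("new password:     " + h.change("battery staple".toCharArray()));
        System.out.println("repeat previous:  " + h.change("correct horse".toCharArray()));
        System.out.println("another new one:  " + h.change("third one".toCharArray()));
        System.out.println("evicted, allowed: " + h.change("correct horse".toCharArray()));
    }
}
```

Each history entry carries its own salt, so checking a candidate costs one PBKDF2 derivation per remembered password; with a window of 16 that is a noticeable but acceptable cost on a password-change form. The entries (not the passwords) are what would be persisted alongside the user record in the authentication server.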
"Licheng" == Licheng <[email protected]> writes:
Licheng> Description of problem
Licheng> Our client requires web applications to support its internal security policy beyond
Licheng> normal authentication. This includes:
Licheng> - force password change periodically. This should be performed at logon time.
Licheng> - maintain password history so that a new password would not repeat any of its
Licheng> previous 15 changes.
Licheng> ..
Licheng> We already have an authentication server that satisfy these requirements. However,
Licheng> we would also like to base our solution on WebLogic security framework so that
Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
Licheng> we don't need to use our special cookie to check whether a user is authenticated
Licheng> for every web page in the application). So the best scenario for us is to wrap
Licheng> up this authentication server using WLS 7.0 authentication SSPI.
I believe it's impractical to fit the requirement of forcing a password change
into the standard JAAS interface.
I think the only practical way to do this is to implement a servlet filter that
reads the persistent record of the logged-in user to check for a "force change
password flag". If it finds this, the servlet filter will forward to a page to
change your password. Note that the servlet filter may be hit again when
trying to get to the change password page, so it needs to know to not do the
check in that case.
If you implement this, I would strongly urge you to softcode the "change
password" page URL in your system configuration, and not hardcode it in the
servlet filter.
===================================================================
David M. Karr ; Java/J2EE/XML/Unix/C++
[email protected] ; SCJP; SCWCD
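The servlet-filter approach described in the reply above, as an added example that is not part of the original post. The filter runs after the container has authenticated the user, looks up a persistent "must change password" flag, exempts the change-password page itself so it cannot loop, and takes that page's URL from an init-param rather than hardcoding it. The class name ForcePasswordChangeFilter, the MustChangeStore interface, its in-memory implementation, the servlet-context attribute used to find it, and the init-param name changePasswordPath are all assumptions made for this example.

```java
// Added example (not from the original post): a servlet filter implementing the
// "force password change" check described in the reply above. Names such as
// ForcePasswordChangeFilter, MustChangeStore and the init-param
// changePasswordPath are assumptions made for this example.
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForcePasswordChangeFilter implements Filter {

    /** Persistent "must change password" flag, keyed by user name (assumed interface). */
    public interface MustChangeStore {
        boolean mustChangePassword(String username);
    }

    /** In-memory store for demonstration; a real one reads the authentication server's record. */
    public static class InMemoryMustChangeStore implements MustChangeStore {
        private final Set<String> flagged = Collections.synchronizedSet(new HashSet<String>());
        public void flag(String username)  { flagged.add(username); }
        public void clear(String username) { flagged.remove(username); }  // call after a successful change
        public boolean mustChangePassword(String username) { return flagged.contains(username); }
    }

    private String changePasswordPath;   // soft-coded via web.xml init-param, as the reply recommends
    private MustChangeStore store;

    public void init(FilterConfig config) throws ServletException {
        changePasswordPath = config.getInitParameter("changePasswordPath");
        if (changePasswordPath == null || !changePasswordPath.startsWith("/")) {
            throw new ServletException("init-param changePasswordPath must be a context-relative path");
        }
        // Assumption: a startup servlet has placed the store in the servlet context.
        store = (MustChangeStore) config.getServletContext()
                .getAttribute(MustChangeStore.class.getName());
        if (store == null) {
            throw new ServletException("no MustChangeStore registered in the servlet context");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Not authenticated yet: leave that to the container's <security-constraint>
        // and <login-config>; the flag only makes sense for a known principal.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            chain.doFilter(req, res);
            return;
        }

        // Exempt the change-password page itself, otherwise this filter would
        // bounce the user back to it forever. Exact match, not a prefix, so only
        // that one resource is exempt.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        if (path.equals(changePasswordPath)) {
            chain.doFilter(req, res);
            return;
        }

        if (store.mustChangePassword(user.getName())) {
            // Redirect rather than forward so the browser's URL shows the change
            // page and its form posts back to it, where the exemption above applies.
            response.sendRedirect(request.getContextPath() + changePasswordPath);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Map the filter to /* in web.xml with an init-param such as changePasswordPath=/changePassword.jsp, and put that page inside the same security-constraint as the rest of the application so it is only reachable once authenticated. The change-password handler is responsible for clearing the flag (and updating the password history) after a successful change; until it does, every other protected request keeps redirecting.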
Similar Messages
-
ADFS 3.0 and force password change
I was wondering if anyone knows if ADFS 3.0 supports the AD flag "Force password change at first login"? I know 2.0 does not. I have been integrating Shibboleth with my ADFS and a custom login handler, but I would really like to not complicate my
setup and use straight ADFS if at all possible. Our ADFS setup would be for SSO into our on-premise SharePoint 2010 server. Even if 3.0 returns an error indicating that the password needs to be changed, at least I can then tell the student that and direct
them to our FIM server to have them register and set their password. Any thoughts?
Thanks
Joe
Joe M
Brian,
I understand that Azure AD won't store the password. This is all on-premise servers, nothing in Azure. I see that with ADFS 3.0, if the flag is set to change password at next logon, the user does get a different message than if they just typed a
wrong password. I guess what I am looking at doing is, instead of them getting the message that their password is expired, redirect them to our FIM server so that they can register for self-service as well as set their new password. In ADFS 2, the
returned message was the same whether it was an expired password or a wrong password. So ADFS 3 is nice in that regard. Now it is just a matter of trying to take advantage of that. I thought about maybe creating a relying party trust to our
FIM with a claim on that attribute but I'm just not sure how to go about doing that at the moment.
Joe M
-
How to implement extra password policies
What is the best way to configure additional password policies? We are using the
DefaultAuthenticator, and its only password policy is Minimum length. We'd like
to add policies that force a change every 6 months, require a mix of numbers and
alphas, prevent re-use of old passwords, etc.
"Ken" <[email protected]> wrote in message
news:3f900716$[email protected]..
> What is the best way to configure additional password policies? We are using the
> DefaultAuthenticator, and its only password policy is Minimum length. We'd like
> to add policies that force a change every 6 months, require a mix of numbers and
> alphas, prevent re-use of old passwords, etc.
There are currently no additional password policies that can be configured
for the Default authenticator. If you need more, then you may have to move to either another
LDAP server and use the external ldap provider, or move to a custom solution and
write your own atn provider.
-
Roaming profile gets corrupted after password change during session logon.
When users are force to change password during logon (after it has expired) their roaming profile gets corrupted. All workstations are Windows 8 and domain is Server 2008 R2. The delete cached profile copies policy is enabled and therefore the issue matches
exactly with http://support.microsoft.com/kb/971338/en-gb except it's the wrong OS.
I've been trying to find a hotfix for Windows 8 without any luck, so just wondering if anybody managed to get around this issue.
Hi,
Have you tried the workaround method in the link? Did it work? Actually, for now, there is still no helpful hotfix to fix this problem.
In addition, what about changing the password from another client, not Windows 8?
Roger Lu
TechNet Community Support
-
I've got some scenarios I've been asked to research regarding expiring passwords and preventing account lockouts. We are on Windows 7.
If a user is logged in while their password expires, is it possible to force a prompt to have them change their password before they log out.
If a user's screen is locked while their password expires, is it possible to set a password change prompt when they attempt to unlock?
I guess the theme is how can password changes be forced before a user can get locked out after password expiration???
Thanks,
Matt
The only thing you can change is the notification about how many days it is before the password expires.
http://technet.microsoft.com/en-us/library/ee829687(v=ws.10).aspx
-
How to implement forgot password policy in OIM
Hi,
I want to implement forgot password Policy on OIM 11g r1.
Can any one please help me on this.
I mean from where to start and how is the follows goes..
Thanks in Advance :-)
Forgot Password functionality is OOTB.
You can configure Forgot Password Question Answers. Go to System Configuration (Advance Console) and search for different properties associated with Challenge Questions Answers.
OIM.DisableChallengeQuestions
PCQ.NO_OF_CORRECT_ANSWERS
XL.IsDupResponseAllowed
etc..
You can also add new Challenge Questions as well by adding into Lookup.WebClient.Questions
-
How to adopt the index changes during upgrade
Hi All,
Please let me know how to adopt the standard index changes during upgrade. We are not able to change using SPDD.
Regards
Anil Kumar K
Hi Micheal,
I have posted one query can you answer for that also.
Actually we are facing a problem in activating the table COEP. It is saying duplicate field name exist for GEBER. But we have checked all the tables and structures.But no duplicates.
Please help us..
Regards
Anil Kumar K
-
[solved] KDE Forced password change
Hi, Does anyone know how to turn off the fact that the first login of a new user has to change the password? For some reason that app(change password) is failing and the new users can't login.
thanks in advance
--jerry
Last edited by jk121960 (2012-06-02 18:06:18)
adamrehard wrote:
Are you setting the passwords when you create the user?
I can see why KDE would require a password change if one hasn't been set previously.
You also could ask for help trying to fix the original issue, which as I understand it, is that the password change app is borked.
Yea, the passwords were created when the users were created through the KDE add user utility. I wasn't worried about the change password utility as it is my kids' computer. I installed KDE to move them softly off Windows.
thanks
--jerry
-
How to monitor user password changes for users in a database.
hi All,
can someone please help me.
I need to audit the user password changes in a database. I've checked the auditing, but audit "alter user" doesn't audit the changes in password, and I've also checked the select * from sys.user_history$; view but didn't find anything useful. So is there a way to trace who changed the password and when?
Thanks for the help.
You need something along the lines of http://www.morganslibrary.org/reference/ddl_trigger.html
or you need to disallow ALTER USER to everyone and write your own PL/SQL and instrument logging the changes.
Sybrand Bakker
Senior Oracle DBA
-
How to implement dynamic language change in all Components
Hi all,
I'm quite confused because I have an app in which I create a Language object; it is a singleton made using an abstract factory, used for querying text to be shown in components. It has a simple method:
public String getText(String fieldName) {}
Which returns text. I also have a config object to know what desired language I want to have on startup. But the problem occurs when I want to set a dynamic language change during the app run so all containers get their texts again using the language object (which is another type now). Do you have some ideas??
I thought about extending all JButtons,Frames,Labels etc... and adding method:
void setYourText(Language l) { this.setText(l.getText(// and here we have problem because all fields have unique arguments for getText
}
I miss this thread.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6fdae690-0201-0010-a580-d104b459cb44
This is almost the right solution for my problem.
-
How can i limit password changing?
hey guys i have an imac, and i have only one account on it, my son likes to change the password of the account , i dont want him to do that, how can i make it so that he will NOT be able to change to password without my permission?
is there a program i can install or something? please let me know as soon as possible.
basically i dont want anyone changing the admin password on my iamc without my permission and since i only have one account on my imac and everyone knows the password which is fine, i just dont want them to be ABLE to change the password themselves, i want to be the only one that can change the password
thank u so much
Message was edited by: lamonsasa
lamonsasa wrote:
yes but i dont want to do that, we use quickbooks and virtua machine on this admin account and if i open a different account it will be a mess and i will need to set everything up again,
I don't really understand what you mean by that. You have important programs in your user account, that (presumably) you don't want anyone to delete or change. Setting up a separate non-admin account takes less than a minute. You can set up fast-user switching so that switching between users is a matter of clicking on your name in the top right corner of the screen. Once in your son's account, he simply cannot change or meddle with anything in your user folder, or change any applications (including Quickbooks). There really is no down-side.
As other users in this thread have said, if someone knows the admin password for the computer, there's no way to prevent them doing admin things like changing the password. You should very carefully examine why you think your son needs admin access.
Matt
-
How to implement WEP key change ?
Hi everyone,
Once a week, I go and teach English in a pensioners association here in France.
I have recently been advised that their WEP key had been changed.
I expected a prompt requesting the new key but it did not happen. It simply does not work.
How can I re-connect using the new key ?
I use a MacBook with Yosemite 10.10.2
Thanks for your help
Christian
To support dynamic WEP you will need to set up a RADIUS server for authentication. You would then configure PEAP or EAP-TLS for authentication. IAS (Server 2000, 2003) or NPS (Server 2008) is free, but if you are going to dynamic WEP why not go with WPA.
-
Implementing dynamic Password change
Dear friends.
I am working with SAP.Net So i am wondering how to solve the first time login for SAP using .Net as front end.
Moreover in the SAP Passwords will be changed every 3 months i would like to know how to handle such scenarios using .net to handle those changes in the SAP.
Cheers
Mark
I assume you want a code sample? Here you are (untested, so consider it as pseudo-code):
SAPProxy proxy = new SAPProxy();
Destination dest = new Destination();
// initialize your Destination accordingly here
proxy.Connection = Connection.GetConnection(dest);
bool repeat;
do
{
    repeat = false;   // reset each pass so the loop ends once Open() succeeds
    try
    {
        proxy.Connection.Open();
        // Note: I think that the need to change password causes an exception here, but I'm not sure. So better try..
    }
    catch (Exception ex)
    {
        // Check if the exception was because of password needs to be changed
        PasswordDialog passDlg = new PasswordDialog(dest.Password);
        passDlg.ShowDialog();
        string passwordChangingConnectionString = dest.ConnectionString + " NEWPASS=" + passDlg.NewPassword;
        proxy.Connection.Dispose();
        proxy.Connection = Connection.GetConnection(passwordChangingConnectionString);
        repeat = true;
    }
} while (repeat);
proxy.Call();
-
Is there a mechanism to force a user to change their password after xx days?
Hi Venky,
Yes we are setting the pwdMustChange attribute in OID:
1) Login to oidadmin.
2) Go to Password Management Policy
3) Select Enable from Reset Password upon next time.
Would be great if you can help with this
TIA
Greg
-
How to implement a password/login feature using the package OWA_SEC
HELLO.....
I have another question:
I am using the following versions of Oracle products
Connected to:
Oracle9i Release 9.2.0.5.0 - Production
JServer Release 9.2.0.5.0 - Production
SQL> select owa_util.get_version from dual;
GET_VERSION
9.0.4.0.1
(version of OWA packages)
I have successfully compiled the following package:
(It is based on a package in the text Oracle Web Application Programming for PL/SQL Developers by Susan Boardman etc page 687-688
The SPEC and BODY code is as follows:
CREATE OR REPLACE PACKAGE AUTHEN_TEST IS
  FUNCTION AUTHORIZE RETURN BOOLEAN;
  PROCEDURE HELLO_WORLD;
END;
/
CREATE OR REPLACE PACKAGE BODY AUTHEN_TEST IS
  FUNCTION AUTHORIZE RETURN BOOLEAN IS
    v_user     VARCHAR2(10);
    v_password VARCHAR2(10);
  BEGIN
    owa_sec.set_protection_realm('The Realm of Testing');
    v_user     := UPPER(owa_sec.get_user_id);
    v_password := UPPER(owa_sec.get_password);
    IF v_user = 'PREN' AND v_password = 'HALL' THEN
      RETURN TRUE;
    ELSE
      RETURN FALSE;
    END IF;
  END AUTHORIZE;
  PROCEDURE HELLO_WORLD IS
    v_status BOOLEAN;
  BEGIN
    htp.p('TESTING');
    v_status := authorize;
    IF v_status = TRUE THEN
      htp.p('WENT TO PASSWORD SECTION');
    ELSE
      htp.p('DID NOT GO TO PASSWORD SECTION');
    END IF;
  END HELLO_WORLD;
END AUTHEN_TEST;
/
As I said the code compiles!!
However what I want it to do is successfully run the following code from the above package:
owa_sec.set_protection_realm('The Realm of Testing');
v_user := UPPER(owa_sec.get_user_id);
v_password := UPPER(owa_sec.get_password);
I want the user to be asked for a password and login
Currently when I use the web based application the browser displays:
TESTING DID NOT GO TO PASSWORD SECTION
Any advice is appreciated
Thank You
Douglas
Hello,
The URL:
http://www.columbia.edu/~br111/plsqltools/configur.htm#1002513
has useful information related to my question
Also this post from Paul M was helpful:
Finding which OWA packages are available for use in the schema/database
Thanks
Doug