Customizing login procedure in a java web application
23-08-2019
Question
I'm writing a Java application which needs to perform an unusual login procedure. One of my problems is that the user needs to supply more than a simple username/password combination. Specifically, a username/password/domain combination is required.
Another problem is that my application enforces some password lifetime rules (e.g. a password becomes invalid after 90 days). The authentication server that I use will refuse authentication when a password is expired and forces the user to choose a new one. Therefore my login process must be able to handle that.
Unfortunately the standard j_security_check servlet does not allow me to do any of that. Is there any way to create a custom and safe login procedure for a Java web application?
Note: the problem with supplying the domain can be worked around by having users enter username\domain instead of just username in the j_username field and then let a custom realm decode that. This is however a bit kludgy and doesn't solve the second problem anyway.
Solution
The JAAS security interface allows you to create a custom login module. This login module will allow you to have any security checking that you like. I suggest that you look at the information on JAAS.
Here are some of the links I used to help understand JAAS:
http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module
http://www.javaworld.com/jw-09-2002/jw-0913-jaas.html
Also have a look at the Apache Tomcat realms configuration how-to:
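As an added illustration of the custom JAAS module the answer recommends (example code, not from the answer or any linked project): a LoginModule that collects the third "domain" field through a TextInputCallback and reports an expired password as CredentialExpiredException, which the login servlet can catch and turn into a redirect to a password-change form. The class name, the abstract verify() hook, and the 90-day rule taken from the question are assumptions; a concrete subclass supplies the call to the real authentication server.

```java
import java.io.IOException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Assumed custom JAAS LoginModule: asks for username, password AND domain via
// callbacks, enforces the 90-day password lifetime, and signals expiry with
// CredentialExpiredException rather than a generic login failure.
public abstract class DomainLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean succeeded;
    // Supplied by a concrete subclass: ask the authentication server to verify the
    // credentials and return when the password was last changed, or throw.
    protected abstract Instant verify(String domain, String user, char[] password)
            throws FailedLoginException;
    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { handler = h; }
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        TextInputCallback domainCb = new TextInputCallback("domain"); // the extra field
        try {
            handler.handle(new Callback[] { nameCb, passCb, domainCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials: " + e.getMessage());
        }
        char[] password = passCb.getPassword(); // getPassword() hands back a copy
        passCb.clearPassword();
        try {
            Instant lastChanged = verify(domainCb.getText(), nameCb.getName(), password);
            if (lastChanged.plus(90, ChronoUnit.DAYS).isBefore(Instant.now())) {
                throw new CredentialExpiredException("password older than 90 days");
            }
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text copy around
        }
        succeeded = true;
        return true;
    }
    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

The login servlet drives this with `new LoginContext("MyApp", callbackHandler).login()` and catches CredentialExpiredException separately from FailedLoginException, so only users whose credentials actually verified are sent to the change-password page.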
OTHER TIPS
Are you considering Spring Security? These are some suggestions regarding password expiration.