Question

I'm writing a java application which needs to perform an unusual login procedure. One of my problems is that the user needs to supply more than a simple username/password combination. Specifically, a username/password/domain combination is required.

Another problem is that my application enforces some password lifetime rules (eg: a password becomes invalid after 90 days). The authentication server that I use will refuse authentication when a password is expired and forces the user to choose a new one. Therefore my login process must be able to handle that.

Unfortunately the standard j_security_check servlet does not allow me to do any of that. Is there any way to create a custom and safe login procedure for a Java web application?

Note: the problem with supplying the domain can be worked around by having users enter username\domain instead of just username in the j_username field and then let a custom realm decode that. This is however a bit kludgy and doesn't solve the second problem anyway.


Solution

The JAAS security interface allows you to create a custom login module. This login module will allow you to have any security checking that you like. I suggest that you look at the information on JAAS.

Here are some of the links I used to help understand JAAS:

http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module

http://www.javaworld.com/jw-09-2002/jw-0913-jaas.html

http://www.jaasbook.com/

http://roneiv.wordpress.com/2008/02/18/jaas-authentication-mechanism-is-it-possible-to-force-j_security_check-to-go-to-a-specific-page/

Also have a look at the Apache tomcat realms configuration how-to:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
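As an added illustration (not code from the answer, Tomcat or any linked project), here is a sketch of such a JAAS LoginModule: it collects username, password and domain through three callbacks, and reports an expired password as a distinct CredentialExpiredException so the web tier can route the user to a change-password page instead of a plain failure. DomainLoginModule, AuthResult and backendCheck are hypothetical names; backendCheck stands in for the call to the real authentication server.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS LoginModule: username + password + domain, with expired-password signalling. */
public class DomainLoginModule implements LoginModule {
    enum AuthResult { OK, EXPIRED, INVALID }   // constructed outcome of the backend check

    private Subject subject;
    private CallbackHandler handler;
    private String principalName;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        // The third callback carries the domain; the web tier's CallbackHandler must fill it in.
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        TextInputCallback domain = new TextInputCallback("domain: ");
        try {
            handler.handle(new Callback[] { name, pw, domain });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] secret = pw.getPassword();
        try {
            AuthResult r = backendCheck(domain.getText(), name.getName(), secret);
            if (r == AuthResult.EXPIRED)   // distinct exception: caller can redirect to "change password"
                throw new CredentialExpiredException("password expired for " + name.getName());
            if (r != AuthResult.OK) throw new FailedLoginException("invalid credentials");
            principalName = domain.getText() + "\\" + name.getName();
            return succeeded = true;
        } finally {
            if (secret != null) Arrays.fill(secret, '\0'); // scrub the password copy
            pw.clearPassword();
        }
    }

    public boolean commit() { if (succeeded) subject.getPrincipals().add(() -> principalName); return succeeded; }
    public boolean abort()  { succeeded = false; principalName = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); succeeded = false; return true; }

    /** Placeholder (assumption) for the real authentication-server call; never accepts by default. */
    private AuthResult backendCheck(String domain, String user, char[] pw) { return AuthResult.INVALID; }
}
```

The login page's servlet catches CredentialExpiredException from LoginContext.login() separately from FailedLoginException, which is what lets the expired-password case get its own handling.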

OTHER TIPS

Are you considering Spring security? These are some suggestions regarding password expiration.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow