Liferay : Redirect to change Password after auto login

Question

I wanted a functionality wherein when I create a user for the first time I give an auto login url for that user in the user creation mail in Liferay.

In my Auto Login implementation I checked whether the user has loggedin for the first time or not. If it is a first time login, the user is authenticated automatically and if not the portal's login page is seen. I have been successful doing this.

But now what I want is that once auto logged in the user is redirected to portal's reset password page. In which event this can be done correctly (In which event to set the hook.) and what is the portal's redirection url? Any help would be appreciated.

Thanks in advance.

Answer 1

Finally, I got it working.

I just needed to set the password reset of the Liferay user to true whenever I found out that the user's password modified date as null in the auto login implementation. Liferay's PortalRequestProcessor has an internal logic to return to update password page if it sees the user's passwordReset flag as true.

public class MyAutoLogin implements AutoLogin
{
    @Override
    public String[] login(HttpServletRequest request, HttpServletResponse response) throws AutoLoginException
    {
        //Get user details from auto Login request params

        if (null == user.getPasswordModifiedDate())
        {
            user.setPasswordReset(true);
            return credentials;
        }
        return null;
    }

}

By returning credentials inside the if condition I ensured that Auto Login is enabled only for those users who have not changed their password even once post their account creation on Liferay.

Answer 2

How about an easier solution?

In your first email to the user, tell them that they can obtain such an autologin once they have signed on for the first time.

On the Liferay side, have a password policy that demands the password to be changed - or flag the user explicitly to change their password.

This way Liferay fully takes care of the user account handling, you don't risk missing some hole in the authentication (this is the one area that you don't want to mess up in), while still having all the benefits.

You can implement a custom portlet and place it on the user's personal page, or on any other page in the portal.

Answer 3

You can do it directly the AutoLogin class:

public class MyAutoLogin implements AutoLogin {
    @Override
    public String[] login(HttpServletRequest request, HttpServletResponse response) throws AutoLoginException {
        ...
        if(userShouldBeRedirected){
            response.sendRedirect(redirectUrl);
        }
    }
    //UPDATE
    return credentials;
}