JDBC realm and password expiration/lock
In a legacy JSF application, authentication and authorization are implemented using a JDBC realm.
Authentication is done in the following way:
```java
// context is the current FacesContext; login() throws ServletException when the realm rejects the credentials
HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
request.login(username, secret);
```
Authorization is performed by checking user roles:
```
facesContext.externalContext.isUserInRole('restrictedRole')
```
Perhaps the JDBC realm is not as flexible as other frameworks, but it was sufficient for our needs.
Now there is a requirement to handle password expiration and user lockout when authentication fails too many times consecutively. The JDBC realm doesn't support this scenario, so it must be implemented. I found this old question on Stack Overflow, but it is not very useful.
I have some doubts about the correct workflow. I don't know when to check for password expiration: if I perform it after calling
```java
request.login(username, secret);
```
the user is already authenticated and can freely access all the pages he is authorized for. Maybe I can add a filter that redirects to the change password page if he tries to skip it, but I would need some help.
Otherwise I could check password expiration by reading the user's data before authentication, but there is a potential security risk I cannot evaluate correctly. This way, when the password is expired, I cannot validate the credentials (username and password) before redirecting the user to the change password page.
What are the best practices? Do I check password expiration before or after validating the user credentials (both username and password)?
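One workflow that answers the ordering question, as an added example that is not code from the original post. It assumes Servlet 4.0 (`javax.servlet`, so `Filter.init`/`destroy` have defaults), a hypothetical `AccountStore` with assumed lock and expiry columns next to the realm's user table, and a change-password page at `/changePassword.xhtml`. The lock check has to run before `request.login()`, but it returns the same generic failure as a wrong password; the expiry check runs only after the container has validated the credentials, and a filter then keeps the authenticated-but-expired user on the change-password page. Checking expiry before authentication, by contrast, tells an unauthenticated caller something about the account.

```java
// Added example, not code from the original post. Assumes Servlet 4.0 (javax.servlet, so
// Filter.init/destroy have defaults) and a hypothetical AccountStore over the same user table
// the JDBC realm reads; the extra columns, attribute name and page path are assumptions.
import java.io.IOException;
import java.time.Instant;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

public final class LoginService {

    /** Account state the realm does not track (assumed extra columns on the user table). */
    public static final class AccountState {
        public final boolean locked;
        public final Instant passwordExpiresAt;   // null: the password never expires
        public AccountState(boolean locked, Instant passwordExpiresAt) {
            this.locked = locked; this.passwordExpiresAt = passwordExpiresAt;
        }
    }

    /** Hypothetical data access; a JDBC implementation would SELECT/UPDATE the user table. */
    public interface AccountStore {
        AccountState load(String username);                    // null if the user does not exist
        void recordFailure(String username, int maxAttempts);  // failed_attempts++, lock at max
        void recordSuccess(String username);                   // failed_attempts = 0
    }

    /** The page shows one generic message for FAILED whatever the underlying cause. */
    public enum LoginResult { OK, MUST_CHANGE_PASSWORD, FAILED }

    static final String FORCE_CHANGE_ATTR = "mustChangePassword";
    static final String CHANGE_PAGE = "/changePassword.xhtml";
    private final AccountStore store;
    private final int maxAttempts;

    public LoginService(AccountStore store, int maxAttempts) {
        this.store = store; this.maxAttempts = maxAttempts;
    }

    public LoginResult login(HttpServletRequest request, String username, String secret)
            throws ServletException {
        AccountState state = store.load(username);
        // 1. A locked account is refused before the realm is consulted, but with the same
        //    result as a wrong password, so a caller cannot tell "locked" from "wrong".
        if (state != null && state.locked) {
            return LoginResult.FAILED;
        }
        // 2. Credentials are always validated by the container against the JDBC realm.
        //    login() fails when a caller identity is already established, so drop it first.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }
        try {
            request.login(username, secret);
        } catch (ServletException e) {
            if (state != null) {
                store.recordFailure(username, maxAttempts);   // one more strike towards the lock
            }
            return LoginResult.FAILED;
        }
        if (state == null) {        // realm accepted a user the store has no row for: refuse
            request.logout();
            return LoginResult.FAILED;
        }
        // 3. Valid credentials: rotate the session id (session fixation) and reset the counter.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        store.recordSuccess(username);
        // 4. Expired password: the user stays authenticated, but the filter below confines
        //    every request to the change-password page until the flag is cleared.
        if (state.passwordExpiresAt != null && !Instant.now().isBefore(state.passwordExpiresAt)) {
            session.setAttribute(FORCE_CHANGE_ATTR, Boolean.TRUE);
            return LoginResult.MUST_CHANGE_PASSWORD;
        }
        session.removeAttribute(FORCE_CHANGE_ATTR);
        return LoginResult.OK;
    }

    /** Redirects a flagged user to the change-password page for every other application URL. */
    @WebFilter("/*")
    public static final class PasswordExpiredFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession session = request.getSession(false);
            boolean mustChange = session != null
                    && Boolean.TRUE.equals(session.getAttribute(FORCE_CHANGE_ATTR));
            String path = request.getRequestURI().substring(request.getContextPath().length());
            boolean allowed = path.equals(CHANGE_PAGE)
                    || path.startsWith("/javax.faces.resource/");   // CSS/JS used by that page
            if (mustChange && !allowed) {
                ((HttpServletResponse) res).sendRedirect(request.getContextPath() + CHANGE_PAGE);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

The change-password bean is expected to remove the `mustChangePassword` session attribute only after the new password has been stored (and to call `request.logout()` if the user abandons the page), and the login page must render a single message for `FAILED`; a distinct "account locked" message would hand an attacker a way to confirm valid usernames.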
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
