
shibboleth-dev - Username/Password Login

Subject: Shibboleth Developers

  • From: Pieter Vandepitte <>
  • To: "" <>
  • Subject: Username/Password Login
  • Date: Fri, 3 Apr 2009 09:15:47 +0200
  • Accept-language: nl-NL, nl-BE

Hi,

I’m new to Shibboleth and I have a “design and implementation” question.

Here at K.U.Leuven we want to add the following functionality to Shibboleth IdP v2.x:

After a user has logged in with username/password authentication, we want to look up some LDAP attrs to check if a user should change their credentials. E.g. x days after the last password change, the user gets an intermediate page with a warning that the user should change his/her password within y days, and after x+y days it should be impossible for that user to successfully log in. I have been looking into the documentation and source code of the username/password (JAAS) authentication and it seems that it’s not possible to configure such a login “flow”.

My first idea was to write a chaining LoginHandler, but then the checks would have to occur before the user is authenticated (because the UsernamePasswordLoginServlet authenticates the user and immediately returns control to the AuthenticationEngine), which we don’t want. Moreover, it would be nice if the JAAS authentication provided some hooks for JAAS exceptions: JAAS provides some nice exceptions like AccountExpiredException, etc., and we would like to provide an appropriate error page for each exception (currently LoginException is caught and the reason for the authentication failure is lost).

It seems the only solution is to rewrite the JAAS LoginHandler (or at least the Servlet), or does anyone have a brilliant idea?

Cheers,

Pieter



Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm for more information.
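
The password-age flow and per-exception error pages described in the message above, as an added example that is not part of the original post and is not Shibboleth code. The class, method and view names and the x/y values are hypothetical, and the last-change date is assumed to have already been read from LDAP.

```java
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;

public class PasswordAgeCheck {
    enum Outcome { PROCEED, WARN, BLOCK }

    // x and y as in the message: warn from day x, refuse login from day x+y.
    // Treating the boundary days as inclusive is an assumption.
    static Outcome evaluate(LocalDate lastChange, LocalDate today, int x, int y) {
        long age = ChronoUnit.DAYS.between(lastChange, today);
        if (age >= (long) x + y) return Outcome.BLOCK;
        if (age >= x) return Outcome.WARN;
        return Outcome.PROCEED;
    }

    // Run only after the password has been verified; BLOCK becomes a typed
    // JAAS exception so the reason survives to the servlet layer.
    static void enforce(Outcome o) throws LoginException {
        if (o == Outcome.BLOCK)
            throw new CredentialExpiredException("password older than x+y days");
    }

    // Hypothetical view names. Wrong password and unknown user share the
    // generic page so the response does not confirm which accounts exist.
    static String errorView(LoginException e) {
        if (e instanceof CredentialExpiredException) return "password-expired";
        if (e instanceof AccountExpiredException) return "account-expired";
        if (e instanceof AccountLockedException) return "account-locked";
        return "login-failed";
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2009, 4, 3);   // constructed sample data
        int x = 90, y = 14;                           // constructed policy values
        for (int age : new int[] {10, 90, 103, 104, 200}) {
            Outcome o = evaluate(today.minusDays(age), today, x, y);
            String view = o == Outcome.WARN ? "password-warning" : "continue";
            try {
                enforce(o);
            } catch (LoginException e) {
                view = errorView(e);
            }
            System.out.println(age + " days -> " + o + " -> " + view);
        }
    }
}
```

Evaluating the age only after the password check succeeds keeps the expiry and lockout pages from being shown to someone who has not proved knowledge of the credential.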



