
shibboleth-dev - Re: [Shib-Dev] Username/Password Login

Subject: Shibboleth Developers

  • From: Chad La Joie
  • Subject: Re: [Shib-Dev] Username/Password Login
  • Date: Fri, 03 Apr 2009 09:36:54 +0200
  • Organization: SWITCH

The answer is the same for every other custom login process request. If
you want to do something custom you need to write a custom login
handler. Whether you choose to use JAAS or not, at that point, is up to you.

Pieter Vandepitte wrote:
> Hi,
>
> I'm new to Shibboleth and I have a "design and implementation" question.
>
> Here at K.U.Leuven we want to add the following functionality to Shibboleth IdP
> v2.x:
>
> After a user has logged in with username/password authentication we want to
> look up some LDAP attrs to check if a user should change its credentials.
> E.g. x days after the last password change, the user gets an intermediate
> page with a warning that the user should change his/her password within y
> days, and after x+y days it should be impossible for that user to
> successfully log in. I have been looking into the documentation and source
> code of the username/password (JAAS) authentication and it seems that it's
> not possible to configure such login "flow".
>
> My first idea was to write a chaining LoginHandler, but then the checks
> should occur before the user is authenticated (because the
> UsernamePasswordLoginServlet authenticates the user and immediately returns
> control to the AuthenticationEngine), which we don't want. Moreover it
> would be nice if the JAAS authentication would provide some hooks for JAAS
> Exceptions: JAAS provides some nice exceptions like
> AccountExpiredException, etc ... and we would like to provide an
> appropriate error page for each exception (currently LoginException is
> caught and the reason for authentication failure is lost).
>
> It seems the only solution is to rewrite the JAAS LoginHandler (or at least
> the Servlet), or does anyone have a brilliant idea?
>
> Cheers,
>
> Pieter
>
>
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
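
The decision logic a custom login handler for this request would need, as an added example that is not part of the original thread and is not Shibboleth code: a password-age check run after authentication succeeds, and a mapping from specific JAAS exceptions to error pages so the failure reason is not lost. The class, method and view names, the 90/14-day values, the inclusive boundaries and the fail-closed handling of a missing LDAP attribute are all assumptions.

```java
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;

// Hypothetical helper: none of these names belong to the Shibboleth IdP API.
final class PasswordAgePolicy {
    enum Outcome { PROCEED, WARN_CHANGE_SOON, DENY_EXPIRED }

    private final long warnAfterDays; // "x" in the message
    private final long graceDays;     // "y" in the message

    PasswordAgePolicy(long warnAfterDays, long graceDays) {
        this.warnAfterDays = warnAfterDays;
        this.graceDays = graceDays;
    }

    // Call only after the password has been verified; lastChange is the
    // value read from LDAP. A missing value is denied (assumed policy).
    Outcome evaluate(LocalDate lastChange, LocalDate today) {
        if (lastChange == null) return Outcome.DENY_EXPIRED;
        long age = ChronoUnit.DAYS.between(lastChange, today);
        if (age >= warnAfterDays + graceDays) return Outcome.DENY_EXPIRED;
        if (age >= warnAfterDays) return Outcome.WARN_CHANGE_SOON;
        return Outcome.PROCEED;
    }

    // Map the concrete JAAS failure to a view instead of collapsing every
    // LoginException into one page. Bad credentials stay on the generic view.
    static String errorViewFor(LoginException e) {
        if (e instanceof CredentialExpiredException) return "password-expired";
        if (e instanceof AccountExpiredException) return "account-expired";
        if (e instanceof AccountLockedException) return "account-locked";
        return "login-failed";
    }

    public static void main(String[] args) {
        PasswordAgePolicy policy = new PasswordAgePolicy(90, 14); // constructed values
        LocalDate today = LocalDate.of(2009, 4, 3);
        for (int age : new int[] {10, 95, 104, 200}) {
            System.out.println(age + " days -> "
                    + policy.evaluate(today.minusDays(age), today));
        }
        System.out.println(errorViewFor(new AccountExpiredException("constructed")));
        System.out.println(errorViewFor(new LoginException("constructed")));
    }
}
```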



