shibboleth-dev - Re: [Shib-Dev] Creating a Custom LoginHandler for Novell's eDirectory to handle Grace Logins/Expired Passwords

  • From: Brent Putman <>
  • To:
  • Subject: Re: [Shib-Dev] Creating a Custom LoginHandler for Novell's eDirectory to handle Grace Logins/Expired Passwords
  • Date: Tue, 26 Apr 2011 17:44:11 -0400



On 4/26/11 3:57 PM, Khanna, Sumit (khannast) wrote:

> The Handler looks very basic. Even looking at the AbstractHandler, I
> don't entirely understand how the username/password is passed to the
> JAAS provider,



The call to the JAAS framework is really in the
UsernamePasswordLoginServlet, not in the login handler, so that's where
you'd look to understand how the username and password are actually
being validated. The login handler pretty much just redirects them to
the servlet.


> but it seems I was looking in the wrong place to do this
> type of expired password check anyway. I’d want to do it during the
> point where the bind actually occurs so I can read LDAP attributes and
> throw custom exceptions.



You could modify the JAAS provider to throw custom exceptions, or
something, but I don't think that's necessarily the only way to go. You
could do all of the account validation and management things in the web
layer, by just doing an additional LDAP call from the servlet, using a
query with a privileged DN rather than the user's own credentials. Part
of me would say that that is even more natural and might be a better
separation of concerns, since password expiration, etc., doesn't really have
anything to do (directly) with the act of authenticating the user, which
is what JAAS is all about.

But I think modifying the JAAS provider or creating a new one could work
too.
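As an added example (not code from this thread or from the Shibboleth project), here is what the second option above looks like in Java for the IdP 2.x UsernamePasswordLoginServlet: after JAAS (`LoginContext.login()`) has validated the user's own password, the servlet reads the account's policy attributes back with a separate service DN and decides whether the login may proceed. The LDAP URL, the base DN, the cn-based filter, the service DN, and the eDirectory attribute names `loginDisabled`, `passwordExpirationTime` and `loginGraceRemaining` are assumptions of this example; the thread does not specify any of them. The `main` method runs offline on constructed attribute sets standing in for what `lookup()` would return from a real directory.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Hashtable;
import java.util.TimeZone;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Post-authentication account check for eDirectory, run from the web layer with a
 * privileged service DN after JAAS has already validated the user's own password.
 * Attribute names are the usual eDirectory ones but are assumptions of this example.
 */
public class EdirAccountCheck {

    public enum Status { OK, EXPIRED_GRACE_LEFT, EXPIRED_NO_GRACE, DISABLED, NOT_FOUND }

    public static final class Result {
        public final Status status;
        public final int graceRemaining; // meaningful only for EXPIRED_GRACE_LEFT
        Result(Status status, int graceRemaining) { this.status = status; this.graceRemaining = graceRemaining; }
    }

    private static final String[] ATTRS = { "loginDisabled", "passwordExpirationTime", "loginGraceRemaining" };

    /** Read the user's policy attributes with a service DN, never with the user's own credentials. */
    public static Attributes lookup(String ldapUrl, String serviceDn, String servicePassword,
                                    String baseDn, String username) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl); // e.g. ldaps://edir.example.org:636 (assumed)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(ATTRS);
            // {0} is a JNDI filter argument: JNDI escapes it, so the username cannot inject filter syntax.
            NamingEnumeration<SearchResult> hits = ctx.search(baseDn, "(cn={0})", new Object[] { username }, sc);
            if (!hits.hasMore()) {
                return null;
            }
            Attributes attrs = hits.next().getAttributes();
            if (hits.hasMore()) {
                throw new NamingException("cn is not unique under " + baseDn + ": " + username);
            }
            return attrs;
        } finally {
            ctx.close();
        }
    }

    /** Decide what to do with an already-authenticated user from the attributes read back. */
    public static Result evaluate(Attributes attrs, Date now) throws NamingException, ParseException {
        if (attrs == null) {
            return new Result(Status.NOT_FOUND, 0);
        }
        if ("TRUE".equalsIgnoreCase(value(attrs, "loginDisabled"))) {
            return new Result(Status.DISABLED, 0);
        }
        String expires = value(attrs, "passwordExpirationTime");
        if (expires == null) {
            return new Result(Status.OK, 0); // no expiration set on this account
        }
        // The value is LDAP GeneralizedTime in UTC, e.g. 20110420000000Z
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        fmt.setLenient(false);
        if (fmt.parse(expires).after(now)) {
            return new Result(Status.OK, 0);
        }
        String grace = value(attrs, "loginGraceRemaining");
        int left = grace == null ? 0 : Integer.parseInt(grace.trim());
        return left > 0 ? new Result(Status.EXPIRED_GRACE_LEFT, left) : new Result(Status.EXPIRED_NO_GRACE, 0);
    }

    private static String value(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return a == null ? null : String.valueOf(a.get());
    }

    /** Offline demo on constructed entries; a real deployment feeds evaluate() from lookup(). */
    public static void main(String[] args) throws Exception {
        Date now = new Date();
        BasicAttributes current = new BasicAttributes(true);
        current.put("passwordExpirationTime", "20991231235959Z");
        BasicAttributes graced = new BasicAttributes(true);
        graced.put("passwordExpirationTime", "20110420000000Z");
        graced.put("loginGraceRemaining", "2");
        BasicAttributes exhausted = new BasicAttributes(true);
        exhausted.put("passwordExpirationTime", "20110420000000Z");
        exhausted.put("loginGraceRemaining", "0");
        BasicAttributes disabled = new BasicAttributes(true);
        disabled.put("loginDisabled", "TRUE");
        for (Attributes a : new Attributes[] { current, graced, exhausted, disabled, null }) {
            Result r = evaluate(a, now);
            System.out.println(r.status + (r.status == Status.EXPIRED_GRACE_LEFT ? " (" + r.graceRemaining + " left)" : ""));
        }
    }
}
```

In the servlet this sits right after the JAAS login succeeds: `EXPIRED_NO_GRACE` and `DISABLED` are treated as authentication failures, `EXPIRED_GRACE_LEFT` lets the session proceed but is the point at which to warn the user or send them to a password-change page, and `NOT_FOUND` should be logged and treated as a failure rather than silently allowed. Two caveats worth keeping in mind: eDirectory counts the user's own bind with an expired password as a grace login, so the count read back here is the one left after the JAAS bind that just happened, and the service DN used for the read should be granted read rights to only these attributes, with its password kept outside the webapp's deployable.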



