JavaRanch » Java Forums » Engineering » Security
changing password after jaas login, update the Subject?

Busty Sinclair
Greenhorn

Joined: Jun 06, 2002
Posts: 23
Hi
I have extended the JAAS UsernamePasswordLoginModule for my login. I have a console where I change the logged-in user's password. This results in the need to log in again to do anything else, presumably because the principal no longer matches what's in the DB.
So, can I get the Subject and update the relevant Principal, or add a new Principal to the Subject with the new password? If so, how do I get the current Subject?
Any suggestions would be greatly appreciated
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
Hi Busty,
I don't think you are able to fiddle with the logged-in principal in the manner you discuss. If you are using J2EE, and you expect this principal to be propagated to downstream servers, then you need to rely on the container's implementation. For example, in WebSphere, an LTPA token is generated that contains the user id and password, and so in your example, once the password changes, the token becomes invalid, and WAS will likely throw an exception when trying to reestablish the credentials.
I would simply re-login the user by calling the LoginModule with the new user id and password. I've never done this before, but I would hope the LoginModule would overwrite the existing credentials. In fact, you could just call the JAAS logout first to ensure this happens.
Let me know what you think or how it turns out.
--Dave.
Busty Sinclair
Greenhorn

Joined: Jun 06, 2002
Posts: 23
Hi Dave
Thanks for your reply. Sorry, I didn't give enough info there. I am using J2EE, JBoss 3.0.6 bundled with Tomcat. I use FORM authentication to log in. As you may or may not know, when using FORM authentication your form must submit to 'j_security_check', and the web.xml indicates which login module to use. The underlying servlet the form submits to is not visible, so I don't actually know how to use the LoginModule to log in programmatically.
I know that there's something about populating a callback handler within the LoginContext before calling the module's login function, but I am not sure how to go about this.
I tried the following, but it just told me the password was incorrect... which it wasn't, so it's not working, but I've no idea why:

If you can point me in the right direction, I'd really appreciate it.
Thanks
B
[ February 18, 2004: Message edited by: Busty Sinclair ]
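The two things discussed in this thread, a programmatic JAAS login driven by a CallbackHandler and a logout followed by a fresh login once the stored password has changed, can be shown with the plain JAAS API alone. The following is an added example, not code from either poster or from JBoss: it uses a constructed in-memory user map in place of the real database, a small hypothetical MapLoginModule standing in for the extended UsernamePasswordLoginModule, and a Configuration supplied in code so that no login.config file is needed. The container-side FORM login through j_security_check is not reproduced here; the example only shows the JAAS side of re-authenticating after a password change.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ReloginDemo {

    // Constructed in-memory user store standing in for the database the console updates.
    static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("busty", "oldpass".toCharArray()); }

    // Hypothetical login module: asks the handler for name/password, checks the store,
    // and adds a UserPrincipal to the Subject on commit.
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean ok;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            char[] stored = USERS.get(nc.getName());
            ok = stored != null && Arrays.equals(stored, pc.getPassword());
            pc.clearPassword();                       // do not keep the password copy around
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }
        public boolean commit() {
            if (ok) subject.getPrincipals().add(new UserPrincipal(user));
            return ok;
        }
        public boolean abort() { ok = false; return true; }
        // logout removes the principal we added, so a stale identity never survives re-login
        public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            return true;
        }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // The "populating a callback handler" step: a handler that answers the module's callbacks.
    static CallbackHandler credentials(String name, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // Programmatic JAAS configuration: every application name maps to MapLoginModule (REQUIRED).
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        MapLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.emptyMap()) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(config());

        // 1. Initial login with the old password.
        LoginContext lc = new LoginContext("demo", credentials("busty", "oldpass".toCharArray()));
        lc.login();
        System.out.println("logged in as " + lc.getSubject().getPrincipals());

        // 2. The console changes the password in the store.
        USERS.put("busty", "newpass".toCharArray());

        // 3. The old Subject is now stale: log out, then log in again with the new password.
        lc.logout();
        LoginContext fresh = new LoginContext("demo", credentials("busty", "newpass".toCharArray()));
        fresh.login();
        System.out.println("re-authenticated as " + fresh.getSubject().getPrincipals());
    }
}
```

Compile and run with `javac ReloginDemo.java && java ReloginDemo`; the second login succeeds only because the handler supplies the new password, which is the point of logging out and re-logging in rather than editing the Principal in place. In a container-managed FORM login the container owns the LoginContext, so the equivalent there is invalidating the session and sending the user back through j_security_check.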