JavaRanch » Java Forums » Engineering » Security

changing password after jaas login, update the Subject?

Busty Sinclair
I have extended the JAAS UsernamePasswordLoginModule for my login. I have a console where I change the logged-in user's password. This results in the need to log in again to do anything else, presumably because the principal no longer matches what's in the DB.
So, can I get the Subject and update the relevant Principal, or add a new Principal to the Subject with the new password? If so, how do I get the current Subject?
Any suggestions would be greatly appreciated
Dave Teare
Hi Busty,
I don't think you are able to fiddle with the logged-in principal in the manner you discuss. If you are using J2EE, and you expect this principal to be propagated to downstream servers, then you need to rely on the container's implementation. For example, in WebSphere, an LTPA token is generated that contains the user id and password, and so in your example, once the password changes, the token becomes invalid, and WAS will likely throw an exception when trying to re-establish the credentials.
I would simply re-login the user by calling the LoginModule with the new user id and password. I've never done this before, but I would hope the LoginModule would overwrite the existing credentials. In fact, you could just call the JAAS logout first to ensure this happens.
Let me know what you think or how it turns out.
Busty Sinclair
Hi Dave
Thanks for your reply. Sorry, I didn't give enough info there. I am using J2EE, JBoss 3.0.6 bundled with Tomcat. I use FORM authentication to log in. As you may or may not know, when using FORM authentication your form must submit to 'j_security_check', and web.xml indicates which login module to use; the underlying servlet the form submits to is not visible, so I don't actually know how to use the LoginModule to log in programmatically.
I know there's something about populating a CallbackHandler within the LoginContext before calling the module's login function, but I am not sure how to go about this.
I tried the following, but it just told me the password was incorrect... which it wasn't, so it's not working, but I've no idea why:

If you can point me in the right direction, I'd really appreciate it.
[ February 18, 2004: Message edited by: Busty Sinclair ]
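The logout-then-re-login that Dave suggests, driven programmatically through a LoginContext and a CallbackHandler as Busty asks about, as an added example that is not part of the original thread and is not JBoss's or UsernamePasswordLoginModule's code. The class names (JaasRelogin, FixedCallbackHandler, MapLoginModule, UserPrincipal), the "console" application name and the in-memory PASSWORDS map are constructed stand-ins for the DB-backed module and login-config entry the thread describes:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasRelogin {
    // Constructed stand-in for the user table; a real module would store and compare salted hashes.
    static final Map<String, char[]> PASSWORDS = new HashMap<>();

    // Principal that commit() puts into the Subject.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Answers the module's NameCallback/PasswordCallback from values the caller already holds
    // (form fields, a console prompt) instead of prompting an interactive user.
    static final class FixedCallbackHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        FixedCallbackHandler(String user, char[] pass) { this.user = user; this.pass = pass.clone(); }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb, "only name/password callbacks supported");
            }
        }
    }

    // Hypothetical minimal LoginModule standing in for the thread's DB-backed UsernamePasswordLoginModule.
    public static final class MapLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private boolean succeeded;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] stored = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            succeeded = stored != null && given != null && constantTimeEquals(stored, given);
            // One message for unknown user and wrong password, so the response does not enumerate accounts.
            if (!succeeded) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }
        @Override public boolean commit() { if (succeeded) subject.getPrincipals().add(new UserPrincipal(user)); return succeeded; }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    // MessageDigest.isEqual does not leak how many leading bytes matched.
    static boolean constantTimeEquals(char[] a, char[] b) {
        return MessageDigest.isEqual(new String(a).getBytes(StandardCharsets.UTF_8),
                                     new String(b).getBytes(StandardCharsets.UTF_8));
    }

    // Programmatic equivalent of the login-config entry the container would normally resolve for the app.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(MapLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, String>()) };
        }
    };

    static LoginContext login(String user, String pass) throws LoginException {
        LoginContext lc = new LoginContext("console", null, new FixedCallbackHandler(user, pass.toCharArray()), CONFIG);
        lc.login(); // drives login() then commit() on each configured module
        return lc;
    }

    public static void main(String[] args) throws LoginException {
        PASSWORDS.put("busty", "old-pass".toCharArray());
        LoginContext session = login("busty", "old-pass");
        System.out.println("logged in: " + session.getSubject().getPrincipals());
        PASSWORDS.put("busty", "new-pass".toCharArray()); // the console changes the stored password
        session.logout();                                  // drop the old Subject's principals...
        session = login("busty", "new-pass");              // ...and authenticate again with the new credential
        System.out.println("re-authenticated: " + session.getSubject().getPrincipals());
        try {
            login("busty", "old-pass");
            System.out.println("unexpected: old password still accepted");
        } catch (LoginException expected) {
            System.out.println("old password rejected: " + expected.getMessage());
        }
    }
}
```

Two caveats for the container case in the thread. First, a LoginContext the application creates yields its own Subject; with FORM authentication the container keeps the principal it authenticated through j_security_check in the HTTP session, and this example does not touch that copy, so invalidating the session (or whatever the container offers for re-authentication) is what forces the container's view to refresh. Second, when a programmatic attempt reports a bad password even though the password is right, the first things to check are what the CallbackHandler actually puts into the PasswordCallback and whether the module compares against a hashed value rather than the plaintext it was given.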