Hello,

In my project, we use Acegi Security with LDAP authentication, and we have to handle the "Password Policy", so I developed some code to handle it.

As it seems to work, I would like to share it with the Acegi community. So, what is the process for that? I read http://www.acegisecurity.org/policies.html, but it seems that it is for "core" developers. Nonetheless, I think that (external) contributions must follow some rules... For example, what license must the code be released under? Does Acegi need some kind of copyright transfer? Or perhaps that is not necessary for code that (might) go to the sandbox? Moreover, there is a problem with my code: I did not use any of the existing sandbox code for password policy (I discovered it once my code was already written).

For now, the code is already available under ASF 2.0 here:
http://forge.objectweb.org/project/showfiles.php?group_id=162 (package ldap-passwordpolicy-0.1.jar). The source code is available with svn at this address:
svn://svn.forge.objectweb.org/svnroot/interldap/acegi-ldap-passwordpolicy/tags/release-0.1
There is also an svn viewer, but it isn't synchronized yet:
http://svn.forge.objectweb.org/cgi-bin/viewcvs.cgi/interldap/
If we are lucky, it should be done tomorrow.

Quick description of the code:
The code adds the PasswordPolicy request control when a bind operation is required for authentication. It processes the response, and there are 4 cases that are relevant for us:
- bind error, account locked => throws the standard Acegi Security LockedException;
- bind error, password expired => throws the standard Acegi Security CredentialsExpiredException;
- bind OK, but the response control contains the warning "password will expire in x seconds"
    => adds the control to the LdapUserDetails so that it may be processed by the application;
- bind OK, but the response control contains the warning "n graces remaining"
    => throws PasswordMustBeChangedException. OK, it's an authentication exception, but it seems to me that it is the best thing to do, because the user _has_to_ change his password. Any other request to the LDAP directory will throw an exception, and in particular retrieving user details is impossible. With this exception, we signal to the application that the user has to change his password before doing anything else. Well, I'm not sure it is the best thing to do, and I would welcome your comments :)

-- 
Francois Armand
J2EE Studies & Development
Groupe Linagora - http://www.linagora.com
Tel.: +33 (0)1 58 18 68 28
-----------
InterLDAP - http://interldap.org 
FederID - http://www.federid.org/
Open Source identities management and federation


_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
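The mail describes the behaviour in words only, so here is an added example, written for this page and not taken from the ldap-passwordpolicy package or from Acegi Security, of what the bind-side logic has to do: decode the BER value of the Password Policy response control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1) and map the result onto the four cases listed above. It is in Python rather than Java so that it runs stand-alone; the exception classes are stand-ins carrying the Acegi names, the sample control values are hand-encoded (not captured traffic), and the handling of the draft's changeAfterReset error on a successful bind, which the mail does not mention, is an assumption of the example.

```python
# Added example: decode the LDAP Password Policy response control
# (draft-behera-ldap-password-policy) and map it onto the bind outcomes
# described in the mail. Not code from the ldap-passwordpolicy package.
from dataclasses import dataclass
from typing import Optional

# The same OID is used for the request control and the response control.
PASSWORD_POLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values from the draft (only the ones used here)
PASSWORD_EXPIRED, ACCOUNT_LOCKED, CHANGE_AFTER_RESET = 0, 1, 2


# Stand-ins for the Acegi exception types named in the mail (the names are
# the real ones; the flat hierarchy is an assumption of this example).
class AuthenticationException(Exception): pass
class BadCredentialsException(AuthenticationException): pass
class LockedException(AuthenticationException): pass
class CredentialsExpiredException(AuthenticationException): pass
class PasswordMustBeChangedException(AuthenticationException): pass


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds
    grace_authns_remaining: Optional[int] = None
    error: Optional[int] = None


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at buf[pos]; return (tag, contents, end).
    Short- and long-form definite lengths; truncated input is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER value runs past end of control")
    return tag, buf[pos:end], end


def _ber_int(contents: bytes) -> int:
    if not contents:
        raise ValueError("empty INTEGER/ENUMERATED")
    return int.from_bytes(contents, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { passwordExpired(0), accountLocked(1),
                                  changeAfterReset(2), ... } OPTIONAL }
    A tag on a CHOICE is always explicit, so warning arrives as 0xA0 wrapping
    an implicitly tagged 0x80/0x81 INTEGER; error is an implicit 0x81."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == 0xA0:                                   # warning [0] CHOICE
            ctag, cval, cend = _read_tlv(contents, 0)
            if cend != len(contents):
                raise ValueError("trailing bytes inside warning CHOICE")
            if ctag == 0x80:
                resp.time_before_expiration = _ber_int(cval)
            elif ctag == 0x81:
                resp.grace_authns_remaining = _ber_int(cval)
            else:
                raise ValueError(f"unknown warning tag 0x{ctag:02x}")
        elif tag == 0x81:                                 # error [1] ENUMERATED
            resp.error = _ber_int(contents)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return resp


def handle_bind_result(bind_ok: bool, control_value: Optional[bytes]) -> PasswordPolicyResponse:
    """Apply the four rules from the mail to a bind result: raise the matching
    Acegi-style exception, or return the decoded response so the caller can
    attach a timeBeforeExpiration warning to the LdapUserDetails."""
    resp = decode_ppolicy_response(control_value) if control_value else PasswordPolicyResponse()
    if not bind_ok:
        if resp.error == ACCOUNT_LOCKED:
            raise LockedException("account locked by password policy")
        if resp.error == PASSWORD_EXPIRED:
            raise CredentialsExpiredException("password expired")
        raise BadCredentialsException("bind failed")      # ordinary wrong password
    if resp.grace_authns_remaining is not None:           # grace login: must change now
        raise PasswordMustBeChangedException(
            f"{resp.grace_authns_remaining} grace authentications remaining")
    if resp.error == CHANGE_AFTER_RESET:                  # assumption: treat like a grace login
        raise PasswordMustBeChangedException("password was reset; change required")
    return resp


def outcome(bind_ok: bool, control_value: Optional[bytes]) -> str:
    """Name the outcome of a bind, for the demonstration below."""
    try:
        resp = handle_bind_result(bind_ok, control_value)
    except AuthenticationException as exc:
        return type(exc).__name__
    if resp.time_before_expiration is not None:
        return f"ok, expires in {resp.time_before_expiration}s"
    return "ok"


# Constructed sample control values (hand-encoded BER, not captured traffic).
SAMPLES = {
    "locked":  bytes.fromhex("30 03 81 01 01"),
    "expired": bytes.fromhex("30 03 81 01 00"),
    "warn_1d": bytes.fromhex("30 07 a0 05 80 03 01 51 80"),   # 86400 seconds
    "grace_2": bytes.fromhex("30 05 a0 03 81 01 02"),
    "reset":   bytes.fromhex("30 03 81 01 02"),
}

if __name__ == "__main__":
    for name, ok in (("locked", False), ("expired", False), ("warn_1d", True),
                     ("grace_2", True), ("reset", True)):
        print(f"{name:8s} bind_ok={ok!s:5s} -> {outcome(ok, SAMPLES[name])}")
```

Two points worth keeping in mind when wiring this into a real bind: the response control is only meaningful if the request control was sent (mark it non-critical, so a server that does not implement the draft simply ignores it), and a server may return the error field together with a failed bind result code, so the decision must be made on the control contents rather than on the LDAP result code alone.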
