*sigh* Not "Refreshable" and "Destroyable", but "Group" and "UserPrincipal"...
Mike

At 11:25 AM 10/17/2012, Michael StJohns wrote:
>This seems too specific to password based authentication.
>
>How about something like a "PrincipalAttributes" interface to go along with
>Refreshable and Destroyable?
>
>Properties getAttributes();
>
>define a few names: accountExpiration, passwordExpiration, lastLoginTime etc
>and their default meanings.
>
>Do the login, grab the Subject, then grab the Principals, check for the
>interface and then do the appropriate actions.
>
>You generally don't actually want to return data to the user such as the above
>until AFTER you're authenticated, and doing this via a callback, by definition
>is going to happen DURING authentication.
>
>Later, Mike
>
>
>
>At 01:44 AM 10/17/2012, Weijun Wang wrote:
>>Ping again.
>>
>>On 08/17/2012 06:18 PM, Weijun Wang wrote:
>>>Hi All
>>>
>>>I am working with an OpenJDK contributor (Steve Beaty) recently on this
>>>feature.
>>>
>>>We often see messages like "Your password will expire in 5 days. Please
>>>update ASAP" when we login to a system, and we are seeing if we could
>>>also support this kind of alert in JAAS.
>>>
>>>We first start with the Krb5LoginModule. In Kerberos, the KDC might
>>>send a LastReq field in response to a ticket request. Normally, the
>>>LastReq might contain:
>>>
>>>1. The time the password will expire
>>>2. The time the account will expire.
>>>
>>>(It might contain other things like the last request time from the same
>>>client, so the login module can show the user "Last login: Thu Aug 16
>>>19:44:55 2012". That's also how the field is named).
>>>
>>>Our current idea is to create a new kind of Callback, say,
>>>PasswordExpirationCallback for a login module, if a password/account
>>>expiration message is found in the LastReq field received, some
>>>user-defined method can be called.
>>>
>>>However, we cannot decide on what argument we should provide to this
>>>method. Certainly, just passing the LastReq field is not very good,
>>>since it's Kerberos-specific. Passing only the password expiration time?
>>>I'm not sure if the information is too little.
>>>
>>>Are you familiar with all other styles of password expiration warnings?
>>>What kind of message is generalized enough and also contains enough info?
>>>
>>>Any suggestion welcomed.
>>>
>>>Thanks
>>>Max
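
The post-login lookup suggested in the thread above (read attributes from the Subject's Principals after authentication instead of through a callback during it), sketched as an added example that is not part of the original messages or of any JDK API. `PrincipalAttributes` is the hypothetical interface proposed in the thread; `DemoPrincipal`, the `warnings` helper, the ISO-8601 value format and the sample dates are assumptions made for illustration.

```java
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.security.auth.Subject;

public class ExpirationCheck {
    // Hypothetical interface from the proposal; not part of the JDK.
    interface PrincipalAttributes {
        Properties getAttributes();
    }

    // Constructed principal that a login module might add to the Subject.
    record DemoPrincipal(String name, Properties attrs)
            implements Principal, PrincipalAttributes {
        public String getName() { return name; }
        public Properties getAttributes() { return attrs; }
    }
    // Runs AFTER login(): only an authenticated Subject is inspected.
    static List<String> warnings(Subject subject, Instant now, Duration window) {
        List<String> out = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof PrincipalAttributes pa)) continue;
            for (String key : List.of("passwordExpiration", "accountExpiration")) {
                String v = pa.getAttributes().getProperty(key);
                if (v == null) continue;            // attribute not supplied
                Instant when;
                try { when = Instant.parse(v); }    // assumed ISO-8601 value format
                catch (java.time.format.DateTimeParseException e) { continue; }
                Duration left = Duration.between(now, when);
                if (left.isNegative()) out.add(p.getName() + ": " + key + " has passed");
                else if (left.compareTo(window) <= 0)
                    out.add(p.getName() + ": " + key + " in " + left.toDays() + " days");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Properties attrs = new Properties();
        attrs.setProperty("passwordExpiration", "2012-10-22T00:00:00Z"); // constructed
        Subject subject = new Subject();  // stands in for LoginContext.getSubject()
        subject.getPrincipals().add(new DemoPrincipal("user@EXAMPLE.COM", attrs));
        Instant now = Instant.parse("2012-10-17T00:00:00Z");             // constructed
        warnings(subject, now, Duration.ofDays(14)).forEach(System.out::println);
    }
}
```

Because the check runs on the Subject returned by a successful login, account and password lifetime details are never shown to a caller who has not yet authenticated.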
