The AuthenticationInfo contains two things: Principals and Credentials. The credentials are only used to verify identity. But all of the principals across all realms are aggregated into the Subject and are available as Subject.getPrincipals(), so anything you put in the principals can be accessed later on. You could have one of those principals represent the data indicating to ask them to update their password.
Another easy approach is to just put that flag/token/whatever in the session (Subject.getSession()), check it after log-in, and if present, redirect them to the reset password page. Then remove the token from the session once they've updated their password. That could probably work as well.

How about those two approaches?

- Les

On Tue, May 4, 2010 at 4:13 PM, Henry Suryawirawan <[email protected]> wrote:
>
> hmm yeah that might work.
> however, the user has the option of continuing using the system without
> updating the password.
> i think it would then break the logic, since subsequent login will also
> throw the ExpiredPasswordException.
>
> do you have any other idea how to solve this problem?
>
> btw, is it confirmed that we cannot retrieve the AuthenticationInfo from a
> Subject?
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Get-AuthenticationInfo-From-Subject-tp5003710p5006311.html
> Sent from the Shiro User mailing list archive at Nabble.com.
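The two approaches above, written out as an added example that is not code from the thread or from Shiro itself: a realm that adds a marker principal (so it shows up in Subject.getPrincipals()) when the stored password has expired, and a post-login check that either routes the user to the reset page via that marker or via a session flag. UserStore, its Record type, PasswordChangeRequired, LoginFlow and the URL paths are assumptions made up for the example.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical account lookup, constructed for this example (not part of Shiro). */
interface UserStore {
    final class Record { String passwordHash; boolean passwordExpired; }
    Record lookup(String username);
}

/** Marker principal: its presence on the Subject means the password must be changed. */
final class PasswordChangeRequired {
    final String username;
    PasswordChangeRequired(String username) { this.username = username; }
}

class ExpiringPasswordRealm extends AuthenticatingRealm {
    private final UserStore users;
    ExpiringPasswordRealm(UserStore users) { this.users = users; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        UserStore.Record rec = users.lookup(username);
        if (rec == null) {
            throw new UnknownAccountException("no account: " + username);
        }
        // The username is the primary principal; the marker is an extra principal
        // that ends up in Subject.getPrincipals() next to it after login.
        SimplePrincipalCollection principals = new SimplePrincipalCollection(username, getName());
        if (rec.passwordExpired) {
            principals.add(new PasswordChangeRequired(username), getName());
        }
        // Credentials only feed the realm's CredentialsMatcher (use a HashedCredentialsMatcher
        // for stored hashes); they are not retained on the Subject.
        return new SimpleAuthenticationInfo(principals, rec.passwordHash);
    }
}

class LoginFlow {
    /** Decides where to send the user once subject.login(token) has succeeded. */
    static String afterLogin(Subject subject) {
        PasswordChangeRequired marker = subject.getPrincipals().oneByType(PasswordChangeRequired.class);
        if (marker != null) {
            // Session-flag variant from the thread: remove it once the password has been updated.
            subject.getSession().setAttribute("forcePasswordReset", Boolean.TRUE);
            return "/account/password/reset";
        }
        return "/home";
    }
}
```

Because the marker lives in the principals (or the session flag) rather than being thrown from the realm, the login itself succeeds and the user can be steered to the reset page on every request until the flag is cleared.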
