Hi,

I would like to use Kerberos in conjunction with container managed security. I have configured a JAASRealm with Sun's Kerberos LoginModule and a basic scenario works fine. I.e., if a user accesses a protected URL, he is challenged with a login screen. The user/password he enters is validated against the Kerberos system correctly.

We now have a requirement to honor Kerberos password policies, for example the "mandatory-password-change" flag. When set, the user gets a valid ticket but all he can do is change his password. I tried doing this via my standard configuration, and the Kerberos LoginModule throws an exception indicating the user must change his password, but the Tomcat form authentication logic seems to treat this as an invalid login and just redirects the user to the error page, with no way for the application to differentiate this situation.

Is it possible to honor Kerberos password policies using JAAS and container managed security? I have looked through the source and the answer appears to be no. JAASRealm seems to catch various exceptions (e.g. AccountExpiredException) but in the end just returns null to FormAuthenticator, as the authenticate() signature does not allow any checked exceptions to be thrown and the FormAuthenticator implementation doesn't seem to anticipate any runtime exceptions from this method.

I would much prefer to use container managed security for the usual reasons but also to get (clustered) SSO support. Does anyone see something I missed or have any ideas? Can I use the standard SSO valve with application managed security somehow? Seems doubtful.

Thanks.

Kireet <[EMAIL PROTECTED]>
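The distinction the post says is lost when the realm returns null, shown with a direct JAAS `LoginContext` call. This is an added example, not code from the original message or from Tomcat. Assumptions: `ExpiredStub` is a constructed stand-in for the real LoginModule, and signalling the must-change-password condition with `CredentialExpiredException` is hypothetical; the class, enum and method names are illustrative.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasOutcomeDemo {
    enum Outcome { OK, MUST_CHANGE_PASSWORD, ACCOUNT_EXPIRED, REJECTED }

    /** Constructed stub (assumption): always reports an expired credential. */
    public static class ExpiredStub implements LoginModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() throws LoginException {
            throw new CredentialExpiredException("password must be changed");
        }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Runs one JAAS login and keeps the failure reason instead of collapsing it to null. */
    static Outcome authenticate(String moduleClass) {
        Configuration cfg = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(moduleClass,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
        try {
            // LoginContext rethrows the module's LoginException subclass unchanged.
            new LoginContext("demo", null, null, cfg).login();
            return Outcome.OK;
        } catch (CredentialExpiredException e) {
            return Outcome.MUST_CHANGE_PASSWORD;   // caller can route to a change-password page
        } catch (AccountExpiredException e) {
            return Outcome.ACCOUNT_EXPIRED;
        } catch (LoginException e) {
            return Outcome.REJECTED;               // all a null return can express
        }
    }

    public static void main(String[] args) {
        System.out.println(authenticate(ExpiredStub.class.getName()));
    }
}
```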