I’m writing a Java application which needs to perform an unusual login procedure. One of my problems is that the user needs to supply more than a simple username/password combination. Specifically, a username/password/domain combination is required.
Another problem is that my application enforces some password lifetime rules (e.g. a password becomes invalid after 90 days). The authentication server that I use will refuse authentication when a password is expired and forces the user to choose a new one. Therefore my login process must be able to handle that.
Unfortunately the standard j_security_check servlet does not allow me to do any of that. Is there any way to create a custom and safe login procedure for a Java web application?
Note: the problem with supplying the domain can be worked around by having users enter username\domain instead of just username in the j_username field and then let a custom realm decode that. This is however a bit kludgy and doesn’t solve the second problem anyway.
The JAAS security interface allows you to create a custom login module. This login module will allow you to have any security checking that you like. I suggest that you look at the information on JAAS.
Here are some of the links I used to help understand JAAS:
Also have a look at the Apache Tomcat realms configuration how-to:
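As an added illustration of the answer above (this is example code, not code from the question, the answer, or any JAAS documentation), here is a custom JAAS `LoginModule` that collects username, password and domain through callbacks and enforces the 90-day password lifetime from the question by throwing the standard `javax.security.auth.login.CredentialExpiredException`, so the calling code can distinguish "wrong password" from "correct but expired password" and send the user to a change-password page. The `DirectoryClient` interface, the `DomainPrincipal` class and the `"directoryClient"` option key are assumptions made for this example; a real deployment would back `DirectoryClient` with whatever authentication server is in use.

```java
import java.io.IOException;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Example LoginModule: username + password + domain, with a 90-day password lifetime.
public class DomainLoginModule implements LoginModule {

    // Hypothetical back end (assumption for this example): returns the time the password
    // was last changed when the credentials are valid, or null when they are not.
    public interface DirectoryClient {
        Instant authenticate(String domain, String user, char[] password);
    }

    // Principal carrying the qualified name DOMAIN\user.
    public static final class DomainPrincipal implements Principal {
        private final String name;
        DomainPrincipal(String domain, String user) { this.name = domain + "\\" + user; }
        @Override public String getName() { return name; }
    }

    private static final Duration MAX_PASSWORD_AGE = Duration.ofDays(90);

    private Subject subject;
    private CallbackHandler handler;
    private DirectoryClient directory;  // passed in through the options map (assumption)
    private DomainPrincipal pending;    // produced by login(), attached to the Subject by commit()

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.directory = (DirectoryClient) options.get("directoryClient");
    }

    @Override
    public boolean login() throws LoginException {
        // The two standard callbacks plus a TextInputCallback for the domain, so the
        // CallbackHandler (e.g. one reading a login form) can supply all three values.
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        TextInputCallback domainCb = new TextInputCallback("domain: ");
        try {
            handler.handle(new Callback[] { nameCb, pwCb, domainCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] password = pwCb.getPassword();   // getPassword() returns a copy
        pwCb.clearPassword();
        if (password == null || nameCb.getName() == null || domainCb.getText() == null) {
            throw new FailedLoginException("username, password and domain are all required");
        }
        try {
            Instant lastChanged = directory.authenticate(domainCb.getText(), nameCb.getName(), password);
            if (lastChanged == null) {
                throw new FailedLoginException("invalid credentials");
            }
            // Correct password but older than the allowed lifetime: report expiry separately
            // so the caller can force a password change instead of showing a generic failure.
            if (Duration.between(lastChanged, Instant.now()).compareTo(MAX_PASSWORD_AGE) > 0) {
                throw new CredentialExpiredException("password older than 90 days, change required");
            }
        } finally {
            Arrays.fill(password, '\0');   // do not keep the secret in memory longer than needed
        }
        pending = new DomainPrincipal(domainCb.getText(), nameCb.getName());
        return true;
    }

    @Override
    public boolean commit() {
        if (pending == null) return false;
        subject.getPrincipals().add(pending);
        return true;
    }

    @Override
    public boolean abort() { pending = null; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof DomainPrincipal);
        pending = null;
        return true;
    }
}
```

The module is meant to be driven from your own login servlet or filter rather than from j_security_check: the servlet builds a `CallbackHandler` that fills the three callbacks from the form fields, calls `new LoginContext("app", subject, handler).login()`, and catches `CredentialExpiredException` (redirect to the change-password page) separately from `FailedLoginException` (show a generic login error, without revealing which of the three values was wrong). Because expiry is only reported after the directory has confirmed the password, the expiry path cannot be used to probe for valid accounts without already knowing the password.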