Forcing user to change expired password in spring security

情歌与酒 2020-12-28 20:22

I am building a Spring MVC and Spring Security based web application.

I have implemented Reset Password functionality. System Administrator will reset password of

2 answers
  • 2020-12-28 20:54

    Quite late answer and I don't know if you're using Spring 2 or 3. But in Spring 3 you can do it this way.

    Include the following in your Spring security context:

    <bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
        <property name="exceptionMappings">
            <props>
                <prop key="org.springframework.security.authentication.CredentialsExpiredException">/change_password_page</prop>
            </props>
        </property>
        <property name="defaultFailureUrl" value="/login_generic_error_page"/>
    </bean>
    

    Of course you can map other specific authentication exceptions to other pages.

    If you're using the form-login element, then you have to specify the authentication-failure-handler-ref attribute (and remove authentication-failure-url if used):

    <security:form-login ... authentication-failure-handler-ref="securityExceptionTranslationHandler">
    

    And the final step is to create the change password page.

    Keep in mind that the user is not authenticated when redirected to the change password page.

  • 2020-12-28 21:08

    You can try subclassing SimpleUrlAuthenticationSuccessHandler and implement custom logic for checking password expiry. The reference to this SimpleUrlAuthenticationSuccessHandler could be passed to the form-login element in the application context.

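One way to write the subclass the second answer describes, as an added example that is not from either answer. `PasswordExpiryChecker`, the `MUST_CHANGE_PASSWORD` session attribute and the constructor arguments are hypothetical, and the `javax.servlet` imports assume the Spring Security 3 era the first answer mentions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

public class PasswordExpiryAwareSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    /** Hypothetical lookup, e.g. an "admin reset" flag or a last-changed date in the user table. */
    public interface PasswordExpiryChecker {
        boolean mustChangePassword(String username);
    }

    /** Hypothetical session attribute that a request filter can test on every request. */
    public static final String MUST_CHANGE_ATTR = "MUST_CHANGE_PASSWORD";

    private final PasswordExpiryChecker checker;
    private final String changePasswordUrl;

    public PasswordExpiryAwareSuccessHandler(PasswordExpiryChecker checker, String changePasswordUrl) {
        this.checker = checker;
        this.changePasswordUrl = changePasswordUrl;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        if (checker.mustChangePassword(authentication.getName())) {
            // Unlike the failure-handler approach, the user is fully authenticated at
            // this point, so the redirect alone does not stop requests to other URLs.
            // Flag the session so a filter can confine the user to the change page.
            request.getSession().setAttribute(MUST_CHANGE_ATTR, Boolean.TRUE);
            getRedirectStrategy().sendRedirect(request, response, changePasswordUrl);
            return;
        }
        // Password still valid: fall back to the normal target URL handling.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

The bean is referenced from the form-login element through its authentication-success-handler-ref attribute, and the session flag should be cleared only after the new password has been stored.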