Using the HybridRealm and the GetAttributes() Method to hand

Posted by christian.bryan@capita.co.uk on 04-Mar-2019 18:17

Hi All 

I would like to redirect a user to a password reset page on an expired login event using the PAS and a HybridRealm interface.

I can see that there is a GetAttribute method I can implement, and when I return "T" for true on the call for ATTR_EXPIRED a 401 Unauthorised is duly returned. However, how can I distinguish this 401 from another 401, i.e. invalid password or locked account?

Example:

METHOD PUBLIC CHARACTER GetAttribute (piUserid AS INTEGER, pcAttrName AS CHARACTER):

    CASE pcAttrName:

        WHEN "ATTR_ROLES":U THEN
            RETURN "PSCUser":U.

        WHEN "ATTR_ENABLED":U THEN
            RETURN "T":U.

        WHEN "ATTR_LOCKED":U THEN DO:
            /* MESSAGE output lands in the server log, not in the client response */
            MESSAGE "ATTR_LOCKED".
            RETURN "F":U.
        END.

        WHEN "ATTR_EXPIRED":U THEN DO:
            MESSAGE "ATTR_EXPIRED".
            /* returning "T" here is what produces the 401 */
            RETURN "T":U.
        END.

    END CASE.

    /* unknown attribute: return an empty value */
    RETURN "":U.

END METHOD.

Posted by Peter Judge on 12-Mar-2019 08:48

Do you want to know internally, or do you want to tell the client that it's 401/Expired instead of 401/Locked? For the former you could just write to a log, but I'm not sure the latter is possible or desirable, since you don't really want to tell a client that the user does exist (which is what 'expired' would do, along with the fact that the password passed in was correct).

All Replies

Posted by Michael Jacobs on 12-Mar-2019 10:57

You do not want to provide that level of detail to a client - always assume any client is being used to mine information useful in an attempt to gain access to a user account. That is why you generally see only 'login failed' and the options for 'forgotten user-id' and 'forgotten password'. It frustrates me often enough when I see those screens, but it is the prudent approach.

As Peter said, leaving behind a log for the help desk to reference is a good idea when assisting the client to regain access to their account. It may assist in determining that the account was locked out, but not by the client themselves.
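The pattern Peter and Michael describe, as an added example (not code from this thread, and not Progress/PAS code): every failure, whether the user is unknown, the password is wrong, or the account is disabled, locked or expired, comes back to the client as the same 401 with the same message, while the real reason is written to a server-side audit record keyed by a request id the help desk can look up. The account directory, the SHA-256 stand-in for a real password hash, and the AUDIT_LOG list standing in for the server log are all constructed for illustration.

```python
# Added example: generic 401 to the client, detailed reason to the server log.
# Not code from the original thread or from Progress/PAS.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    pwd_hash: bytes
    enabled: bool = True
    locked: bool = False
    expired: bool = False   # password has expired; user must reset it


def _h(password: str) -> bytes:
    # Constructed: plain SHA-256 keeps the example short. Use a slow, salted
    # password hash (argon2id, bcrypt, scrypt) in real code.
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed sample directory; none of these are real credentials.
DIRECTORY = {
    "alice": Account(1, _h("correct horse"), expired=True),
    "bob":   Account(2, _h("battery staple"), locked=True),
    "carol": Account(3, _h("hunter2")),
}

# Compared against when the user does not exist, so the unknown-user path does
# the same amount of work as the bad-password path (no timing tell).
_DUMMY_HASH = _h("dummy-not-a-real-password")

GENERIC_FAILURE = "login failed"   # the only failure text a client ever sees
AUDIT_LOG: list[dict] = []         # stands in for the server log / help-desk record


def classify(username: str, password: str) -> str:
    """Internal outcome only: ok, no_such_user, bad_password, disabled, locked, expired."""
    acct = DIRECTORY.get(username)
    candidate = acct.pwd_hash if acct is not None else _DUMMY_HASH
    pw_ok = hmac.compare_digest(_h(password), candidate)
    if acct is None:
        return "no_such_user"
    if not pw_ok:
        return "bad_password"
    if not acct.enabled:
        return "disabled"
    if acct.locked:
        return "locked"
    if acct.expired:
        return "expired"
    return "ok"


def login(username: str, password: str, request_id: str | None = None) -> dict:
    """HTTP-style result. Every failure is the same 401 body; only the audit entry differs."""
    request_id = request_id or secrets.token_hex(8)
    reason = classify(username, password)
    AUDIT_LOG.append({"request_id": request_id, "user": username, "reason": reason})
    if reason == "ok":
        return {"status": 200,
                "body": {"request_id": request_id, "user_id": DIRECTORY[username].user_id}}
    # Same status and same message for unknown user, wrong password, and
    # disabled/locked/expired accounts. The request id lets the help desk find
    # the real reason in AUDIT_LOG without the client learning it.
    return {"status": 401, "body": {"error": GENERIC_FAILURE, "request_id": request_id}}


def reason_for(request_id: str) -> str | None:
    """The lookup a help-desk tool would run against the audit log."""
    for entry in AUDIT_LOG:
        if entry["request_id"] == request_id:
            return entry["reason"]
    return None


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("nobody", "x"), ("carol", "hunter2")]:
        print(user, login(user, pw))
    print(AUDIT_LOG)
```

The client-visible body for alice (expired), bob (locked) and an unknown user is identical apart from the request id; only the audit entry records which case it was.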

Posted by christian.bryan@capita.co.uk on 12-Mar-2019 19:05

Hi

You are quite correct, this is not a good idea. However, I did find a way to do it by making a change to the PAS oeablSecurity.properties file:

# Turning this off makes the Client Principal filter responsible

OERealm.AuthProvider.sealClientPrincipal=true

With the above on, any errors thrown in your hybridrealm.cls bubble up to the 401 error page or JSON.

Christian.

Posted by Michael Jacobs on 12-Mar-2019 20:21

An innovative solution, congratulations.

One side effect when turning off sealing by the HybridRealm, which I do not know whether it affects you or not: when the sealing of the C-P is delegated to the ClientPrincipalFilter, the session-id in the C-P is updated to the current HTTP session id. Sometimes that has no effect in your application - sometimes it does. Might be something for you to check and see if it impacts you or not.

This thread is closed