[jboss-user] [Beginner's Corner] - Re: How to allow application user to change password without forcing re-login?

[Patrick Garner]

Patrick Garner [https://community.jboss.org/people/pgarner] created the discussion

"Re: How to allow application user to change password without forcing re-login?"

To view the discussion, visit: https://community.jboss.org/message/773364#773364

--------------------------------------------------------------
I realize I probably can't programmatically update the principal's credentials.  It appears to me that JBoss security immediately becomes aware of the password change in the underlying database and attempts to reauthenticate the principal as soon as an EJB method is invoked, which fails because the principal's password has become stale.  With this in mind it appears that I can't even clean up state after changing the password because I've got to immediately end the session before any EJB methods are invoked!  There is some state to clean up including removing EJBs prior to killing the session that I would like to do...

So, how are others approaching implementing the change password feature?  I'm not seeing anything in the JEE or EJB spec. on how the container should treat an underlying password change in the database, and Google searches aren't returning any hits.
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/773364#773364]

Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2075]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20121101/e3f384ae/attachment.html