Reputation: 1359
I’m trying to use the AD Authenticator in WLS 12.1.2 (JAAS container security) to handle the scenario where the user has been set to “must change password at next logon”, which I understand is set in the AD attribute pwdLastSet. If I set that to 0 for a particular user, and then attempt a login to my application, I get a ServletException on the javax.servlet.http.HttpServletRequest.login(username, password) method with a bundled generic FailedLoginException, but I don’t get any info regarding the cause. What I really need is the 773 error code from AD or something to indicate to my application code that this is why the request.login method has thrown an exception. Somehow we need to translate this into a javax.naming.AuthenticationException, which is what we would get if we did the LDAP bind manually with a new InitialContext. It seems a bit strange to have to manually bind to cater for alternate scenarios like this, while the container security handles the generic success scenario. Any ideas?
Upvotes: 1
Views: 704
Reputation: 1359
The solution was to write our own Authentication Provider & Login Module, so that we could ourselves bind to the AD with the user's credentials, which in turn allows us access to the exact NamingException. That exception contains the unique code for the bind failure (in our case 773), and then we're able to translate that into an appropriate LoginException subclass (in our case a CredentialExpiredException). Then in our web app, the request.login method receives the ServletException with the cause being our CredentialExpiredException, and we can redirect to the change password page accordingly.
Upvotes: 1
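A minimal JAAS `LoginModule` that does what the answer above describes, binding to AD with the user's own credentials and translating the AD sub-error in the `NamingException` message into a `LoginException` subclass. This is an added illustration, not the poster's code: the option names `ldapUrl` and `userSuffix`, the `AdBindLoginModule` class name, and the sample error string in `main` are all assumptions. The WebLogic Authentication Provider wrapper (the MBean that registers this module with the realm) is not shown. AD reports the sub-error as `data NNN` inside the bind failure text; 773 is the code the question is about, the other mappings (532 password expired, 701 account expired, 775 account locked, 533 disabled) are the documented companion codes.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class AdBindLoginModule implements LoginModule {
    // AD bind failures look like: "[LDAP: error code 49 - 80090308: LdapErr: DSID-...,
    // comment: AcceptSecurityContext error, data 773, v2580]"; we only need "data NNN".
    private static final Pattern AD_DATA = Pattern.compile("data ([0-9a-fA-F]+)");

    private Subject subject;
    private CallbackHandler handler;
    private String ldapUrl;     // assumed option, e.g. ldaps://dc.example.invalid:636
    private String userSuffix;  // assumed option, e.g. @example.invalid (UPN suffix)
    private String user;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.ldapUrl = String.valueOf(options.get("ldapUrl"));
        this.userSuffix = String.valueOf(options.get("userSuffix"));
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        user = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // AD accepts an empty password as an anonymous (unauthenticated) bind that
        // does not fail, so an empty credential must be rejected before binding.
        if (user == null || user.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("empty user name or password");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user + userSuffix);
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the simple bind with the user's own credentials
            succeeded = true;
            return true;
        } catch (AuthenticationException e) {
            throw translate(e);                 // surface the AD sub-error to the caller
        } catch (NamingException e) {
            throw new LoginException("directory unavailable: " + e.getMessage());
        } finally {
            Arrays.fill(pw, '\0');
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }

    /** Map the "data NNN" sub-error of an AD bind failure to the matching JAAS exception. */
    static LoginException translate(NamingException e) {
        Matcher m = AD_DATA.matcher(String.valueOf(e.getMessage()));
        String code = m.find() ? m.group(1).toLowerCase() : "";
        if (code.equals("773")) return new CredentialExpiredException("password must be changed at next logon");
        if (code.equals("532")) return new CredentialExpiredException("password expired");
        if (code.equals("701")) return new AccountExpiredException("account expired");
        if (code.equals("775")) return new AccountLockedException("account locked");
        if (code.equals("533")) return new FailedLoginException("account disabled");
        // 525 (no such user) and 52e (bad password) are deliberately not distinguished,
        // so a caller cannot use the error type to enumerate valid account names.
        return new FailedLoginException("invalid credentials");
    }

    public boolean commit() {
        if (!succeeded) return false;
        final String name = user;
        subject.getPrincipals().add(new Principal() { public String getName() { return name; } });
        return true;
    }
    public boolean abort()  { succeeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); succeeded = false; return true; }

    // Offline demonstration of the translation step using a constructed AD error message.
    public static void main(String[] args) {
        NamingException sample = new AuthenticationException("[LDAP: error code 49 - 80090308: "
            + "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580]");
        LoginException le = translate(sample);
        System.out.println(le.getClass().getSimpleName() + ": " + le.getMessage());
    }
}
```

In the web application, `request.login` then fails with a `ServletException` whose cause is the `CredentialExpiredException` from `translate`, which is what the redirect to the change-password page keys on. The bind should go over LDAPS (or StartTLS) since the user's password travels in the simple bind, and the module never logs the raw AD message, which includes the distinguished name that was tried.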