Reputation: 45114
I'm writing a module to force a user whose password has expired to renew their password. This app uses the acegi security plugin. After the expired credentials are detected, the user is redirected to an "insert a new password" page. However, when the form is submitted, the auth action is executed, instead of the desired one (renewPassword).
I suspect that this happens because the user is not logged in, so I was wondering if there exists a better approach for this.
For example, letting the user log in, but disabling their account until they refresh their password.
Is this the right way to go?
Come to think of it, as acegi is doing all the "check for expired credentials" work, I won't be able to log the user in and then change it, as I get a CredentialsExpiredException at authentication fail. So is there a way to do this?
Upvotes: 2
Views: 524
Reputation: 45114
Finally solved it the "easy, not programmatic, conf. file" way.
In SecurityConfig.groovy I added an entry to the requestMapString:
/login/renewpassword = IS_AUTHENTICATED_ANONYMOUSLY
This way, the renewpassword action inside the loginController can be executed without having the user logged in.
Thanks everyone for your time.
Upvotes: 0
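For context, an added sketch (not the poster's actual file) of where such an entry sits in the Grails Acegi plugin's SecurityConfig.groovy. The surrounding rules and the ROLE_ADMIN name are assumed for illustration; only the /login/renewpassword line comes from the answer above.

```groovy
// grails-app/conf/SecurityConfig.groovy (illustrative layout, assumed)
security {
    active = true

    // Use the static rule list below instead of Requestmap rows in the database.
    useRequestMapDomainClass = false

    // How the rule list is read:
    //  - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the request URL
    //    before matching, so the renewPassword action is written in lowercase.
    //  - Rules are tried top to bottom and the first match wins, so the narrow
    //    anonymous rule has to appear before the catch-all at the end.
    requestMapString = """
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT

        /login/auth=IS_AUTHENTICATED_ANONYMOUSLY
        /login/renewpassword=IS_AUTHENTICATED_ANONYMOUSLY
        /admin/**=ROLE_ADMIN
        /**=IS_AUTHENTICATED_FULLY
    """
}
```

Because this rule makes the action reachable without a session, the action itself has to check the username and the current (expired) password before it accepts a new one. Keeping the anonymous pattern limited to that single action, rather than /login/**, avoids exposing other controller actions.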
Reputation: 5841
I would suggest allowing the login, but setting a redirect flag in your code to push them to the password change page, so even if they try to change to another location in the site, it will push them back to the password change page. (I don't know how to code it in this language, as I've never used it, but it's how I would suggest to work around the seeming limitation)
Upvotes: 0