
Function Documentation: Changing the User Password

Use

The J2EE Engine provides a built-in mechanism for prompting a user to change his or her password when logging in to an application. This mechanism is intended for cases in which application users are created centrally (for example, a system administrator creates the users in the central user store) and must replace the initial password assigned by the administrator with one of their own on first login.

Features

The password change takes place as part of the authentication process, that is, the first time the user attempts to log in to the application. The responsible login module creates a com.sap.engine.lib.security.PasswordChangeCallback and passes it to the handle() method of the application's CallbackHandler to obtain the new password. Therefore, if you develop your own login module from scratch, your code must take care of sending the PasswordChangeCallback to the CallbackHandler; otherwise the forced password change never reaches the user. If you build your login module by enhancing one of the template login modules shipped with the J2EE Engine, you do not need to handle this yourself, because the template already does it.
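The following is an added example of how a login module written from scratch can hand the PasswordChangeCallback to the CallbackHandler; it is not code from the J2EE Engine or from its template login modules. The UserStore interface is a hypothetical facade for the user store, the constructor PasswordChangeCallback(String prompt) and the accessor getPassword() are assumed to mirror javax.security.auth.callback.PasswordCallback (check the engine's Javadoc for the actual signatures), and the option key "userStore" is an assumption as well.

```java
// Added example, not the engine's or the template login modules' code.
// Assumptions: UserStore is a hypothetical facade; PasswordChangeCallback(String)
// and getPassword() are assumed to mirror javax.security.auth.callback.PasswordCallback.
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sap.engine.lib.security.PasswordChangeCallback;

public class ForcedPasswordChangeLoginModule implements LoginModule {

    /** Hypothetical user-store facade; a real module uses the engine's user management API. */
    public interface UserStore {
        boolean checkPassword(String user, char[] password);
        boolean mustChangePassword(String user);
        void changePassword(String user, char[] currentPassword, char[] newPassword);
    }

    private CallbackHandler handler;
    private UserStore store;
    private String user;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.store = (UserStore) options.get("userStore"); // assumption: injected via options
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null || store == null) {
            throw new LoginException("CallbackHandler or user store not configured");
        }
        // 1. Standard JAAS callbacks collect the user name and the current password.
        NameCallback nameCb = new NameCallback("User: ");
        PasswordCallback pwCb = new PasswordCallback("Password: ", false);
        send(nameCb, pwCb);
        user = nameCb.getName();
        char[] current = pwCb.getPassword();
        pwCb.clearPassword();
        if (user == null || current == null) {
            throw new FailedLoginException("User name or password missing");
        }
        try {
            if (!store.checkPassword(user, current)) {
                throw new FailedLoginException("Invalid user name or password");
            }
            // 2. Account flagged (e.g. initial password set by the administrator):
            //    hand a PasswordChangeCallback to the CallbackHandler. In a Web
            //    application the container renders the password change form and
            //    fills in the callback with what the user entered.
            if (store.mustChangePassword(user)) {
                PasswordChangeCallback changeCb = new PasswordChangeCallback("New password: ");
                send(changeCb);
                char[] fresh = changeCb.getPassword(); // assumed accessor name
                try {
                    if (fresh == null || fresh.length == 0 || Arrays.equals(fresh, current)) {
                        // Fail closed: the user may not proceed on an unchanged password.
                        throw new FailedLoginException("New password missing or identical to the current one");
                    }
                    store.changePassword(user, current, fresh);
                } finally {
                    if (fresh != null) Arrays.fill(fresh, '\0');
                }
            }
            succeeded = true;
            return true;
        } finally {
            Arrays.fill(current, '\0'); // do not keep clear-text secrets in memory
        }
    }

    /** Passes callbacks to the handler; a handler that cannot serve them fails the login. */
    private void send(Callback... callbacks) throws LoginException {
        try {
            handler.handle(callbacks);
        } catch (IOException e) {
            throw new LoginException("Callback I/O failure: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("CallbackHandler does not support "
                    + e.getCallback().getClass().getName());
        }
    }

    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

The point to note is the handling of UnsupportedCallbackException: a CallbackHandler that does not know PasswordChangeCallback makes the login fail instead of silently skipping the forced change, so a user with an administrator-assigned password can never reach the application without setting a new one.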

Default Password Change Form

When the password change takes place during authentication to a Web application, the Web Container provides a default servlet that generates the form in which the user enters his or her new password. If the new password is entered and confirmed correctly, the Web Container replaces the old password and lets the user proceed with the application. If the confirmation does not match the new password, the user is not allowed to proceed with the request to the application.

For more information about the default servlet providing the password change page and the way it is invoked, see PasswordChangeForm Servlet.

Custom Password Change Form

You can provide a custom password change page with your Web application. To do this, you must develop the resource that generates this page (a servlet, a JSP, or plain HTML page) and declare and configure it in the deployment descriptors of your application.

In your password change form, you need to use the following SAP-specific input parameters:

·        j_sap_current_password to specify the current password;

·        j_sap_password to specify the new password;

·        j_sap_again to confirm the new password.

The form must submit these parameters to the SAP-specific sap_j_security_check action, which processes them.

Note

For security reasons, we recommend that you submit the parameters of your change password form with the HTTP POST method rather than the HTTP GET method. With GET, the current and new passwords become part of the request URL and can end up in browser history, proxy logs, and Web server access logs.

Example

The following simple HTML page is an example of a change password form using the appropriate action element and input parameters:

<html>
<body>
<!-- The field names and the action are the SAP-specific values the
     sap_j_security_check handler expects; the form is submitted with POST. -->
<form name="login" method="POST" action="sap_j_security_check">
  <table border="3" cellpadding="2" cellspacing="2" align="center">
  <tr>
    <th align="right">Current Password:</th>
    <td><input type="password" name="j_sap_current_password" size="20"></td>
  </tr>
  <tr>
    <th align="right">New Password:</th>
    <td><input type="password" name="j_sap_password" size="20"></td>
  </tr>
  <tr>
    <th align="right">Confirm New Password:</th>
    <td><input type="password" name="j_sap_again" size="20"></td>
  </tr>
  <tr align="center">
    <td colspan="2"><input type="submit" value="Change"></td>
  </tr>
  </table>
</form>
</body>
</html>

 

To make your custom password page available to the application, you need to define it in the <password-change-config> element in the web-j2ee-engine.xml deployment descriptor. For more information, see Configuring Authentication.

Note

If the password change form is implemented as a JSP or servlet, you must first declare it in web.xml using the <servlet-name> and <servlet-class> elements.
