
Changing the User Password

Use

The J2EE Engine provides a built-in mechanism for prompting a user to change his or her password upon application login. This mechanism can be used in cases when application users are created centrally (for example, a system administrator creates users in the central user store) and they must change the default password that was assigned by the system administrator.

Features

Default Password Change Form

When a password change takes place as the user authenticates to a Web application, the Web Container provides a default servlet that generates the form in which the user must enter his or her new password. If the new password is entered and confirmed correctly, the Web Container changes the old one and lets the user proceed with the application. If the user fails to confirm the new password, he or she is not allowed to proceed with the request to the application.

For more information about the default servlet providing the password change page and the way it is invoked, see PasswordChangeForm Servlet.

Custom Password Change Form

You can provide a custom password change page with your Web application. To do this, you must develop the resource that generates this page (a servlet, a JSP, or plain HTML page) and declare and configure it in the deployment descriptors of your application.

In your password change form, you need to use the following SAP-specific input parameters:

     j_sap_current_password to specify the current password;

     j_sap_password to specify the new password;

     j_sap_again to confirm the new password.

The form should use the SAP-specific sap_j_security_check action to handle the input parameters.

Note

For security reasons, we recommend that you use the HTTP POST method to submit the parameters in your change password form page instead of the HTTP GET method.

Example

The following simple HTML page is an example of a change password form using the appropriate action element and input parameters:

<html>
<body>
<form name="login" method="POST" action="sap_j_security_check">
  <table border="3" cellpadding="2" cellspacing="2" align="center">
  <tr>
    <th align="right">Current Password:</th>
    <td><input type="password" name="j_sap_current_password" size="20"></td>
  </tr>
  <tr>
    <th align="right">New Password:</th>
    <td><input type="password" name="j_sap_password" size="20"></td>
  </tr>
  <tr>
    <th align="right">Confirm New Password:</th>
    <td><input type="password" name="j_sap_again" size="20"></td>
  </tr>
  <tr align="center">
    <td colspan="2"><input type="submit" value="Change"></td>
  </tr>
  </table>
</form>
</body>
</html>
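
The requirements stated above (the sap_j_security_check action, the three j_sap_* input parameters, and submission by POST) can be checked automatically before a custom page is deployed. The following Python check is an added example, not SAP code; the function name audit_password_change_form, the type="password" check and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

REQUIRED_FIELDS = {"j_sap_current_password", "j_sap_password", "j_sap_again"}
REQUIRED_ACTION = "sap_j_security_check"

class _FormAudit(HTMLParser):
    # Collects every <form> and the <input> elements nested inside it.
    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"attrs": {...}, "inputs": [...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_password_change_form(html):
    """Return a list of findings; an empty list means the form passes."""
    parser = _FormAudit()
    parser.feed(html)
    forms = [f for f in parser.forms
             if f["attrs"].get("action", "").strip() == REQUIRED_ACTION]
    if not forms:
        return ["no form posts to " + REQUIRED_ACTION]
    findings = []
    for form in forms:
        # An HTML form without a method attribute is submitted with GET.
        method = form["attrs"].get("method", "get").strip().lower()
        if method != "post":
            findings.append("form uses %s; passwords end up in the URL" % method.upper())
        by_name = {i.get("name"): i for i in form["inputs"]}
        for name in sorted(REQUIRED_FIELDS - set(by_name)):
            findings.append("missing input " + name)
        for name in sorted(REQUIRED_FIELDS & set(by_name)):
            if by_name[name].get("type", "text").lower() != "password":
                findings.append(name + " is not type=password")
    return findings

# Constructed sample: no method (so GET), no confirmation field, clear-text input.
SAMPLE_BAD_FORM = ('<form action="sap_j_security_check">'
                   '<input type="password" name="j_sap_current_password">'
                   '<input type="text" name="j_sap_password"></form>')
```

Calling audit_password_change_form(SAMPLE_BAD_FORM) reports the GET submission, the missing j_sap_again field and the clear-text new-password field; the example form shown above produces no findings.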

 

To make your custom password page available to the application, you need to define it in the <password-change-config> element in the web-j2ee-engine.xml deployment descriptor. For more information, see Configuring Authentication.

Note

If the password change form is implemented as a JSP or servlet, you must first declare it in the web.xml using the <servlet-name> and <servlet-class> tags.