Managing Credentials

Although the DefaultCredentialHandler provides fine-grained management of credentials, it cannot provide direct feedback to the user like presenting a warning that the current password is soon to be expired. But, special request processing pipeline valves provided with jetspeed allow to do just that.

The configuration for these valves can be found and set in the pipelines.xml spring configuration file.


The LoginValidationValveImpl provides feedback to the user about the cause of an failed login attempt.

It retrieves the UserPrincipal and its current PasswordCredential for the specified user name, and (if found) determines an specific error code based on its state. This error code is communicated back to through the session so an appropriate error message can be presented to the user.

The following possible error codes can be returned (all defined in the LoginConstants interface):


Of the above error codes, the ERROR_FINAL_LOGIN_ATTEMPT will only be reported if the valve is configured with the same maxNumberOfAuthenticationFailures value as used for the related MaxPasswordAuthenticationFailuresInterceptor described above:

  <bean id="loginValidationValve"
    <!-- maxNumberOfAuthenticationFailures
         This value should be in sync with the value for
         (if used) to make sense.
         Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT
         error code when only one last attempt is possible before the credential
         will be disabled after the next authentication failure.
    <constructor-arg index="0"><value>3</value></constructor-arg>  


The PasswordCredentialValveImpl is meant to be used together with a special Portlet on a special Portal Page (PSML) to automatically request or even require a user to change its password.

This valve evaluates PasswordCredential.isUpdateRequired() and optionally the expirationDate, lastAuthenticationDate and previousAuthenticationDate fields to determine if a user is required or just be asked to change its password.

This valve can optionally be configured with a list of expirationWarningDays numbers in its constructor:

<bean id="passwordCredentialValve"
   <!-- expirationWarningDays -->
These numbers each represent a day before the current expirationDate of the password credential when a user should be warned its password is soon to expire and be asked to change it. The lastAuthenticationDate and the previousAuthenticationDate are used to determine when this should happen. It will be done only once for each configured expirationWarningDay. If a user logs on for the first time (after several days) with the above example configuration, 6 days before the password expires, he or she will be warned about it. And again when 3 or 2 days are left.

When a user logs on the last day before the password expires or when updateRequired is true, the user will be required to change the password, regardless if expirationWarningDays are configured or not.

To be able to automatically provide the user with this information and allow or require the password to be changed directly after login, a special ProfileLocatorSECURITY_LOCATOR is used. The PageProfilerValve (which should be configed after this valve in the pipeline) will then use this enforced locator to be used to find the related portal page to present to the user.

For this to work, a "security" Profiler rule must have been setup like the default one provided by Jetspeed:

As can seen from the above image, the default page which will be presented to the user is the /my-account.psml located in the root.

This default page contains only one portlet, the ChangePasswordPortlet from the security Portlet Application.

The ChangePasswordPortlet works together with the PasswordCredentialValveImpl as it checks for the PASSWORD_CREDENTIAL_DAYS_VALID_REQUEST_ATTR_KEY request parameter which will be set by this valve with the number of days the password is still valid. For a required password change this will be set to Integer(0).

The default my-account.psml page contains only the ChangePasswordPortlet to make sure a user which is required to change the password cannot interact with the portal any other way then after the password is changed.

Although the user might be attempted to select a link to a different page (from a portal menu for exampl), this valve will make sure only the configured "security" locator page is returned if it is required. But, once the password is changed the then targeted page in the url will be navigated to automatically.