Changing password using Spring security

Question

I use,

• Spring Framework 4.0.0 RELEASE (GA)
• Spring Security 3.2.0 RELEASE (GA)
• Struts 2.3.16

in which I use,

o         


        

Answer 1

A method to change the password is a good solution, as there is no special functionality for this in spring security.

The reason why no special functionality exists for this in spring security, is that it's not needed if using a session.

The user's current session identified by the JSESSIONID cookie is still residing in the user's browser and will still be a valid session after the password change.

When the old password was checked the last time the user logged in, a cookie was generated and kept in a map of valid cookies in memory.

The temporary authentication token (the cookie) is still valid and has a max. lifetime, and changing the password on the database will not impact the current session validity.

Answer 2

I agree with the answer @jhadesdev;

Note that by calling Spring's JdbcUserDetailsManager.changePassword(), Spring updates the context-holder, plus updates the DB with the new password.

Spring does not handle the cookie, since it does not force your app to be a web application. so I guess if that is the case, a higher level layer in your app should update the session.

PS - out of curiosity - how did you implement the registration flow, and forgot password flow, etc? Spring does not handle this either. I have written a project that takes care of these flows...