This section describes the features that allow you to force passwords to expire periodically or all at the same time.
The password expiration feature allows you to require users to change their passwords after a specified period of time, for example 90 or 120 days.
Enabling Password Expiration
Password expiration is disabled by default. Password expiration must be enabled to either require regular password changes, or force password expiration on all users.
To enable password expiration:
1. Override or edit the properties file at /atg/userprofiling/ExpiredPasswordService and set enabled=true.
2. Add a change password JSP or JHTML page to your sites. This is the form that users are redirected to when it is determined that their password has expired. This can be done using the ACC page template wizard.
3. Configure the ExpiredPasswordService.redirectPath property to point to the change password JSP/JHTML page you created.
4. Optionally, configure the ExpiredPasswordService.passwordValidForNumDays property to the number of days a password remains valid.
ATG recommends that the change password page be completely static HTML. Once it has been determined that the user's password has expired, all requests passing through the servlet pipeline are redirected to the URL in the redirectPath property. Any linked elements in the change password page, such as links to CSS files or images, must be explicitly set in the /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet.localUrlsToAllow property in order for the page to render correctly. Note that you do not need to list page includes using dsp:include and jsp:include tags in localUrlsToAllow; these bypass the redirect. An example follows:
localUrlsToAllow=/templates/style/css/style1.jsp,/templates/style/css/style2.jsp
Password Expiration Process
Password expiration works as follows:
1. After a user successfully completes the login process, the ProfileFormHandler calls the /atg/userprofiling/ExpiredPasswordService component to determine if the user's password is expired.
2. This component adds the value of the passwordValidForNumDays property in the ExpiredPasswordService component to the profile's lastPasswordUpdate. The result is the date through which the password is valid. If the lastPasswordUpdate value is null, it sets the property to 1/1/1970.
3. The component compares the result to the current date. If the current date is after the result, it marks the password as expired by setting the passwordexpired session variable to true.
4. The ExpiredPasswordServlet checks the passwordexpired session variable. If true, it redirects the user to the change password form URL defined in the ExpiredPasswordService.redirectPath property.
5. When the user submits the change password form successfully, the passwordexpired session variable is set to false. The lastPasswordUpdate property is set to the current timestamp and persisted. The user can then browse the site as usual.
If the user leaves the site before completing the change password form successfully, the session times out. The password expiration process is repeated the next time the user logs in.
Example 1:
passwordValidForNumDays = 90
lastPasswordUpdate in Jim's profile = 01/01/2005
today's date = 03/17/2005
passwordValidForNumDays + lastPasswordUpdate = 01/04/2005, which is after today's date. The passwordexpired session variable is set to false for Jim's current session.
Example 2:
passwordValidForNumDays = 90
lastPasswordUpdate in Jim's profile = 01/01/2005
today's date = 05/17/2005
passwordValidForNumDays + lastPasswordUpdate = 01/04/2005, which is before today's date. The passwordexpired session variable is set to true for Jim's profile.
Forcing All Passwords to Expire
As well as configuring passwords to expire individually according to the date of the last change, you can force all passwords in the profile repository to expire on the same date. To do so, set the forcePasswordUpdateTimeStamp property in the /atg/userprofiling/ExpiredPasswordService component to the date when you want the passwords to expire. The property is a timestamp that is set to 01/01/2000 by default. All users will be prompted to change their passwords the first time they log in after the specified date.
To expire all passwords immediately and force all users to change their passwords the next time they log in, set the value to the current date. Setting the forcePasswordUpdateTimeStamp value to a date in the future schedules all passwords to expire on that date.
The examples below are all valid formats for specifying the property value:
04/23/2007 4:45
April 23 2007
April 23 2007 4pm
23 April 2007 16:45
Forced password expiration works as follows:
1. After a user successfully completes the login process, the ProfileFormHandler calls the /atg/userprofiling/ExpiredPasswordService component, which compares the forcePasswordUpdateTimeStamp value to the lastPasswordUpdate property in the user's profile.
2. If the force update value is after the last password update and before the current date, the password is marked as expired, and the process for having the user change the password is initiated. See the Password Expiration Process section for details.
Example 1:
forcePasswordUpdateTimeStamp = 04/04/2005
lastPasswordUpdate in Maria's profile = 02/15/2004
today's date = 05/17/2005
The force update value is after the last password update and also before today's date, so the passwordexpired session variable is set to true for Maria's current session.
Example 2:
forcePasswordUpdateTimeStamp = 04/04/2005
lastPasswordUpdate in Maria's profile = 04/15/2004
today's date = 05/17/2005
The force update value is before the last password update, so the passwordexpired session variable is not set for Maria's current session.
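The two checks described above (age-based expiration in the Password Expiration Process section and the forcePasswordUpdateTimeStamp comparison in this section) can be modelled as a few date comparisons. The following Python is an added example written for this page; it is not ATG code and the function names, the dict-based session and profile, and the input dates are constructed for illustration. It carries the date arithmetic through with the real calendar, treats a null lastPasswordUpdate as 1/1/1970 as the page states, and models the servlet's redirect decision including the localUrlsToAllow bypass. Treating the redirectPath itself as reachable is an assumption needed for the change password page to render.

```python
from datetime import date, timedelta
from typing import Optional

# Page: a null lastPasswordUpdate is treated as 1/1/1970.
EPOCH = date(1970, 1, 1)


def password_valid_through(last_password_update: Optional[date], valid_for_days: int) -> date:
    """Date through which the password is valid: lastPasswordUpdate + passwordValidForNumDays."""
    base = last_password_update if last_password_update is not None else EPOCH
    return base + timedelta(days=valid_for_days)


def is_expired_by_age(last_password_update: Optional[date], valid_for_days: int, today: date) -> bool:
    """Expired when today is after the date through which the password is valid."""
    return today > password_valid_through(last_password_update, valid_for_days)


def is_expired_by_force(last_password_update: Optional[date], force_update_ts: date, today: date) -> bool:
    """Expired when forcePasswordUpdateTimeStamp is after the last update and before today."""
    base = last_password_update if last_password_update is not None else EPOCH
    return base < force_update_ts < today


def check_on_login(session: dict, profile: dict, config: dict, today: date) -> dict:
    """Models what ExpiredPasswordService does after a successful login:
    sets the passwordexpired session variable from both checks."""
    last = profile.get("lastPasswordUpdate")
    expired = (
        is_expired_by_age(last, config["passwordValidForNumDays"], today)
        or is_expired_by_force(last, config["forcePasswordUpdateTimeStamp"], today)
    )
    session["passwordexpired"] = expired
    return session


def redirect_for(session: dict, request_path: str, config: dict) -> Optional[str]:
    """Models ExpiredPasswordServlet: while passwordexpired is true, every request is
    redirected to redirectPath except the allowed local URLs (and, as an assumption
    in this example, the redirect target itself)."""
    if not session.get("passwordexpired"):
        return None
    if request_path == config["redirectPath"] or request_path in config["localUrlsToAllow"]:
        return None
    return config["redirectPath"]


def complete_password_change(session: dict, profile: dict, today: date) -> None:
    """Successful change form submission: clear the flag and persist the new timestamp."""
    session["passwordexpired"] = False
    profile["lastPasswordUpdate"] = today


# Constructed configuration mirroring the properties named on the page.
CONFIG = {
    "passwordValidForNumDays": 90,
    "forcePasswordUpdateTimeStamp": date(2000, 1, 1),  # page's stated default
    "redirectPath": "/change_password.jsp",            # hypothetical page
    "localUrlsToAllow": {"/templates/style/css/style1.jsp", "/templates/style/css/style2.jsp"},
}


if __name__ == "__main__":
    # Constructed walk-through: Jim's password from the page's examples.
    jim = {"lastPasswordUpdate": date(2005, 1, 1)}
    session = check_on_login({}, jim, CONFIG, date(2005, 5, 17))
    print("expired:", session["passwordexpired"])
    print("redirect for /home.jsp:", redirect_for(session, "/home.jsp", CONFIG))
    print("redirect for css:", redirect_for(session, "/templates/style/css/style1.jsp", CONFIG))
    complete_password_change(session, jim, date(2005, 5, 17))
    print("after change, redirect:", redirect_for(session, "/home.jsp", CONFIG))
```

Note that both checks are only evaluated at login; a user whose password crosses the expiry date mid-session is not redirected until the next login, which matches the process the page describes.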
Notifying Users of Impending Expiration
You can include the PasswordExpiresSoon droplet on a page to notify users when their password is about to expire.
This droplet can be found and configured at /atg/dynamo/droplet/PasswordExpiresSoon. The displayCount setting determines how many times per session the password expiration notification is shown to the customer logging in.
The droplet form is:
<dsp:droplet name="/atg/userprofiling/PasswordExpiresSoon">
  <dsp:param name="login" bean="/atg/userprofiling/Profile.login"/>
  <dsp:oparam name="soontoexpiremessage">
    <p>Password will expire in <dsp:valueof param="daysUntilExpired"></dsp:valueof> days.</p>
    <p>Change password form here: <dsp:valueof param="changePwdLocalUrl"></dsp:valueof><br /></p>
  </dsp:oparam>
</dsp:droplet>