
Tomcat 8 JDBC Realm: change user's password


I implemented JDBC realm form authentication on my Tomcat instance. User names and their roles are stored in database tables, and an administrator should assign permanent passwords for users. Is it possible to ask the user to change the password on the first attempt to log in, so that passwords are not prescribed by the administrator but can be generated by the users themselves?


Solution

  • I guess you have to implement this yourself. You could, for instance, add an extra column isPasswordSet to the user table, with default value false. Then, after a user logs in for the first time using the password provided by the administrator, redirect to a page where he or she must provide their own password, allowing only users with isPasswordSet=true into the rest of the application. Once the user has finished this step, provided the supplied password is deemed valid, set isPasswordSet to true and one may proceed.
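
One way to enforce the flag on every request rather than only at the moment of login, as an added example that is not code from the answer or from Tomcat: a servlet filter using the Tomcat 8 `javax.servlet` API. The table `users`, the column `user_name`, the JNDI name `jdbc/authDB` and the path `/change-password` are assumptions; only `isPasswordSet` comes from the answer.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Added example: blocks the application until the user has replaced the admin-issued password.
public class ForcePasswordChangeFilter implements Filter {
    private static final String CHANGE_PAGE = "/change-password"; // assumed servlet path
    private DataSource ds;
    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/authDB"); // assumed JNDI name
        } catch (NamingException e) { throw new ServletException(e); }
    }
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = req.getRemoteUser(); // null until the realm has authenticated the caller
        if (user == null || CHANGE_PAGE.equals(req.getServletPath())) {
            chain.doFilter(rq, rs);        // the container's security constraints still apply
            return;
        }
        HttpSession session = req.getSession();
        if (session.getAttribute("passwordSet") == null) { // only the "true" state is cached
            if (!isPasswordSet(user)) {
                res.sendRedirect(req.getContextPath() + CHANGE_PAGE);
                return;                    // never reaches the rest of the application
            }
            session.setAttribute("passwordSet", Boolean.TRUE);
        }
        chain.doFilter(rq, rs);
    }
    private boolean isPasswordSet(String user) throws ServletException {
        String sql = "SELECT isPasswordSet FROM users WHERE user_name = ?"; // assumed schema
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet r = ps.executeQuery()) {
                return r.next() && r.getBoolean(1); // missing row fails closed
            }
        } catch (SQLException e) { throw new ServletException(e); }
    }
    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in `web.xml`. The handler behind the change page must store the new password in the format the realm is configured to verify before it sets `isPasswordSet` to true.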