I implemented JDBC realm form authentication on my Tomcat instance. User names and their roles are stored in database tables, and the administrator should assign permanent passwords for users. Is it possible to ask the user to change the password on the first attempt to log in, so that passwords are not prescribed by the administrator but can be generated by the users themselves?
I guess you have to implement this yourself. You could for instance add an extra column isPasswordSet to the user table, with default value false. Then, after a user logs in for the first time, using the password provided by the administrator, redirect to a page where he or she must provide their own password, allowing only users with isPasswordSet=true to the rest of the application. Once the user has finished this step, provided the supplied password is deemed valid, set isPasswordSet to true and one may proceed.
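One way to enforce the gate described in the answer above, as an added example that is not part of the original answer: a servlet filter that sends any authenticated user whose isPasswordSet column is still false to the password-change page. It assumes Tomcat 10+ (jakarta.* packages; on Tomcat 9 the same classes live under javax.servlet), and the table name users, key column user_name, DataSource name jdbc/authDB and path /change-password are hypothetical.

```java
import jakarta.annotation.Resource;
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.*;
import javax.sql.DataSource;
import java.io.IOException;
import java.sql.*;

// Added example. Assumed names: users / user_name, jdbc/authDB, /change-password.
@WebFilter("/*")
public class ForcePasswordChangeFilter implements Filter {
    private static final String CHANGE_PATH = "/change-password"; // hypothetical page
    private static final String SESSION_FLAG = "passwordSet";

    @Resource(name = "jdbc/authDB") // hypothetical DataSource on the realm's database
    private DataSource ds;

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = req.getRemoteUser(); // null until the realm has authenticated
        // Anonymous requests and the change page itself pass through untouched.
        if (user == null || CHANGE_PATH.equals(req.getServletPath())) {
            chain.doFilter(rq, rs);
            return;
        }
        HttpSession session = req.getSession();
        if (!Boolean.TRUE.equals(session.getAttribute(SESSION_FLAG))) {
            if (!isPasswordSet(user)) { // still on the administrator's password
                res.sendRedirect(req.getContextPath() + CHANGE_PATH);
                return;
            }
            session.setAttribute(SESSION_FLAG, Boolean.TRUE); // skip the query next time
        }
        chain.doFilter(rq, rs);
    }

    // A missing row counts as "not set"; a database error fails the request (fail closed).
    private boolean isPasswordSet(String user) throws ServletException {
        String sql = "SELECT isPasswordSet FROM users WHERE user_name = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet r = ps.executeQuery()) {
                return r.next() && r.getBoolean(1);
            }
        } catch (SQLException e) {
            throw new ServletException("password-state lookup failed", e);
        }
    }
}
```

The handler behind the change page has to store the new password in the format the realm is configured to verify, set isPasswordSet to true in the same transaction, and then set the session attribute so the user can continue.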