Tags: security, grails, spring-security, change-password

Grails + Acegi: How to handle password renewal? Logged-in vs not-logged-in user


I'm writing a module to force a user whose password has expired to renew their password. This app uses the acegi security plugin. After the expired credentials are detected, the user is redirected to an "insert a new password" page. However, when the form is submitted, the auth action is executed instead of the desired one (renewPassword).

I suspect that this happens because the user is not logged in, so I was wondering if there exists a better approach for this.

For example, letting the user log in, but disabling their account until they refresh their password.

Is this the right way to go?

Update

Come to think of it, as acegi is doing all the "check for expired credentials" work, I won't be able to log the user in and then change it, as I get a CredentialsExpiredException on authentication failure. So is there a way to do this?


Solution

  • Finally solved it the "easy, not programmatic, conf. file" way.

    In SecurityConfig.groovy I added an entry to the requestMapString

    /login/renewpassword = IS_AUTHENTICATED_ANONYMOUSLY

    This way, the renewpassword action inside the loginController can be executed without having the user logged in.

    Thanks everyone for your time.
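As an added example (not the asker's code, and not from the acegi plugin itself), here is the shape the `renewpassword` action can take once it is mapped `IS_AUTHENTICATED_ANONYMOUSLY`: because that mapping lets anyone reach the action, nothing upstream has verified the caller, so the action has to check the expired credentials itself before writing a new password. It assumes the plugin's generated `User` domain class with `username` and `passwd` fields, the plugin's `authenticateService.encodePassword` with no salt source, and a `passwordExpired` flag that the asker's own expiry check reads; all of those names are assumptions.

```groovy
// Added example, not the asker's code. Assumes the acegi plugin's generated
// User domain class (username, passwd), its authenticateService with an
// unsalted encoder, and a passwordExpired flag used by the asker's own
// expiry check. All field and class names are assumptions.
class LoginController {

    def authenticateService

    // Mapped as IS_AUTHENTICATED_ANONYMOUSLY in SecurityConfig.groovy, so the
    // filter chain has not authenticated the caller: this action must prove
    // the caller knows the (expired) password before it changes anything.
    def renewpassword = {
        if (!request.post) {
            render(view: 'renewpassword')
            return
        }

        String username    = params.username
        String oldPassword = params.oldPassword
        String newPassword = params.newPassword
        String confirm     = params.confirm

        def user = User.findByUsername(username)

        // One generic message for "no such user" and "wrong password", so the
        // anonymous action does not double as an account-enumeration oracle.
        boolean credentialsOk = user != null &&
            user.passwd == authenticateService.encodePassword(oldPassword)
        if (!credentialsOk) {
            flash.message = 'Invalid username or password'
            render(view: 'renewpassword')
            return
        }

        // Minimal policy on the new value; extend to match the app's rules.
        if (newPassword != confirm || newPassword == oldPassword ||
            newPassword.size() < 8) {
            flash.message = 'New password rejected'
            render(view: 'renewpassword', model: [username: username])
            return
        }

        user.passwd = authenticateService.encodePassword(newPassword)
        user.passwordExpired = false   // assumed flag behind CredentialsExpiredException
        user.save(flush: true)

        // Send the user back through the normal login with the new password.
        redirect(action: 'auth')
    }
}
```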