...
This is the standard jboss module. For jboss 5 add the following to the login-config.xml file
...
<application-policy
...
name="bwselfreg">
...
<authentication>
...
<login-module
...
code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
...
flag="required">
...
<module-option
...
name="dsJndiName">java:/selfregDS</module-option>
...
<module-option
...
name="principalsQuery">select
...
bw_pw
...
from
...
bw_accounts
...
where
...
bw_account=?
...
and
...
bw_enabled='T'</module-option>
...
<module-option
...
name="rolesQuery">select
...
bw_role,
...
'Roles'
...
from
...
bw_roles
...
where
...
bw_account=?</module-option>
...
<module-option
...
name="hashAlgorithm">SHA</module-option>
...
<module-option
...
name="hashEncoding">base64</module-option>
...
</login-module>
...
</authentication>
...
</application-policy>
Flow of messages
As usual with these we use a combination of web pages, captcha and email to try to produce a secure transaction. Fields of importance are the email, userid, a confirmation id (confid), current password (curPw), new password (newPw)
New unregistered user
- Go to register form.
- Fill in all the details.
- Submit
- New entry added with a new confid and timestamp.
- email sent to user with confirmation link
- user clicks on link
- account enabled
- response message sent
Forgot password
- Go to forgot password page
- Enter account + submit
- New confid set in entry
- email sent to user with confid
- user clicks link
- reaches page with usual details filled in - except password.
- submits - password updated - message sent
If a malevolent user starts the process they need not only the account but access to the users email.
Forgot Id
- Go to forgot id page (possibly the same page)
- Enter their email address.
- Email with userid sent to that email.
- If they don't know the password can use the forgot password.