General J2EE: How to implement complicated authentication for a web (J2EE) app

  1. My web (j2ee) application requires some complex login mechanism. Specifically:

        1. User must change the default password when they first login.
        2. Session time is 30 mins. User is prompted to login to continue the current work.
3. User must change password every 3 months.

      It seems it is absolutely impossible to adapt the OC4J built-in authentication mechanism to reach this purpose. We thought to use filters. However, not only do we have to write all the security stuff, but we also have difficulty reaching purpose 2. In addition, it is not integrated with the J2EE server.

       Any idea will be helpful.
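The filter approach the question mentions can cover all three requirements. The following servlet filter is an added example that is not part of the original post and is not OC4J code; it targets the standard `javax.servlet` API. It assumes a hypothetical `PasswordState` object that your login servlet stores in the session under the attribute `passwordState` after a successful login (that object, the page paths, and the `returnTo` attribute are all assumptions of this example). Requirement 1 and 3 are enforced by redirecting to the change-password page; requirement 2 is handled by letting the container expire the session after 30 idle minutes and remembering the requested URL so the login servlet can send the user back to the work they were doing.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative password-policy filter (example code, not from the original thread).
 * Assumes the login servlet stores a PasswordState under the session attribute
 * "passwordState" once the user has authenticated.
 */
public class PasswordPolicyFilter implements Filter {

    /** Hypothetical record written by the login servlet; not part of any real product. */
    public static final class PasswordState {
        public final boolean mustChangeOnFirstLogin; // still on the default password
        public final Instant lastChanged;            // when the password was last set
        public PasswordState(boolean mustChangeOnFirstLogin, Instant lastChanged) {
            this.mustChangeOnFirstLogin = mustChangeOnFirstLogin;
            this.lastChanged = lastChanged;
        }
    }

    static final Duration MAX_PASSWORD_AGE = Duration.ofDays(90); // "every 3 months"
    static final int SESSION_TIMEOUT_SECONDS = 30 * 60;           // "session time is 30 mins"
    static final String LOGIN_PAGE = "/login.jsp";                // assumed page
    static final String CHANGE_PASSWORD_PAGE = "/changePassword.jsp"; // assumed page

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // The login and change-password pages must stay reachable, or we loop forever.
        if (LOGIN_PAGE.equals(path) || CHANGE_PASSWORD_PAGE.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        PasswordState state = (session == null)
                ? null
                : (PasswordState) session.getAttribute("passwordState");

        if (state == null) {
            // Either never logged in, or the container invalidated the session after
            // 30 idle minutes. Record the requested URL (server-relative, so it cannot
            // be turned into an open redirect) so the login servlet can resume the work.
            HttpSession fresh = request.getSession(true);
            fresh.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
            String query = request.getQueryString();
            fresh.setAttribute("returnTo",
                    request.getRequestURI() + (query == null ? "" : "?" + query));
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Requirement 1 (default password) and requirement 3 (older than 90 days).
        if (state.mustChangeOnFirstLogin || isExpired(state.lastChanged, Instant.now())) {
            response.sendRedirect(request.getContextPath() + CHANGE_PASSWORD_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    /** A missing timestamp is treated as expired so a bad record cannot bypass the policy. */
    static boolean isExpired(Instant lastChanged, Instant now) {
        return lastChanged == null
                || Duration.between(lastChanged, now).compareTo(MAX_PASSWORD_AGE) > 0;
    }
}
```

Map the filter to `/*` in `web.xml` and set the same 30 minutes declaratively with `<session-config><session-timeout>30</session-timeout></session-config>` so the timeout also applies to sessions the filter never touched. Two caveats a practitioner would add: the login servlet should invalidate the pre-login session and create a new one (carrying `returnTo` across) so an attacker cannot fix a session id before the victim authenticates, and `lastChanged` must come from the credential store, not from anything the client sends, or the expiry check is trivially bypassed.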

  2. I have implemented these features before but the way forward is to buy them off the shelf. There are professional products out there which provide the features you speak of and more. Check out Netegrity's SiteMinder or IBM's Tivoli Access Manager - it'll save your company money in the long term.


    n.b. I don't work for any of the above companies :)