
Changing the password at the first login #5323

Open
KremnevDmitry wants to merge 9 commits into master from feature/1370-changing-the-password-at-the-first-login

Conversation

@KremnevDmitry
Contributor

Summary

Added optional support for forcing a user to change their password at the next logon. The feature is opt-in and inert for applications whose user entity does not enable it.

What was done

  • Introduced the @PasswordChangeRequired meta-annotation (module security) for a Boolean/boolean attribute on the application's user entity. Its presence activates the feature. A new PasswordChangeRequiredSupport bean reads and writes that flag; if no annotated attribute exists it is a full no-op.
  • UserManager.resetPasswords(...) gained a resetPasswords(Set, boolean saveChanges, boolean requireChangeAtNextLogon) overload; the previous one- and two-argument methods now delegate with requireChangeAtNextLogon = true.
  • The standard database user repository (AbstractDatabaseUserRepository, module security-data) clears the flag when a user changes their own password and sets it according to requireChangeAtNextLogon when passwords are reset.
  • After login, a forced, non-dismissible ChangePasswordView dialog is shown while the flag is set (module security-flowui, via PasswordChangeRequiredViewListener). The admin ResetPasswordView got a "Require change at next logon" checkbox.
  • Added changePasswordView to UiMinimalPolicies so any authenticated user is allowed to open the forced dialog.
  • Project templates now ship a passwordChangeRequired attribute on the generated User entity plus the Liquibase column.

How it works

A ViewOpenedEvent listener checks the current user after login. If the annotated attribute is true, a modal ChangePasswordView opens and blocks interaction (Esc / outside-click disabled, no close button) until the password is changed; it cannot be bypassed via direct URL, and duplicate dialogs are guarded against. On success the flag is cleared in the database and on the cached principal, so later logins are unaffected. Applications without the annotation see no change.

How to use

Add a Boolean attribute to your User entity and annotate it with @PasswordChangeRequired (the standard project template now does this for new projects). Set it to true to force a change at the user's next logon — manually, or by resetting the user's password (the admin reset-password dialog sets it by default; UserManager.resetPasswords(users, saveChanges, requireChangeAtNextLogon) controls it programmatically).

Breaking changes

UserManager has a new abstract method resetPasswords(Set, boolean, boolean). Code that implements UserManager directly must implement it; applications extending AbstractDatabaseUserRepository are unaffected. Worth a release-note entry.

Compatibility: opt-in; existing applications whose user entity has no @PasswordChangeRequired attribute are unaffected.
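The following is an added, self-contained illustration of the flag semantics the description above lays out; it is example code written for this page, not code from the PR or from the Jmix framework. Every class in it (User, LegacyUser, HasPassword, PasswordChangeRequiredSupport, DemoUserManager, PasswordChangeRequiredViewGuard) is a hypothetical stand-in for the real framework classes, the annotation is a local copy so the file compiles on its own, and the "hash(...)" strings are a constructed placeholder for real password hashing. It shows the three behaviours a reviewer would want to see hold: a reset sets the flag (the one-argument overload defaulting to true), a self-service change clears it, and a user entity without the annotated attribute is a complete no-op, including when the user requests some other view directly.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

// Local stand-in for the PR's @PasswordChangeRequired meta-annotation (assumption:
// the real one is in the Jmix security module; this copy just needs RUNTIME retention).
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface PasswordChangeRequired {}

// Hypothetical common base so the demo manager can store a hash on either entity.
interface HasPassword { void setPasswordHash(String hash); }

// Hypothetical user entity that opts in, as the updated project template would generate it.
class User implements HasPassword {
    final String username;
    String passwordHash;
    @PasswordChangeRequired
    Boolean passwordChangeRequired;   // null or false: nothing to do; true: force a change
    User(String username) { this.username = username; }
    public void setPasswordHash(String hash) { passwordHash = hash; }
}

// Hypothetical user entity from an older project that never added the attribute.
class LegacyUser implements HasPassword {
    final String username;
    String passwordHash;
    LegacyUser(String username) { this.username = username; }
    public void setPasswordHash(String hash) { passwordHash = hash; }
}

// Models the behaviour described for PasswordChangeRequiredSupport: find the annotated
// Boolean/boolean attribute by reflection, read and write it, and do nothing when absent.
final class PasswordChangeRequiredSupport {
    private static Optional<Field> flagField(Object user) {
        for (Field f : user.getClass().getDeclaredFields()) {
            boolean booleanType = f.getType() == Boolean.class || f.getType() == boolean.class;
            if (f.isAnnotationPresent(PasswordChangeRequired.class) && booleanType) {
                f.setAccessible(true);
                return Optional.of(f);
            }
        }
        return Optional.empty();
    }

    static boolean isChangeRequired(Object user) {
        return flagField(user).map(f -> {
            try { return Boolean.TRUE.equals(f.get(user)); }
            catch (IllegalAccessException e) { throw new IllegalStateException(e); }
        }).orElse(false);   // no annotated attribute: never force a change
    }

    static void setChangeRequired(Object user, boolean value) {
        flagField(user).ifPresent(f -> {
            try { f.set(user, value); }
            catch (IllegalAccessException e) { throw new IllegalStateException(e); }
        });
    }
}

// Models the two paths that touch the flag: an admin reset sets it from
// requireChangeAtNextLogon, a self-service change clears it. The short overload
// delegates with requireChangeAtNextLogon = true, as the PR says the old ones now do.
final class DemoUserManager {
    static void resetPasswords(Set<HasPassword> users) { resetPasswords(users, true); }

    static void resetPasswords(Set<HasPassword> users, boolean requireChangeAtNextLogon) {
        for (HasPassword u : users) {
            u.setPasswordHash("hash(" + UUID.randomUUID() + ")"); // constructed temp password
            PasswordChangeRequiredSupport.setChangeRequired(u, requireChangeAtNextLogon);
        }
    }

    static void changeOwnPassword(HasPassword user, String newPassword) {
        user.setPasswordHash("hash(" + newPassword + ")");
        PasswordChangeRequiredSupport.setChangeRequired(user, false);  // cleared on success
    }
}

// Equivalent of the post-login view check: whatever view was requested, including a
// direct URL, the forced dialog wins while the flag is set.
final class PasswordChangeRequiredViewGuard {
    static String viewToShow(Object user, String requestedView) {
        return PasswordChangeRequiredSupport.isChangeRequired(user)
                ? "ChangePasswordView (modal, non-dismissible)"
                : requestedView;
    }
}

public class Demo {
    public static void main(String[] args) {
        User alice = new User("alice");
        LegacyUser bob = new LegacyUser("bob");
        DemoUserManager.resetPasswords(Set.<HasPassword>of(alice, bob));
        System.out.println(PasswordChangeRequiredViewGuard.viewToShow(alice, "MainView"));
        System.out.println(PasswordChangeRequiredViewGuard.viewToShow(alice, "/reports"));
        System.out.println(PasswordChangeRequiredViewGuard.viewToShow(bob, "MainView"));
        DemoUserManager.changeOwnPassword(alice, "new-and-long-enough");
        System.out.println(PasswordChangeRequiredViewGuard.viewToShow(alice, "MainView"));
    }
}
```

Compile and run with `javac Demo.java && java Demo`. One design point worth carrying into a real implementation: the guard consults the flag on every view open rather than once at login, which is what makes the direct-URL bypass described above impossible, and the check on the legacy entity shows the cost of opting out is a single failed reflection lookup, not a changed code path.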

@KremnevDmitry KremnevDmitry requested a review from glebfox May 27, 2026 08:59
@KremnevDmitry KremnevDmitry self-assigned this May 27, 2026
@KremnevDmitry KremnevDmitry linked an issue May 27, 2026 that may be closed by this pull request

Development

Successfully merging this pull request may close these issues.

Changing the password at the first login