java spring security，如果登录用户被禁用，如何知道密码是不是错误

Posted 2023-02-27

【中文标题】java spring security，如果登录用户被禁用，如何知道密码是不是错误

【英文标题】：java spring security, if login user is disabled, how to know password is wrong or notjava spring security，如果登录用户被禁用，如何知道密码是否错误

【发布时间】：2013-04-27 09:14:39

【问题描述】：

**Login** in *spring security*, when user is disabled, i can't know the password is wrong or not.
please,tell me how.
[AbstractUserDetailsAuthenticationProvider][1]

春季安全：

AbstractUserDetailsAuthenticationProvider.authenticate()
 // (1) check disabled, if disabled, ***throw exception***
 preAuthenticationChecks.check(user);
 // (2)check password
 additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);

标题

(1)`public void check(UserDetails user) 
        if (!user.isAccountNonLocked()) 
            logger.debug("User account is locked");

            throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",
                    "User account is locked"), user);
        

        if (!user.isEnabled()) 
            logger.debug("User account is disabled");

            throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",
                    "User is disabled"), user);
        

        if (!user.isAccountNonExpired()) 
            logger.debug("User account is expired");

            throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",
                    "User account has expired"), user);
        
    `

(2)`protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) 抛出 AuthenticationException 对象盐 = null;

    if (this.saltSource != null) 
        salt = this.saltSource.getSalt(userDetails);
    

    if (authentication.getCredentials() == null) 
        logger.debug("Authentication failed: no credentials provided");

        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    

    String presentedPassword = authentication.getCredentials().toString();

    if (!passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) 
        logger.debug("Authentication failed: password does not match stored value");

        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    
`

【问题讨论】：

如果用户被禁用，为什么要检查密码？

@ArunPJohny 如果密码错误，返回登录页面；否则重定向用户激活页面

【参考方案1】：

处理此问题的一种方法是在登录页面中添加重定向

AuthenticationException ex = ((AuthenticationException) request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION));
if(ex instanceof DisabledException)
    //Send redirect

【讨论】：

如果密码错误，AuthenticationException 也是 DisabledException 的实例。

不，反之亦然，DisabledException 是AuthenticationException 的子类，错误的密码将给出另一个名为BadCredentialException 的子类

我的意思是当用户被禁用并输入错误的密码时，只会得到 DisabledException