java spring security,如果登录用户被禁用,如何知道密码是不是错误
Posted
技术标签:
【中文标题】java spring security,如果登录用户被禁用,如何知道密码是不是错误【英文标题】:java spring security, if login user is disabled, how to know password is wrong or notjava spring security,如果登录用户被禁用,如何知道密码是否错误 【发布时间】:2013-04-27 09:14:39 【问题描述】:**Login** in *spring security*, when user is disabled, i can't know the password is wrong or not.
please,tell me how.
[AbstractUserDetailsAuthenticationProvider][1]
春季安全:
AbstractUserDetailsAuthenticationProvider.authenticate()
// (1) check disabled, if disabled, ***throw exception***
preAuthenticationChecks.check(user);
// (2)check password
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
标题
(1)`public void check(UserDetails user)
if (!user.isAccountNonLocked())
logger.debug("User account is locked");
throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",
"User account is locked"), user);
if (!user.isEnabled())
logger.debug("User account is disabled");
throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",
"User is disabled"), user);
if (!user.isAccountNonExpired())
logger.debug("User account is expired");
throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",
"User account has expired"), user);
`
(2)`protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) 抛出 AuthenticationException 对象盐 = null;
if (this.saltSource != null)
salt = this.saltSource.getSalt(userDetails);
if (authentication.getCredentials() == null)
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
String presentedPassword = authentication.getCredentials().toString();
if (!passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt))
logger.debug("Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
`
【问题讨论】:
如果用户被禁用,为什么要检查密码? @ArunPJohny 如果密码错误,返回登录页面;否则重定向用户激活页面 【参考方案1】:处理此问题的一种方法是在登录页面中添加重定向
AuthenticationException ex = ((AuthenticationException) request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION));
if(ex instanceof DisabledException)
//Send redirect
【讨论】:
如果密码错误,AuthenticationException 也是 DisabledException 的实例。 不,反之亦然,DisabledException
是AuthenticationException
的子类,错误的密码将给出另一个名为BadCredentialException
的子类
我的意思是当用户被禁用并输入错误的密码时,只会得到 DisabledException以上是关于java spring security,如果登录用户被禁用,如何知道密码是不是错误的主要内容,如果未能解决你的问题,请参考以下文章
如何从 Spring Security 中的 java 代码登录用户?
Spring Security(Java Config)登录 - 根据用户角色返回不同的 URL
Spring mvc / security:从spring security中排除登录页面