Spring boot Spring Boot:如何告诉客户端帐户密码已过期?
我在控制器中有一个简单的登录表单和login()方法:Spring boot Spring Boot:如何告诉客户端帐户密码已过期?,spring-boot,jwt,Spring Boot,Jwt,我在控制器中有一个简单的登录表单和login()方法: @PostMapping("/login") public ResponseEntity<UserVO> login(@RequestBody UserVO userVO) { Authentication authentication = authenticationManager.authenticate( new UsernamePasswordAuthenticationToken(
@PostMapping("/login")
public ResponseEntity<UserVO> login(@RequestBody UserVO userVO) {
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
userVO.getUsername(),
userVO.getPassword()
)
);
SecurityContextHolder.getContext().setAuthentication( authentication );
// ...
return ResponseEntity.ok( loggedInUser );
}
当我将列password\u expiration的值设置为使用户密码过期时,Spring Boot的authenticationManager.authenticate()方法在下次登录尝试时抛出AccountExpiredException异常:
package org.springframework.security.authentication;
public class AccountExpiredException extends AccountStatusException {
public AccountExpiredException(String msg) {
super(msg);
}
public AccountExpiredException(String msg, Throwable t) {
super(msg, t);
}
}
JSON的响应是:
{
"timestamp":"2018-07-26T22:53:05.392+0000",
"status":401,
"error":"Unauthorized",
"message":"Unauthorized",
"path":"/login"
}
每当密码错误或UserVO的某个方法(它反过来实现UserDetails)返回false时,我都会得到相同的JSON响应(401错误代码):
boolean isAccountNonExpired();
boolean isAccountNonLocked();
boolean isCredentialsNonExpired();
boolean isEnabled();
到目前为止还不错
当用户登录并且密码过期时,我想将UI重定向到强制密码更改页面。但是怎么做呢?我总是得到相同的JSON响应
1) 由于返回的JSON输出总是HTTP 401错误,如何获得更细粒度的响应?(如何告知客户端代码密码已过期?)
2) 通知用户其帐户已锁定/过期/禁用通常被认为是好的做法还是坏的做法?(良好的用户体验与向黑客泄露帐户状态信息相比)也许不是最好的解决方案,但我通过设置“消息”字段解决了这个问题: 现在我得到的回答是:
{
"timestamp":"2018-07-27T12:54:53.097+0000",
"status":401,
"error":"Unauthorized",
"message":"credentials_expired",
"path":"/login"
}
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {
@Override
public void commence(HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException) throws IOException {
String message = "Unauthorized";
if ( authException instanceof BadCredentialsException )
message = AUTH_CREDENTIALS_BAD;
else if ( authException instanceof CredentialsExpiredException )
message = AUTH_CREDENTIALS_EXPIRED;
else if ( authException instanceof LockedException )
message = AUTH_ACCOUNT_LOCKED;
else if ( authException instanceof DisabledException )
message = AUTH_ACCOUNT_DISABLED;
else if ( authException instanceof AccountExpiredException )
message = AUTH_ACCOUNT_EXPIRED;
response.sendError( HttpServletResponse.SC_UNAUTHORIZED, message );
}
}
{
"timestamp":"2018-07-27T12:54:53.097+0000",
"status":401,
"error":"Unauthorized",
"message":"credentials_expired",
"path":"/login"
}