Fatal编程技术网
  • spring-boot/
  • Spring boot Spring Boot:如何告诉客户端帐户密码已过期?

Spring boot Spring Boot:如何告诉客户端帐户密码已过期?

spring-boot jwt

Spring boot Spring Boot:如何告诉客户端帐户密码已过期?,spring-boot,jwt,Spring Boot,Jwt,我在控制器中有一个简单的登录表单和login()方法: @PostMapping("/login") public ResponseEntity<UserVO> login(@RequestBody UserVO userVO) { Authentication authentication = authenticationManager.authenticate( new UsernamePasswordAuthenticationToken(

我在控制器中有一个简单的登录表单和login()方法:

@PostMapping("/login")
public ResponseEntity<UserVO> login(@RequestBody UserVO userVO) {

    Authentication authentication = authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(
                    userVO.getUsername(),
                    userVO.getPassword()
            )
    );

    SecurityContextHolder.getContext().setAuthentication( authentication );

    // ...
    return ResponseEntity.ok( loggedInUser );
}
当我将列password\u expiration的值设置为使用户密码过期时,Spring Boot的authenticationManager.authenticate()方法在下次登录尝试时抛出AccountExpiredException异常:

package org.springframework.security.authentication;

public class AccountExpiredException extends AccountStatusException {
    public AccountExpiredException(String msg) {
        super(msg);
    }

    public AccountExpiredException(String msg, Throwable t) {
        super(msg, t);
    }
}
JSON的响应是:

{
"timestamp":"2018-07-26T22:53:05.392+0000",
"status":401,
"error":"Unauthorized",
"message":"Unauthorized",
"path":"/login"
}
每当密码错误或UserVO的某个方法(它反过来实现UserDetails)返回false时,我都会得到相同的JSON响应(401错误代码):

boolean isAccountNonExpired();

boolean isAccountNonLocked();

boolean isCredentialsNonExpired();

boolean isEnabled();
到目前为止还不错

当用户登录并且密码过期时,我想将UI重定向到强制密码更改页面。但是怎么做呢?我总是得到相同的JSON响应

1) 由于返回的JSON输出总是HTTP 401错误,如何获得更细粒度的响应?(如何告知客户端代码密码已过期?)

2) 通知用户其帐户已锁定/过期/禁用通常被认为是好的做法还是坏的做法?(良好的用户体验与向黑客泄露帐户状态信息相比)

也许不是最好的解决方案,但我通过设置“消息”字段解决了这个问题:

现在我得到的回答是:

{
   "timestamp":"2018-07-27T12:54:53.097+0000",
   "status":401,
   "error":"Unauthorized",
   "message":"credentials_expired",
   "path":"/login"
}

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException) throws IOException {

        String message = "Unauthorized";
        if ( authException instanceof BadCredentialsException )
            message = AUTH_CREDENTIALS_BAD;
        else if ( authException instanceof CredentialsExpiredException )
            message = AUTH_CREDENTIALS_EXPIRED;
        else if ( authException instanceof LockedException )
            message = AUTH_ACCOUNT_LOCKED;
        else if ( authException instanceof DisabledException )
            message = AUTH_ACCOUNT_DISABLED;
        else if ( authException instanceof AccountExpiredException )
            message = AUTH_ACCOUNT_EXPIRED;

        response.sendError( HttpServletResponse.SC_UNAUTHORIZED, message );
    }
}

{
   "timestamp":"2018-07-27T12:54:53.097+0000",
   "status":401,
   "error":"Unauthorized",
   "message":"credentials_expired",
   "path":"/login"
}