Spring Security (Java): if the user logging in is disabled, how can I know whether the password is wrong?
**Login** in *spring security*: when the user is disabled, I can't tell whether the password is wrong or not.
Please tell me how.
[AbstractUserDetailsAuthenticationProvider][1]
(1)

```java
// Default pre-authentication checks in AbstractUserDetailsAuthenticationProvider.
// They run BEFORE the password is compared.
public void check(UserDetails user) {
    if (!user.isAccountNonLocked()) {
        logger.debug("User account is locked");
        throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",
                "User account is locked"), user);
    }
    if (!user.isEnabled()) {
        logger.debug("User account is disabled");
        throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",
                "User is disabled"), user);
    }
    if (!user.isAccountNonExpired()) {
        logger.debug("User account is expired");
        throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",
                "User account has expired"), user);
    }
}
```

(2)

```java
// The password comparison. It is only reached if the checks in (1) passed.
protected void additionalAuthenticationChecks(UserDetails userDetails,
        UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    Object salt = null;
    if (this.saltSource != null) {
        salt = this.saltSource.getSalt(userDetails);
    }
    if (authentication.getCredentials() == null) {
        logger.debug("Authentication failed: no credentials provided");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    }
    String presentedPassword = authentication.getCredentials().toString();
    if (!passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) {
        logger.debug("Authentication failed: password does not match stored value");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    }
}
```

If the user is disabled, why check the password?

@ArunPJohny If the password is wrong, return to the login page; else redirect to the user activation page.

If the password is wrong, the AuthenticationException is also an instance of DisabledException.

No, it is the other way round: DisabledException is a subclass of AuthenticationException, and a wrong password gives another subclass, named BadCredentialsException.

What I mean is: when the user is disabled and enters a wrong password, you only get a DisabledException.

One way to handle this is to add a redirect in the login page:

```java
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes;

// The default failure handler stores the last AuthenticationException in the session
// under WebAttributes.AUTHENTICATION_EXCEPTION; inspect it when rendering the login page.
AuthenticationException ex = (AuthenticationException) request.getSession()
        .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
if (ex instanceof DisabledException) {
    // Send redirect to the activation page
}
```
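The reason only a DisabledException ever shows up is visible in the two snippets in the question: the status checks in (1) run before the password comparison in (2), so for a disabled account the password is never looked at. The added example below (my own code, not from the question or from Spring Security) reverses that order with the `setPreAuthenticationChecks` / `setPostAuthenticationChecks` hooks of `DaoAuthenticationProvider`, and replaces the session-attribute lookup from the answer with a failure handler that receives the exception directly. It assumes Spring Security 5.x/6.x on `jakarta.servlet` (use `javax.servlet` on older versions) and that the application supplies its own `UserDetailsService` and `PasswordEncoder`; the URLs `/login?error` and `/activate` are placeholders.

```java
// Added example, not part of the original question or of Spring Security:
// verify the password first, then apply the account-status checks, so that
//   wrong password              -> BadCredentialsException (for every account)
//   correct password + disabled -> DisabledException
// A DisabledException therefore proves the caller knew the password, which is
// what makes redirecting to an activation page safe against account enumeration.
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public final class DisabledAccountLoginConfig {

    /** Provider whose locked/disabled/expired checks run AFTER the password comparison. */
    public static DaoAuthenticationProvider passwordFirstProvider(UserDetailsService users,
                                                                  PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        // No status checks before the password is verified (replaces the check() in (1)) ...
        provider.setPreAuthenticationChecks(user -> { });
        // ... and the full locked/disabled/expired/credentials-expired set afterwards.
        provider.setPostAuthenticationChecks(new AccountStatusUserDetailsChecker());
        return provider;
    }

    /**
     * Replaces the "read WebAttributes.AUTHENTICATION_EXCEPTION from the session" approach:
     * the handler is given the exception and decides where to send the browser.
     */
    public static final class ActivationAwareFailureHandler extends SimpleUrlAuthenticationFailureHandler {

        private final String activationUrl;

        public ActivationAwareFailureHandler(String loginErrorUrl, String activationUrl) {
            super(loginErrorUrl);
            this.activationUrl = activationUrl;
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                            AuthenticationException exception)
                throws IOException, ServletException {
            if (exception instanceof DisabledException) {
                // Only reachable with a correct password (see passwordFirstProvider), so telling
                // the user the account is disabled does not leak account status to someone
                // who merely guessed a username.
                getRedirectStrategy().sendRedirect(request, response, activationUrl);
                return;
            }
            // BadCredentialsException, LockedException, unknown user, ...: one generic
            // login error, identical for "no such user" and "wrong password".
            super.onAuthenticationFailure(request, response, exception);
        }
    }
}
```

Wire the provider in as an `AuthenticationProvider` bean and the handler through `formLogin(...).failureHandler(new ActivationAwareFailureHandler("/login?error", "/activate"))`. Two caveats: the redirect to `/activate` carries no authentication (the login failed), so the activation page must establish identity on its own, for example with a token sent to the account's registered e-mail; and because the password is now hashed even for disabled accounts, a brute-force attempt against a disabled user costs the same as against a live one, so lockout or rate limiting should not be disabled for those accounts.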