Spring Security: how to know whether the password is wrong when the logging-in user is disabled


Spring Security:

**Login** in *Spring Security*: when the user is disabled, I can't know whether the password is wrong or not.
Please tell me how.
[AbstractUserDetailsAuthenticationProvider][1]
(1)

    public void check(UserDetails user) {
        if (!user.isAccountNonLocked()) {
            logger.debug("User account is locked");

            throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",
                    "User account is locked"), user);
        }

        if (!user.isEnabled()) {
            logger.debug("User account is disabled");

            throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",
                    "User is disabled"), user);
        }

        if (!user.isAccountNonExpired()) {
            logger.debug("User account is expired");

            throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",
                    "User account has expired"), user);
        }
    }

(2)

    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        Object salt = null;

        if (this.saltSource != null) {
            salt = this.saltSource.getSalt(userDetails);
        }

        if (authentication.getCredentials() == null) {
            logger.debug("Authentication failed: no credentials provided");

            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
        }

        String presentedPassword = authentication.getCredentials().toString();

        if (!passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) {
            logger.debug("Authentication failed: password does not match stored value");

            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
        }
    }

If the user is disabled, why do you need to check the password?

@ArunPJohny If the password is wrong, return to the login page; else redirect to the user activation page.

If the password is wrong, the AuthenticationException is also an instance of DisabledException.

No, it is the other way around: `DisabledException` is a subclass of `AuthenticationException`, and a wrong password will give another subclass called `BadCredentialException`.

I mean, when the user is disabled and enters a wrong password, you only get DisabledException.

One way to handle this is to add a redirect in the login page:

    AuthenticationException ex = (AuthenticationException) request.getSession()
            .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
    if (ex instanceof DisabledException) {
        // Send redirect
    }
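
The account-status checks in (1) run before the password check in (2), which is why a disabled user always gets `DisabledException`. The following added example (not code from the original question or answer) reverses that order so the password is verified first. It assumes Spring Security 5.x or 6.x with Java configuration; the class name, bean names and the URLs `/login?error` and `/activate` are hypothetical.

```java
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;

@Configuration
public class PasswordFirstLoginConfig { // hypothetical class name

    @Bean
    public DaoAuthenticationProvider passwordFirstProvider(UserDetailsService users,
                                                           PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        // Default order: pre-checks (locked, disabled, expired) -> password -> post-checks.
        // A no-op pre-check lets the password comparison run first, so a wrong
        // password always ends in BadCredentialsException.
        provider.setPreAuthenticationChecks(user -> { });
        // The status checks now run only after the password matched, so
        // DisabledException implies that the presented password was correct.
        provider.setPostAuthenticationChecks(new AccountStatusUserDetailsChecker());
        return provider;
    }

    @Bean
    public AuthenticationFailureHandler loginFailureHandler() {
        ExceptionMappingAuthenticationFailureHandler handler =
                new ExceptionMappingAuthenticationFailureHandler();
        // Wrong password (or unknown user): back to the login page. URL is assumed.
        handler.setDefaultFailureUrl("/login?error");
        // Correct password but disabled account: activation page. URL is assumed.
        handler.setExceptionMappings(
                Collections.singletonMap(DisabledException.class.getName(), "/activate"));
        return handler;
    }
}
```

The handler takes effect once it is registered on the form login configuration (`formLogin().failureHandler(...)`). With this ordering, the disabled state is disclosed only to a caller who presented the correct password, so failed guesses cannot be used to tell disabled accounts from active ones.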