Spring Security : LockedException is thrown instead of BadCredentialsException, why?


Question


Using Spring Security 4.0.2.RELEASE

For basic user authentication using the spring-security framework, I implemented the spring-security DaoAuthenticationProvider.

When a user tries to log in with the correct username and an incorrect password, and the user's account is already locked, I expected that the spring-security authentication module would throw BadCredentialsException, but instead it throws LockedException.

My questions are:


  1. 为什么spring-security正在处理用户进行进一步的身份验证而凭证特殊密码不正确?

  2. 在应用程序中显示用户被锁定的消息即使密码也是一种好习惯对于用户无效?

  3. 如何为无效密码和锁定用户设置生成/捕获 BadCredentialsException

  1. why spring-security is processing the user for further authentication while the credentials specially password is incorrect ?
  2. Is it good practice to show message in application that "User is Locked" even if the password for the user is invalid ?
  3. How do i manage to generate/catch BadCredentialsException for invalid password and locked user ?

Any help would be appreciated. The Authentication Provider implementation code is:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;

// UserDAO and PropertyUtils are the application's own classes (not shown in the question).
@Component("authenticationProvider")
public class LoginAuthenticationProvider extends DaoAuthenticationProvider {

    @Autowired
    UserDAO userDAO;

    @Autowired
    @Qualifier("userDetailsService")
    @Override
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Authentication auth = super.authenticate(authentication);
            // if we reach here, login succeeded; otherwise an exception was thrown

            // reset the user's failed-attempt counter
            userDAO.resetPasswordRetryAttempts(authentication.getName());

            return auth;
        } catch (BadCredentialsException ex) {
            // invalid login: increment the failed-attempt counter (locks the user at the limit)
            userDAO.updatePasswordRetryAttempts(authentication.getName(), PropertyUtils.getLoginAttemptsLimit());
            throw ex;
        } catch (LockedException ex) {
            // this user is locked
            throw ex;
        } catch (AccountExpiredException ex) {
            // this user's account has expired
            throw ex;
        } catch (Exception ex) {
            // precise rethrow: the try block only throws unchecked AuthenticationException
            // subtypes, so rethrowing ex compiles against the declared throws clause
            ex.printStackTrace();
            throw ex;
        }
    }

}


Answer

You asked:


Spring Security : LockedException is thrown instead of BadCredentialsException, why?

It is because Spring Security will first check that the account exists and is valid, and after that it checks the password.

More concretely: it is done in AbstractUserDetailsAuthenticationProvider.authenticate. In a very brief description, the method works this way:

user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
...
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
...
postAuthenticationChecks.check(user);


  • retrieveUser - loads the user
  • preAuthenticationChecks.check(user); - DefaultPreAuthenticationChecks: checks for locked...
  • additionalAuthenticationChecks - checks the password
  • postAuthenticationChecks.check(user); - DefaultPostAuthenticationChecks: checks for not-expired credentials

The good point is that preAuthenticationChecks and postAuthenticationChecks are references to the interface UserDetailsChecker, so you can change them. Just implement your own two UserDetailsChecker: one null implementation for pre, and one for post that checks everything:

  • !user.isAccountNonLocked()
  • !user.isEnabled()
  • !user.isAccountNonExpired()
  • !user.isCredentialsNonExpired()

