Spring Security : LockedException is thrown instead of BadCredentialsException, why?
Question
Using Spring Security 4.0.2.RELEASE

For basic user authentication using the spring-security framework, I implemented spring-security's DaoAuthenticationProvider.

When a user tries to log in with a correct username and an incorrect password, and the user's account is already locked, I expected that the spring-security authentication module would throw BadCredentialsException.
But instead it throws LockedException.
My questions are:
- Why is spring-security processing the user for further authentication while the credentials, specifically the password, are incorrect?
- Is it good practice to show a message in the application that "User is Locked" even if the password for the user is invalid?
- How do I manage to generate/catch BadCredentialsException for an invalid password and a locked user?
Any help would be appreciated. The Authentication Provider implementation code is:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;

// UserDAO and PropertyUtils are the poster's own classes and are not shown on this page.
@Component("authenticationProvider")
public class LoginAuthenticationProvider extends DaoAuthenticationProvider {

    @Autowired
    UserDAO userDAO;

    @Autowired
    @Qualifier("userDetailsService")
    @Override
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Authentication auth = super.authenticate(authentication);
            // if we reach here the login succeeded, otherwise an exception was thrown
            // reset the user's failed-attempt counter
            userDAO.resetPasswordRetryAttempts(authentication.getName());
            return auth;
        } catch (BadCredentialsException ex) {
            // invalid login: update the user's failed-attempt counter
            userDAO.updatePasswordRetryAttempts(authentication.getName(), PropertyUtils.getLoginAttemptsLimit());
            throw ex;
        } catch (LockedException ex) {
            // this user is locked
            throw ex;
        } catch (AccountExpiredException ex) {
            // this user's account has expired
            throw ex;
        } catch (Exception ex) {
            ex.printStackTrace();
            throw ex;
        }
    }
}
```
Answer
You asked:
Spring Security : LockedException is thrown instead of BadCredentialsException, why?
It is because Spring Security first checks that the account exists and is valid, and only after that checks the password.

More concretely: it is done in AbstractUserDetailsAuthenticationProvider.authenticate. In a very brief description, the method works this way:
```java
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
...
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
...
postAuthenticationChecks.check(user);
```
- retrieveUser - loads the user
- preAuthenticationChecks.check(user); - DefaultPreAuthenticationChecks: checks for a locked, disabled or expired account:
  - !user.isAccountNonLocked()
  - !user.isEnabled()
  - !user.isAccountNonExpired()
- additionalAuthenticationChecks - checks the password
- postAuthenticationChecks.check(user); - DefaultPostAuthenticationChecks: checks for non-expired credentials:
  - !user.isCredentialsNonExpired()
The good point is that preAuthenticationChecks and postAuthenticationChecks are references to the interface UserDetailsChecker, so you can change them. Just implement your own two UserDetailsChecker: a null implementation for pre, and one for post that checks everything: