Spring Security Custom Filter (Change Password)

孤城傲影 2020-12-02 14:51

I'm using Spring Security for securing HTTP requests to a website. The primary usage is for securing pages such that the user is redirected to the login page when trying to

4 answers
  •  予麋鹿 (original poster)
    2020-12-02 15:49

    A little late on this, but hopefully this can help others finding this link. If you use a custom UserDetailsService, you can set the User object's credentialsNonExpired to false, for example, to not allow access to any secure content until that field is set back to true.

    Basically, when you have password expiration, you will set a field in your User model (passwordExpired maybe), and when your UserDetailsService pulls the user, your UserDetailsService will use that value to set credentialsNonExpired.

    Then, all you need to do is add some config to your applicationContext-security.xml to set up authentication exception mappings. This will allow you to catch the exception thrown with expired credentials and force the user to a reset password page. You can additionally catch locked and disabled accounts using a similar method. The config example is shown below:

    applicationContext-security.xml

        /login_error
        /password_expired
        /locked
        /disabled

    Then just make sure you have your controllers set up to serve those links with the appropriate content.
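The mapping described in this answer, as an added example that is not part of the original post: a fragment of `applicationContext-security.xml` using Spring Security's `ExceptionMappingAuthenticationFailureHandler`. The bean id, the `/login` page and the `intercept-url` rules are assumptions; the four failure URLs are the ones listed above.

```xml
<!-- Added example: fragment of applicationContext-security.xml. Assumes the
     security namespace is the default and Spring beans use the beans: prefix.
     The bean id and the /login page are illustrative names. -->
<beans:bean id="authenticationFailureHandler"
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <!-- Fallback for any AuthenticationException not listed below -->
  <beans:property name="defaultFailureUrl" value="/login_error"/>
  <!-- Keys are matched against the exact class name of the thrown exception -->
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/login_error</beans:prop>
      <!-- Thrown when UserDetails.isCredentialsNonExpired() returns false -->
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/password_expired</beans:prop>
      <!-- Thrown when UserDetails.isAccountNonLocked() returns false -->
      <beans:prop key="org.springframework.security.authentication.LockedException">/locked</beans:prop>
      <!-- Thrown when UserDetails.isEnabled() returns false -->
      <beans:prop key="org.springframework.security.authentication.DisabledException">/disabled</beans:prop>
    </beans:props>
  </beans:property>
</beans:bean>

<http use-expressions="true">
  <!-- The failure targets are served to users who are not logged in,
       so they must be reachable without authentication -->
  <intercept-url pattern="/login" access="permitAll"/>
  <intercept-url pattern="/login_error" access="permitAll"/>
  <intercept-url pattern="/password_expired" access="permitAll"/>
  <intercept-url pattern="/locked" access="permitAll"/>
  <intercept-url pattern="/disabled" access="permitAll"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>
  <form-login login-page="/login"
      authentication-failure-handler-ref="authenticationFailureHandler"/>
</http>
```

With the default `DaoAuthenticationProvider` checks, locked and disabled status is evaluated before the password and expired credentials only after the password has matched, so `/locked` and `/disabled` disclose account state to anyone who submits the username. The controller behind `/password_expired` runs for an unauthenticated user and should require the current password again before accepting a new one.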
