Spring Security Pre Authentication Account Lock Check

Submitted by 两盒软妹~` on 2019-12-08 11:21:22

Question


Newbie question... I've successfully implemented custom handlers and service (Custom User Details Service, Authentication Success, Authentication Failure) and everything is working fine. I've now also implemented functionality that will lock an account (for a certain amount of time) if they fail authentication 3 concurrent times.

I'm now moving on to handle the scenario when a user attempts to authenticate when they have an account lock. If the lock is active > authentication should not be attempted and the user redirected to a locked account page/error. If the lock has expired > the lock should be removed and authentication proceeds as normal.

In the case where the account lock is active - I’ve tried implementing this in my Custom Authentication Success Handler but despite successfully forwarding the user to an account lock error page – it’s too late as the application has already authenticated the user and the user is successfully able to access secure pages directly (which is obviously wrong as their account should be locked).

I started playing around but I thought I'd check on here first for a more standard/elegant solution/approach. Should I be performing this check and actions in the Custom User Details Service or is there a pre-Authentication handler that I could implement before the user even hits Custom User Details Service? Any help or advice on where/how I could handle this will be much appreciated.


Answer 1:


In your UserDetails implementations, pass true to the following values:

  1. isAccountNonExpired()
  2. isAccountNonLocked()
  3. isCredentialsNonExpired()

For more details you can check the public void check(UserDetails user) method in the AbstractUserDetailsAuthenticationProvider class. Hope this helps somebody.




Answer 2:


There is a built-in LockedException. It will be thrown by AuthenticationManager if UserDetails.isAccountNonLocked() == false. So you can perform your check in the UserDetailsService.loadUserByUsername(...) method. Just pass a false value for the accountNonExpired parameter when you create a new User object.



Source: https://stackoverflow.com/questions/17377636/spring-security-pre-authentication-account-lock-check
