I am building spring mvc and spring security based web based application.
I have implemented Reset Password functionality.System Administrator will reset password of any user .Random generated password will be emailed to user and same will be updated in database.
Now I want whenever user login with random generated password, i want to force user to change its password.
Please have a look to my user TABLE.
userid bigint(20)
username varchar(20)
password varchar(65)
email varchar(50)
firstname varchar(20)
lastname varchar(20)
groupname varchar(50)
enabled tinyint(1)
credentialsNonExpired tinyint(1)
MY Authentication Provider
<!--
Configuring Authentication Provider to make use of spring security
provided Jdbc user management service
-->
<authentication-provider user-service-ref="jdbcUserService">
<!--
Configuring SHA-1 Password Encoding scheme to secure user credential
-->
<password-encoder ref="sha1PasswordEncoder" />
</authentication-provider>
</authentication-manager>
I have used JDBCUserDetailsService extending JDBCDaoImpl as jdbcUserService.
I want to set credentialNonExpired to false column of my user table when I am resetting password.
I am able to do that.
But when i login, spring security JDBCuserdetailsservice loadUserbyUsername getting only username,password,enabled columns and rest of all fields set to true.
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
}
});
}
But I want actual credentialNonExpired field which is set by reset password, so that spring security will throw CREDENTIALEXPIREDEXCEPTION.
I am achieving that by loading above method, but is there any other way to redirect user to change password page when they login with expired password.
Please tell me how can i do that ?
Quite late answer and I don't know if you're using Spring 2 or 3. But in Spring 3 you can do it this way.
Include the following in your Spring security context:
<bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<property name="exceptionMappings">
<props>
<prop key="org.springframework.security.authentication.CredentialsExpiredException">/change_password_page</prop>
</props>
</property>
<property name="defaultFailureUrl" value="/login_generic_error_page"/>
</bean>
Of course you can map other specific authentication exceptions to other pages.
If you're using the form-login element, then you have to specify the authentication-failure-handler-ref attribute (and remove authentication-failure-url if used)
<security:form-login ... authentication-failure-handler-ref="securityExceptionTranslationHandler">
And final step is to create the change password page.
Keep in mind that the user is not authenticated when redirected to the change password page.
You can try subclassing SimpleUrlAuthenticationSuccessHandler and implement custom logic for checking password expiry. The reference to this SimpleUrlAuthenticationSuccessHandler could be passed to the form-login element in the application context.
来源:https://stackoverflow.com/questions/8470173/forcing-user-to-change-expired-password-in-spring-security