Spring Security中强制用户更改过期密码
我正在构建基于 Spring MVC 和 Spring Security 的 Web 应用程序。
我已经实现了重置密码功能。系统管理员将重置任何用户的密码。随机生成的密码将通过电子邮件发送给用户,并且相同的密码将在数据库中更新。
现在我希望每当用户使用随机生成的密码登录时,我想强制用户更改其密码。
请查看我的用户表。
用户ID bigint(20)
用户名 varchar(20)
密码 varchar(65)
电子邮件 varchar(50)
名字 varchar(20)
姓氏 varchar(20)
组名 varchar(50)
启用tinyint(1)
credentialNonExpired tinyint(1)
我的身份验证提供程序
<!--
Configuring Authentication Provider to make use of spring security
provided Jdbc user management service
-->
<authentication-provider user-service-ref="jdbcUserService">
<!--
Configuring SHA-1 Password Encoding scheme to secure user credential
-->
<password-encoder ref="sha1PasswordEncoder" />
</authentication-provider>
</authentication-manager>
我使用 JDBCUserDetailsService 将 JDBCDaoImpl 扩展为 jdbcUserService。
当我重置密码时,我想将用户表的 credentialNonExpired 设置为 false 列。
我有能力做到这一点。
但是当我登录时,spring security JDBCuserdetailsservice loadUserbyUsername 仅获取用户名、密码、启用的列以及所有字段的其余部分设置为 true。
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
}
});
}
但我想要由重置密码设置的实际 credentialNonExpired 字段,以便 spring security 会抛出 CREDENTIALEXPIREDEXCEPTION 。
我通过加载上述方法来实现这一点,但是当用户使用过期密码登录时,是否有其他方法可以重定向用户以更改密码页面。
请告诉我该怎么做?
I am building spring mvc and spring security based web based application.
I have implemented Reset Password functionality.System Administrator will reset password of any user .Random generated password will be emailed to user and same will be updated in database.
Now I want whenever user login with random generated password, i want to force user to change its password.
Please have a look to my user TABLE.
userid bigint(20)
username varchar(20)
password varchar(65)
email varchar(50)
firstname varchar(20)
lastname varchar(20)
groupname varchar(50)
enabled tinyint(1)
credentialsNonExpired tinyint(1)
MY Authentication Provider
<!--
Configuring Authentication Provider to make use of spring security
provided Jdbc user management service
-->
<authentication-provider user-service-ref="jdbcUserService">
<!--
Configuring SHA-1 Password Encoding scheme to secure user credential
-->
<password-encoder ref="sha1PasswordEncoder" />
</authentication-provider>
</authentication-manager>
I have used JDBCUserDetailsService extending JDBCDaoImpl as jdbcUserService.
I want to set credentialNonExpired to false column of my user table when I am resetting password.
I am able to do that.
But when i login, spring security JDBCuserdetailsservice loadUserbyUsername getting only username,password,enabled columns and rest of all fields set to true.
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
}
});
}
But I want actual credentialNonExpired field which is set by reset password, so that spring security will throw CREDENTIALEXPIREDEXCEPTION.
I am achieving that by loading above method, but is there any other way to redirect user to change password page when they login with expired password.
Please tell me how can i do that ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
回答很晚了,我不知道你使用的是 Spring 2 还是 Spring 3。
但在 Spring 3 中你可以这样做。
在 Spring 安全上下文中包括以下内容:
当然,您可以将其他特定的身份验证异常映射到其他页面。
如果您使用 form-login 元素,则必须指定
authentication-failure-handler-ref属性(并删除authentication-failure-url如果使用)最后一步是创建更改密码页面。
请记住,重定向到更改密码页面时,用户未经过身份验证。
Quite late answer and I don't know if you're using Spring 2 or 3.
But in Spring 3 you can do it this way.
Include the following in your Spring security context:
Of course you can map other specific authentication exceptions to other pages.
If you're using the form-login element, then you have to specify the
authentication-failure-handler-refattribute (and removeauthentication-failure-urlif used)And final step is to create the change password page.
Keep in mind that the user is not authenticated when redirected to the change password page.
您可以尝试子类化
SimpleUrlAuthenticationSuccessHandler并实现用于检查密码过期的自定义逻辑。对此SimpleUrlAuthenticationSuccessHandler的引用可以传递到应用程序上下文中的 form-login 元素。You can try subclassing
SimpleUrlAuthenticationSuccessHandlerand implement custom logic for checking password expiry. The reference to thisSimpleUrlAuthenticationSuccessHandlercould be passed to the form-login element in the application context.