Spring Security: Custom exception message from UserDetailsService

后端未结

关注

 2  1012

I am able to display the SPRING_SECURITY_LAST_EXCEPTION.message (\"Bad Credentials\") when a user tries to log in with incorrect credentials or user is disabled for some reason.

相关标签:

2条回答

失恋的感觉

2021-02-08 14:14
Create a property file in class path like loginMessage.properties

In that property file, specify

AbstractUserDetailsAuthenticationProvider.badCredentials=Username/Password entered is incorrect.

Add the following bean in your applicationContext.xml,
```
<bean id="messageSource"   
    class="org.springframework.context.support.ResourceBundleMessageSource">  
    <property name="basenames">  
        <list>
            <value>loginMessage</value>
        </list>
    </property>
</bean>
```
In userDao, if result null
```
throw new UsernameNotFoundException("");
```
After that, u'll get message like Username/Password entered is incorrect. instead of Bad Credentials
0 讨论(0)
发布评论:

提交评论
- 加载中...

没有蜡笔的小新

2021-02-08 14:15

You need to set hideUserNotFoundExceptions property of AbstractUserDetailsAuthenticationProvider to false. (This means this solution is dependent on the Spring Security code which might change in the future).

Here are the steps:

(1) Define a DaoAuthenticationProvider bean (if you already have one then set its hideUserNotFoundExceptions property to false). Here is Java config style:

    @Bean
public AuthenticationProvider daoAuthenticationProvider() {
    DaoAuthenticationProvider impl = new DaoAuthenticationProvider();
    impl.setUserDetailsService(yourUserDetailsService());
    impl.setHideUserNotFoundExceptions(false) ;
    return impl ;
}

(2) Configure authentication manager with above provider:

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="daoAuthenticationProvider"/>
<!-- other providers if any -->
</authentication-manager>

(3) Create an exception extending the UsernameNotFoundException:

    public class DisabledException extends UsernameNotFoundException {

    public DisabledException(String msg) {
    super(msg);
    }

    /* other constructors */    
}

(4) In your UserDetailsService, throw the above exception with any message key you like:

    throw new DisabledException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.disabled", "User is disabled"));

Here messages is SpringSecurityMessageSource.getAccessor()

0 讨论(0)