Spring Security : LockedException is thrown instead of BadCredentialsException, why?
Using Spring Security 4.0.2.RELEASE
For basic user authentication using spring-security framework, I implemented spring-security D
-
You asked:
Spring Security : LockedException is thrown instead of BadCredentialsException, why?
It is because spring security will first check that the account exist and is valid, and after that it checks the password.
More concrete: it is done in
AbstractUserDetailsAuthenticationProvider.authenticate. In an very brief description the method works this way:user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); ... preAuthenticationChecks.check(user); additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication); ... postAuthenticationChecks.check(user);retrieveUser- load the userpreAuthenticationChecks.check(user);-DefaultPreAuthenticationChecks: check for locked...additionalAuthenticationChecks- checks the passwordpostAuthenticationChecks.check(user);-DefaultPostAuthenticationCheckscheck for not expired credentials
The good point is, that
preAuthenticationChecksandpostAuthenticationChecksare references to the InterfaceUserDetailsCheckerso you can change them. Just implement your own twoUserDetailsChecker, the one Null-Implementation for pre, and one for post that checks everything:!user.isAccountNonLocked()!user.isEnabled()!user.isAccountNonExpired()!user.isCredentialsNonExpired()
讨论(0)
加载中...
- 热议问题