Please give a hint in Spring Security, how can I check additional parameters during user login.
For example, to check not only "username" and "password", but also
One way to achieve this is to create a custom `AuthenticationProvider` or to extend an existing one. In your case it might be sufficient to extend for instance the `DaoAuthenticationProvider` and put the logic for checking whether the account is confirmed in the `additionalAuthenticationChecks()` method.

Here is an example:
```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;

public class CustomAuthenticationProvider extends DaoAuthenticationProvider {

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        // Perform the checks from the super class (password comparison)
        super.additionalAuthenticationChecks(userDetails, authentication);

        // Cast the UserDetails to the implementation you use
        // (here: your own User class that exposes isAccountConfirmed())
        User user = (User) userDetails;

        // Check the confirmed status
        if (!user.isAccountConfirmed()) {
            throw new AccountNotConfirmedException("Account is not confirmed yet.");
        }
    }

    // Dedicated exception so a failure handler can distinguish this case
    public static class AccountNotConfirmedException extends AuthenticationException {
        public AccountNotConfirmedException(String message) {
            super(message);
        }
    }
}
```
Your implementation of `UserDetails` should contain the information about account confirmation status. You can map this information in your implementation of `UserDetailsService`.
Edit: Now that I look at it, the first solution is a bit overcomplicated. You can easily solve this problem without using a custom `AuthenticationProvider`. Just make sure that `isEnabled()` of your `UserDetails` implementation returns `false` if the account is not confirmed. If the `enabled` property is `false`, authentication will not be allowed (this is automatically taken care of by Spring Security).
The first solution might still be useful if you want to explicitly handle the `AccountNotConfirmedException` in an `AuthenticationFailureHandler`, for instance.
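As an added example (not code from the original answer), here is the `isEnabled()` approach from the edit worked through: a `UserDetails` implementation whose enabled flag is the confirmation state, and a `UserDetailsService` that maps it from a hypothetical `Account` entity and `AccountRepository` (both assumed application types, not Spring classes).

```java
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// UserDetails whose "enabled" flag is the account-confirmation state.
// Spring Security's DefaultPreAuthenticationChecks (used by
// AbstractUserDetailsAuthenticationProvider) throws DisabledException when
// isEnabled() is false, before the password is even compared.
public class ConfirmedUserDetails implements UserDetails {
    private final String username;
    private final String passwordHash;   // already encoded with the configured PasswordEncoder
    private final boolean confirmed;

    public ConfirmedUserDetails(String username, String passwordHash, boolean confirmed) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.confirmed = confirmed;
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        return List.of(new SimpleGrantedAuthority("ROLE_USER"));
    }
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    // The only check that differs from a plain User: unconfirmed accounts are disabled.
    @Override public boolean isEnabled() { return confirmed; }
}

// Maps the persisted account onto ConfirmedUserDetails. Account and AccountRepository
// are hypothetical application types, assumed to expose the methods used below.
class AccountUserDetailsService implements UserDetailsService {
    private final AccountRepository accounts;

    AccountUserDetailsService(AccountRepository accounts) { this.accounts = accounts; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("No account for " + username));
        return new ConfirmedUserDetails(account.getUsername(), account.getPasswordHash(),
                account.isConfirmed());
    }
}
```

With this in place an unconfirmed login fails with a `DisabledException`, which an `AuthenticationFailureHandler` can match on to show a "please confirm your account" message instead of a generic bad-credentials error.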