Spring Security is great when the developer wants to secure his web app.
However, what about creating the account? and "forgot password"? most login pages have these links as well as the username and password fields. Spring's default login-page does not have these links... in the good case, it can support "remember me"...
Does Spring supports these flows, of Create Account, Forgot Password and Change Password? If the answer is yes, can you please point me to some documentations?
I've searched this issue but could not find anything.
Thanks!
You are completely right. AFAIK there is no "generic" package that implements these flows. I've searched a lot for this kind of code a while ago, and found nothing. I think that @luizcarlosfx is right, that each application has its own needs, therefore it is hard to write something generic that fits all needs.
EDIT: I saw comments like "It's not so difficult to implement". True. But you have to make sure you take care of all cases. For example, what happens if a user tries to create account that is already exists? what happens if a user tries to create account that is already exists but inactive? what about the policy of the password? (too long/too short/how many capital etc) what about sending the email with the activation link to the user? how fo you create this link? how do you encrypt it? what about the controller that will receive the click on the link and activate the account? and more and more...
However, I took it a step forward and tried to code something that will answer most flows - registration, forgot-password, change password etc, and something that will be secured enough so applications will be able to use it without the fear that it will be easily hacked.
I have implemented a JAVA project for this use case. It is open source, based on Spring-Security. A release version is on Maven-Central, so you do not need to compile it, but instead you can fetch it as maven-dependency to your project!
<dependency>
<groupId>com.ohadr</groupId>
<artifactId>authentication-flows</artifactId>
<version>1.5.0-RELEASE</version>
</dependency>
I think it answers your question...
There are explanations for everything (and if something is missing - let me know...)
You can find here an example for a client application's code (i.e. the usage).
This is the main page of the project plus a demo, and another demo is here (but this is an app that after upgrading to version 1.6.1 requires login with email with "nice" domain - nice.com. so you cannot really use it for demo; use the first example). This is a client web-app that uses the auth-flows, with the README with all explanations.
Hope that helps!
I think appfuse is a tool for what you want. This lines are from it's documentation:
AppFuse comes out of the box with features that many applications need, including:
- Authentication and authorization
- User management
- Remember Me (which saves your login information so you don't have to log in every time)
- Password reminder
- Signup and registration
- SSL switching
- Extension-less URLs File upload
- Generic CRUD backend
- Full Eclipse, IDEA and NetBeans support
- Fast startup and no deploy with Maven Jetty Plugin
- Testable on multiple appservers and databases with Cargo and profiles
来源:https://stackoverflow.com/questions/23562266/create-account-forgot-password-and-change-password