Java Spring Security: if the login user is disabled, how to know whether the password is wrong or not
**Login** in *Spring Security*: when the user is disabled, I can't know whether the password is wrong or not. Please tell me how. [AbstractUserDetailsAuthenticationProvider][1]
In Spring Security:

```java
AbstractUserDetailsAuthenticationProvider.authenticate() {
    // (1) check disabled; if disabled, throw exception
    preAuthenticationChecks.check(user);
    // (2) check password
    additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
}
```

(1)

```java
public void check(UserDetails user) {
    if (!user.isAccountNonLocked()) {
        logger.debug("User account locked");
        throw new LockedException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.locked", "User account locked"), user);
    }
    if (!user.isEnabled()) {
        logger.debug("User account disabled");
        throw new DisabledException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.disabled", "User disabled"), user);
    }
    if (!user.isAccountNonExpired()) {
        logger.debug("User account expired");
        throw new AccountExpiredException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.expired", "User account has expired"), user);
    }
}
```

(2)

```java
protected void additionalAuthenticationChecks(UserDetails userDetails,
        UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    Object salt = null;
    if (this.saltSource != null) {
        salt = this.saltSource.getSalt(userDetails);
    }
    if (authentication.getCredentials() == null) {
        logger.debug("Authentication failed: no credentials provided");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    }
    String presentedPassword = authentication.getCredentials().toString();
    if (!passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) {
        logger.debug("Authentication failed: password not match stored value");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    }
}
```
One way to handle it is to add a redirect in the login page:

```java
AuthenticationException ex = (AuthenticationException) request.getSession()
        .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
if (ex instanceof DisabledException) {
    // send redirect
}
```