
我有一个使用 Spring Security 的 Web 应用程序。现在我想强制密码已过期的用户修改密码：登录时如果密码已过期，就把该用户重定向到修改密码页面。

我的安全配置

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;
    // NOTE(review): the @Autowired above applies to `service` only. This field is
    // never injected and stays null, so failureHandler(null) below leaves Spring
    // Security on its default "/login?error" failure URL -- which is exactly the
    // behaviour described in the question. It needs its own @Autowired (or
    // configure() should call the authenticationHandler() bean method directly).
    CustomAuthenticationHandler customAuthenticationHandler;

    /**
     * HTTP rules: /s/** and /changePassword are open to everyone, every other
     * request needs an authenticated session; form login lives at /login and
     * hands failures to the custom handler; logout is matched on /logout.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
     http
     .authorizeRequests()
      // Redundant with web.ignoring("/s/**") below: those requests never reach this chain.
      .antMatchers("/s/**").permitAll()
      // Reachable WITHOUT authentication. A user sent here after an expired-password
      // failure is not logged in, so the change-password endpoint must verify
      // identity on its own (e.g. require the current password) before changing anything.
      .antMatchers("/changePassword").permitAll()
      .anyRequest().authenticated()
      .and()
     .formLogin()
      .loginPage("/login")
      .permitAll()
      // Null at runtime in this listing (see field above).
      .failureHandler(customAuthenticationHandler)
      .and()
     .logout()
      // NOTE(review): the single-argument matcher does not restrict the HTTP method,
      // so a plain GET /logout (e.g. an <img src> on a third-party page) ends the
      // session. A POST-only matcher keeps logout behind the CSRF token.
      .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
      .permitAll();
    }

    /** Registers the DAO-backed provider as the only authentication provider. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
      throws Exception {
     auth
     .authenticationProvider(authProvider());
    }

    /**
     * Removes /s/** from the security filter chain entirely: no authentication,
     * but also no CSRF protection and no security headers for those requests.
     * Only static, public content should live there.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
     web.ignoring().antMatchers("/s/**");
    }

    // Beans

    /** Failure handler bean (not the field above -- that one is never wired to this). */
    @Bean
    CustomAuthenticationHandler authenticationHandler() {
     return new CustomAuthenticationHandler();
    }

    /** bcrypt with work factor 11; raise it over time as hardware gets faster. */
    @Bean
    public PasswordEncoder encoder() {
     return new BCryptPasswordEncoder(11);
    }

    /** Provider that loads users through UserDetailServiceImpl and checks bcrypt hashes. */
    @Bean
    public DaoAuthenticationProvider authProvider() {
     DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
     authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
     authProvider.setPasswordEncoder(encoder());
     return authProvider;
    }
}

我的 CustomAuthenticationHandler：

/**
 * Failure handler from the question: every authentication failure is answered
 * with a redirect to /changePassword. Nothing here yet distinguishes an expired
 * password from a plain wrong password, so a mistyped password also lands on
 * the change-password page.
 */
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {

     // later do some logic here.. to handle CredentialsExpiredException
     // for now all failure login should go to /changePassword
     // Client-side redirect; the exception is not saved, so the target page
     // cannot tell why the login failed.
     getRedirectStrategy().sendRedirect(request, response, "/changePassword");

    }
}

我希望登录失败后跳转到 /changePassword，但实际上仍然跳转到 /login?error。能否给出一个用 Java 配置实现这个需求的例子，或者解释一下我哪里做错了？感谢任何帮助。


来源：[CRYPTO-GRAM](https://www.schneier.com/crypto-gram/archives/2017/1015.html#2)，作者 Bruce Schneier：NIST 最近发布了四卷本的 SP 800-63-3《数字身份指南》。其中关于密码提出了三项**重要建议**：*停止使用密码定期过期策略。这是针对我们过去使用计算机方式的老做法；如今，除非有被攻破的迹象，否则不要强制用户更改密码。* 密码过期只会导致用户选择糟糕的密码——一个人能记住的好密码数量是有限的。 – zaph


@zaph 是的，但这个需求不是由我决定的。 – Coder

回答


我不确定这个方案好不好，但它对我有效。

安全配置:

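@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;

    // Must be injected: without @Autowired this field stays null, and
    // formLogin().failureHandler(null) makes Spring Security fall back to its
    // default "/login?error" handler -- the exact symptom in the question.
    // The handler is declared as a @Component, so it is a bean already; the
    // duplicate @Bean definition that used to live here is gone, because two
    // beans of the same type make injection by type ambiguous.
    @Autowired
    CustomAuthenticationHandler customAuthenticationHandler;

    /**
     * HTTP rules: /changePassword is open to everyone, every other request
     * needs an authenticated session; form login at /login hands failures to
     * the custom handler; logout is accepted on POST /logout only.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // /s/** is removed from the filter chain in configure(WebSecurity)
                // below, so a permitAll matcher for it here would be dead code.
                //
                // /changePassword is reachable WITHOUT authentication: a user sent
                // here after an expired-password failure is not logged in. The
                // controller behind it must verify identity itself (e.g. require
                // the current password) before updating anything, or anyone can
                // change anyone's password.
                .antMatchers("/changePassword").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .failureHandler(customAuthenticationHandler)
                .and()
            .logout()
                // Restrict logout to POST. The one-argument matcher accepts any
                // method, so a GET to /logout from a third-party page (an <img
                // src>, a link) would end the session. CSRF protection is on by
                // default in Java config, so a POST needs the token: the logout
                // link must become a small form POST that includes it.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .permitAll();
    }

    /** Registers the DAO-backed provider as the only authentication provider. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
            .authenticationProvider(authProvider());
    }

    /**
     * Removes /s/** from the security filter chain entirely: no authentication,
     * but also no CSRF protection and no security headers for those requests.
     * Only static, public content should live there.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/s/**");
    }

    // Beans

    /** bcrypt with work factor 11; raise it over time as hardware gets faster. */
    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder(11);
    }

    /** Provider that loads users through UserDetailServiceImpl and checks bcrypt hashes. */
    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }
}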

我的 CustomAuthenticationHandler：

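/**
 * Routes authentication failures: an expired password is forwarded to
 * /changePassword, everything else goes to the generic /login?error page.
 *
 * This bean is a singleton shared by all requests. The previous version called
 * setUseForward / setDefaultFailureUrl inside onAuthenticationFailure, i.e.
 * mutated shared state per request; two concurrent logins (one expired, one
 * wrong password) could race and send a user to the other's page. All shared
 * configuration is now done once in the constructor and the per-request
 * decision is kept local.
 */
@Component
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {

    /** Forward target when the password was correct but has expired. */
    private static final String CHANGE_PASSWORD_URL = "/changePassword";

    /** Forward target for every other authentication failure. */
    private static final String LOGIN_ERROR_URL = "/login?error";

    public CustomAuthenticationHandler() {
        // Forward rather than redirect, so saveException() stores the exception
        // as a request attribute that the target view can read.
        setUseForward(true);
        setDefaultFailureUrl(LOGIN_ERROR_URL);
    }

    /**
     * @param request   the failed login request
     * @param response  response to forward through
     * @param exception the failure raised by the AuthenticationManager
     * @throws IOException      from the forward
     * @throws ServletException from the forward
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        // instanceof (rather than getClass().equals) also catches subclasses.
        // NOTE(review): with the default DAO provider, CredentialsExpiredException
        // is raised by the post-authentication check, i.e. only after the password
        // matched -- confirm this holds for the provider in use, otherwise a wrong
        // password could also reach the change-password page.
        if (exception instanceof CredentialsExpiredException) {
            saveException(request, exception);
            // The user is NOT authenticated here and /changePassword is permitAll;
            // that endpoint must still prove identity (e.g. ask for the current
            // password) before it changes anything.
            request.getRequestDispatcher(CHANGE_PASSWORD_URL).forward(request, response);
            return;
        }
        // Generic failure: the parent saves the exception and forwards to LOGIN_ERROR_URL.
        super.onAuthenticationFailure(request, response, exception);
    }
}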