I have a Spring Security web application. I am now trying to force users to change expired passwords: a user whose password has expired should be redirected to the change-password page.

My security config:
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;

    CustomAuthenticationHandler customAuthenticationHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/s/**").permitAll()
                .antMatchers("/changePassword").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .failureHandler(customAuthenticationHandler)
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
            .authenticationProvider(authProvider());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/s/**");
    }

    // Beans
    @Bean
    CustomAuthenticationHandler authenticationHandler() {
        return new CustomAuthenticationHandler();
    }

    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder(11);
    }

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }
}
```
My CustomAuthenticationHandler:
```java
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler
        implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // later do some logic here.. to handle CredentialsExpiredException
        // for now all failure login should go to /changePassword
        getRedirectStrategy().sendRedirect(request, response, "/changePassword");
    }
}
```
I expect to go to /changePassword after a failed login, but I still land on the password-error page. Can you suggest an example of this task with Java config, or explain what I am doing wrong? All help is appreciated.
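An added example (not the asker's code) of the two pieces the question is reaching for: a failure handler that sends the browser to /changePassword only when the failure is a `CredentialsExpiredException`, and a config that actually wires that handler in. It assumes the same Spring Security 5.x / `WebSecurityConfigurerAdapter` setup as the posted config, a package name `com.example.security`, a session attribute name `PASSWORD_EXPIRED_USERNAME` and a /changePassword controller (not shown) that reads it; the `UserService`, `UserDetailServiceImpl`, `encoder()` and `authProvider()` beans are the question's own. Note that in the posted config the `customAuthenticationHandler` field carries no `@Autowired`, so `failureHandler(...)` receives `null` and Spring Security falls back to its default failure URL; calling the `@Bean` method directly, as below, avoids that.

```java
// --- ExpiredPasswordFailureHandler.java (added example, not the question's code) ---
package com.example.security;   // assumed package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public class ExpiredPasswordFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Assumed session attribute name read by the /changePassword controller.
    // Trusting it is acceptable only because DaoAuthenticationProvider verifies the
    // password first and throws CredentialsExpiredException in its post-authentication
    // check, i.e. the user has already proven knowledge of the old (expired) password.
    public static final String EXPIRED_USER_ATTR = "PASSWORD_EXPIRED_USERNAME";

    public ExpiredPasswordFailureHandler() {
        super("/login?error"); // every other failure keeps Spring Security's default target
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        if (exception instanceof CredentialsExpiredException) {
            // "username" is UsernamePasswordAuthenticationFilter's default parameter name
            request.getSession(true).setAttribute(EXPIRED_USER_ATTR,
                    request.getParameter("username"));
            getRedirectStrategy().sendRedirect(request, response, "/changePassword");
            return;
        }
        // Wrong password, locked or disabled account: one generic error page, so the
        // response does not reveal which check failed.
        super.onAuthenticationFailure(request, response, exception);
    }
}

// --- SecurityConfig.java: only the parts that differ from the question ---
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;

    @Bean
    public ExpiredPasswordFailureHandler failureHandler() {
        return new ExpiredPasswordFailureHandler();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // "/s/**" is already excluded by web.ignoring(), so it needs no permitAll() here
                .antMatchers("/changePassword").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .failureHandler(failureHandler())   // the @Bean method, so never null
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .permitAll();
    }

    // configure(AuthenticationManagerBuilder), configure(WebSecurity), encoder() and
    // authProvider() stay exactly as in the question.
}
```

Because /changePassword is `permitAll()` and the user is not authenticated when they reach it, the controller behind it must refuse to do anything unless `PASSWORD_EXPIRED_USERNAME` is present in the session, should remove the attribute once the password has been changed, and should clear the user's expired flag so the next login passes the post-authentication check.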
Source: [CRYPTO-GRAM](https://www.schneier.com/crypto-gram/archives/2017/1015.html#2) by Bruce Schneier: NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three **important recommendations** regarding passwords: *Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.* Password expiration ends with users choosing bad passwords; people only have a limited number of good passwords. – zaph

@zaph Yes, but in this task it is not my decision how it should work. – Coder