**Login** in *Spring Security*: when the user is disabled, I can't know whether the password is wrong or not.
Please tell me how.
[AbstractUserDetailsAuthenticationProvider][1]
In Spring Security:

```java
AbstractUserDetailsAuthenticationProvider.authenticate() {
    // (1) check disabled; if disabled, throw exception
    preAuthenticationChecks.check(user);
    // (2) check password
    additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
}
```

(1)

```java
public void check(UserDetails user) {
    if (!user.isAccountNonLocked()) {
        logger.debug("User account is locked");
        throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",
                "User account is locked"), user);
    }
    if (!user.isEnabled()) {
        logger.debug("User account is disabled");
        throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",
                "User is disabled"), user);
    }
    if (!user.isAccountNonExpired()) {
        logger.debug("User account is expired");
        throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",
                "User account has expired"), user);
    }
}
```

(2)

```java
protected void additionalAuthenticationChecks(UserDetails userDetails,
        UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    Object salt = null;
    if (this.saltSource != null) {
        salt = this.saltSource.getSalt(userDetails);
    }
    if (authentication.getCredentials() == null) {
        logger.debug("Authentication failed: no credentials provided");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    }
    String presentedPassword = authentication.getCredentials().toString();
    if (!passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) {
        logger.debug("Authentication failed: password does not match stored value");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"), userDetails);
    }
}
```
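Added example, not part of the original post and not Spring Security's own code: one way to make step (2) run before the disabled and expired checks of step (1) is to swap the provider's pre- and post-authentication checkers, so account status is reported only to a caller who already supplied the correct password. The class name `PasswordFirstChecks` and its `apply` method are hypothetical; the locked check is deliberately kept ahead of the password check on the assumption that locking is used to stop password guessing.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

/** Hypothetical helper (name assumed): reorders the checks on an existing provider. */
public final class PasswordFirstChecks {

    private PasswordFirstChecks() { }

    public static void apply(DaoAuthenticationProvider provider) {
        // Replacement for step (1): before the password is compared, reject only
        // locked accounts, so a lockout still prevents further password guessing.
        provider.setPreAuthenticationChecks(new UserDetailsChecker() {
            @Override
            public void check(UserDetails user) {
                if (!user.isAccountNonLocked()) {
                    throw new LockedException("User account is locked");
                }
            }
        });

        // Runs only after additionalAuthenticationChecks (step 2) has accepted the
        // password: checks locked, disabled, expired and credentials-expired.
        provider.setPostAuthenticationChecks(new AccountStatusUserDetailsChecker());
    }
}
```

With this ordering a wrong password on a disabled account produces `BadCredentialsException`, and `DisabledException` is thrown only when the password was correct.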