Using Spring Security 4.0.2.RELEASE
For basic user authentication with the spring-security framework, I implemented spring-security's DaoAuthenticationProvider.
When a user tries to log in with a correct username, a wrong password, and an account that is already locked, I expected the spring-security authentication module to throw BadCredentialsException, but it throws LockedException.
My questions are:
1. Why does spring-security proceed with further authentication of the user when the credentials, specifically the password, are incorrect?
2. Is it good practice to show a "user is locked" message in the application even when the user's password is invalid?
3. How can I generate/catch BadCredentialsException for the combination of an invalid password and a locked user?
Any help would be appreciated. The authentication provider implementation code:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;

@Component("authenticationProvider")
public class LoginAuthenticationProvider extends DaoAuthenticationProvider {

    @Autowired
    UserDAO userDAO; // the application's own DAO for the failed-attempt counter

    @Autowired
    @Qualifier("userDetailsService")
    @Override
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            Authentication auth = super.authenticate(authentication);
            // If we reach here the login succeeded; otherwise an exception was thrown.
            // Reset the user's failed-attempt counter.
            userDAO.resetPasswordRetryAttempts(authentication.getName());
            return auth;
        } catch (BadCredentialsException ex) {
            // Invalid login: update the user's failed-attempt counter
            // (PropertyUtils is the application's own configuration helper).
            userDAO.updatePasswordRetryAttempts(authentication.getName(), PropertyUtils.getLoginAttemptsLimit());
            throw ex;
        } catch (LockedException ex) {
            // This user is locked.
            throw ex;
        } catch (AccountExpiredException ex) {
            // This user's account has expired.
            throw ex;
        } catch (Exception ex) {
            ex.printStackTrace();
            throw ex;
        }
    }
}
```
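The behaviour in questions 1 and 3 comes from AbstractUserDetailsAuthenticationProvider, which runs its pre-authentication checks (locked, disabled, expired) before it compares the password, so a locked account fails before the password is ever examined. The class below is an added example, not the poster's code; it assumes Java 8 and Spring Security 4.0.x and moves the account-state checks to the post-authentication phase, so a wrong password always yields BadCredentialsException and the locked state is only reported to a caller who has proven they hold the password.

```java
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Example provider (name is hypothetical) that compares the password before
 * it reports any account state. By default DaoAuthenticationProvider runs its
 * pre-authentication checks first, which is why a locked account with a wrong
 * password produces LockedException instead of BadCredentialsException.
 */
public class PasswordFirstAuthenticationProvider extends DaoAuthenticationProvider {

    public PasswordFirstAuthenticationProvider() {
        // Phase 1 (before the password is compared): check nothing, so the only
        // failure visible to a caller with a wrong password is
        // BadCredentialsException. hideUserNotFoundExceptions (true by default)
        // folds unknown usernames into the same exception, so the response
        // reveals neither account existence nor account state.
        setPreAuthenticationChecks(user -> { /* intentionally empty */ });

        // Phase 2 (only after the password matched): the caller has proven they
        // hold the password, so reporting the account state is acceptable now.
        setPostAuthenticationChecks(this::checkAccountState);
    }

    private void checkAccountState(UserDetails user) {
        if (!user.isAccountNonLocked()) {
            throw new LockedException("User account is locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("User is disabled");
        }
        if (!user.isAccountNonExpired()) {
            throw new AccountExpiredException("User account has expired");
        }
        if (!user.isCredentialsNonExpired()) {
            throw new CredentialsExpiredException("User credentials have expired");
        }
    }
}
```

The poster's `authenticate` override with its attempt counting can sit on top of this class unchanged, since only the ordering of the checks differs; a locked account with a wrong password now lands in the BadCredentialsException branch.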