
Ask password for logged in users in spring security

I have to implement a LoginController to log the user in, verify the password and protect some resources or methods.

Scenario 1) Let's say the user is not logged in to the system and tries to access a method. At that point I need to redirect to login.jsp. After the login process I need to redirect to the URL the user originally came from.

Scenario 2) Let's say the user is already logged in and tries to access some protected method. Now I need to redirect to verifyPassword.jsp to verify the password again.

Scenario 1 is working fine for me.

I am using the following in my security.xml:

<!-- Method-level security: only Spring's @Secured annotation is honoured
     (JSR-250 annotations are switched off). Access decisions are delegated
     to the "accessDecisionManager" bean, which is not defined in this excerpt. -->
<security:global-method-security
        secured-annotations="enabled" 
        jsr250-annotations="disabled" 
        access-decision-manager-ref="accessDecisionManager"
    />




<!-- Web filter chain. No intercept-url in this excerpt carries an access rule, so
     protection here comes from @Secured methods rather than from URL patterns.
     Unauthenticated requests are handed to "authEntryPoint"; denied requests are
     sent to /accessdenied.action. -->
<security:http entry-point-ref="authEntryPoint" access-denied-page="/accessdenied.action" access-decision-manager-ref="accessDecisionManager" >
        <!-- filters="none" takes /js/** out of the security filter chain entirely,
             so these requests are neither authenticated nor given a security context. -->
        <security:intercept-url pattern="/js/**" filters="none" />

        <security:anonymous/>

        <!-- NOTE(review): HTTP Basic is enabled next to form login, and nothing in this
             excerpt requires HTTPS (authEntryPoint sets forceHttps to false). Credentials
             sent over plain HTTP are readable in transit; confirm TLS is enforced elsewhere. -->
        <security:http-basic />
        <!-- Pairs HTTP port 8080 with HTTPS port 443 for redirects that switch scheme. -->
        <security:port-mappings >
            <security:port-mapping http="8080" https="443"/>
        </security:port-mappings>
        <!-- Logging out discards the HTTP session. -->
        <security:logout invalidate-session="true" />
        <!-- The hand-configured login filter bean takes the form-login slot in the chain. -->
        <security:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
    </security:http>


<!-- Password encoder: SHA digest with strength 256 (SHA-256).
     NOTE(review): SHA-256 is a fast, general-purpose hash, so leaked password hashes can
     be guessed at high speed. An adaptive password hash (bcrypt, PBKDF2, scrypt) is the
     usual choice for stored passwords; switching encoders means re-hashing the stored
     values, for example at each user's next successful login. -->
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg index="0" value="256" />
    </bean>



<!-- Role hierarchy: ROLE_PORTAL_RESTRICTED_USER is declared above ROLE_USER, so a holder
     of the former is also treated as holding ROLE_USER.
     NOTE(review): a role named "restricted" therefore passes every ROLE_USER check,
     including @Secured("ROLE_USER"); confirm that this direction is intended. -->
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
            <value>
                ROLE_PORTAL_RESTRICTED_USER > ROLE_USER
            </value>
        </property>
    </bean>

<!-- User lookup: wraps the application's own com.java.CustomeUserDetails service and is
     given the role hierarchy, presumably so that the authorities of a loaded user are
     expanded with the roles reachable through it (verify against the wrapper class of
     the Spring Security version in use). -->
<bean id="userDetailsService" class="org.springframework.security.access.hierarchicalroles.UserDetailsServiceWrapper">
        <property name="userDetailsService">
            <bean class="com.java.CustomeUserDetails" />
        </property>
        <property name="roleHierarchy" ref="roleHierarchy" /> 
    </bean>

<!-- Entry point used when an unauthenticated request needs a login: it sends the
     browser to /login.action. -->
<bean id="authEntryPoint" class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
        <!-- NOTE(review): with forceHttps set to false the login page is served on whatever
             scheme the request arrived on, so the password can be submitted over plain HTTP.
             Set it to true (or enforce TLS in front of the application) outside development. -->
        <property name="forceHttps" value="false" />
        <property name="loginFormUrl" value="/login.action" />

        <!-- HTTP 8080 is paired with HTTPS 443; this appears to matter only when a redirect
             to HTTPS is actually performed (confirm against the entry-point class). -->
        <property name="portMapper">
            <bean class="org.springframework.security.web.PortMapperImpl">
                <property name="portMappings">
                    <map>
                        <entry key="8080" value="443"/>
                    </map>
                </property>
            </bean>
        </property>
    </bean>


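<!-- Form-login filter: handles the login POST to /j_spring_security_check, authenticates
     through "authenticationManager" and hands the outcome to "successHandler" or
     "failureHandler". It may create an HTTP session (allowSessionCreation is true). -->
<bean id="customizedFormLoginFilter"
         class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="allowSessionCreation" value="true" />
        <property name="filterProcessesUrl" value="/j_spring_security_check" />
        <property name="authenticationManager" ref="authenticationManager" />
        <!-- Stray non-XML text between the name and ref attributes was removed here;
             with it the document was not well-formed. -->
        <property name="authenticationFailureHandler" ref="failureHandler" />
        <property name="authenticationSuccessHandler" ref="successHandler" />
    </bean>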

    <!-- After a successful login the user is sent back to the request that triggered the
         login (the saved request); /loginsuccess.action is used only when there is none,
         because alwaysUseDefaultTargetUrl is false.
         NOTE(review): depending on the Spring Security version, this handler may also
         honour a redirect target supplied as a request parameter; check the
         targetUrlParameter setting so the redirect after login cannot leave the site. -->
    <bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
            <property name="alwaysUseDefaultTargetUrl" value="false"/>
        <property name="defaultTargetUrl" value="/loginsuccess.action" />
    </bean>

    <!-- A failed login is sent to /loginfailed.action. That page should show one generic
         message for every failure so it does not reveal which usernames exist. -->
    <bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/loginfailed.action" />
    </bean>



    <!-- Authentication manager, exposed under the alias "authenticationManager": a single
         provider that loads users through "userDetailsService" and checks passwords with
         "passwordEncoder". -->
    <security:authentication-manager  alias="authenticationManager">
        <security:authentication-provider user-service-ref="userDetailsService">
          <security:password-encoder ref="passwordEncoder">
                <!-- NOTE(review): the salt is the username, which is known and not random.
                     It still makes equal passwords hash differently per user, but it adds
                     nothing against targeted guessing, and renaming a user invalidates the
                     stored hash. A random per-user salt, as adaptive password hashes
                     generate themselves, is preferable. -->
                <security:salt-source user-property="username" />
            </security:password-encoder>

        </security:authentication-provider>

    </security:authentication-manager>

I used an annotation on the methods to require login.

// Callers need ROLE_USER. With the role hierarchy shown in the XML configuration,
// ROLE_PORTAL_RESTRICTED_USER holders presumably pass this check too (confirm).
@Secured("ROLE_USER")
    public ModelAndView protectedMethod()

I think I have given all the information. How do I redirect logged-in users to verifypin.jsp?

Please give me a suggestion.


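There is no out-of-the-box solution in Spring Security for this scenario, so you have to implement it yourself. One idea for a solution: define a new role "ROLE_VERIFIEDPIN". Add this role to the @Secured annotation of your method. Add a hand-written check (an if statement) for this role to the web controller method that invokes the secured method. If the user has the verified-pin role, invoke the secured method; if not, redirect him to the verification page. If the verification was successful, grant him the role and invoke the "intercepted" controller method. Two things to check when doing this: with the default role voter, listing several roles in @Secured grants access to a user who holds any one of them, so the method should require ROLE_VERIFIEDPIN on its own rather than next to ROLE_USER (verify against your accessDecisionManager). Also, a role granted this way stays with the session until it is removed, so remove it after the call or after a short timeout if the password must be asked for again each time.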
