开发者

Spring security - Spring doesn't check on isAccountNonLocked for UserDetails on correct login

问答 作者:

I'm using Spring 2.5.6 and Spring security 2.0.

For login attempts I implements the UserDetails class on my User class. So the User class implements isAccountNonLocked() after a wrong login (dispatch the AuthenticationFailureBadCredentialsEvent, I handle this with a Eventlistener) Spring called this function from my User class to check if account is locked. I implements this as follow:

public boolean isAccountNonLocked() {
    if (this.getFailedLoginAttempts() >= MAX_FAILED_LOGIN_ATTEMPTS) {  
        return false;  
    }
    return this.accountNonLocked;  
}

This work great with bad credentials, but when I filled in the correct credentials he never call this function. So if you fill in the correct credentials he doesn't check if the User is locked , so he always logged in even if failedLoginAttempts is higher than MAX_FAILED_LOGIN_ATTEMPTS or if the account is locked.

I even implements the AuthenticationSuccessEvent and if you fill in correct credentials he is handle this registerd eventlistener( doing some stuff to set failedLoginAttempts ba开发者_如何学编程ck to 0 after a good login )

Is this a bug in Spring 2.5.6? or is it something I forgot...

Solved the problem.

I implemented the function isAccountNonLocked in a Hibernate entity but my authenticationDao was a JBDC implementation instead of a HibernateDaoImpl. So after a custom implementation of UserDetails as HibernateDaoImpl the initial problem was solved.

public class HibernateDaoImpl extends HibernateDaoSupport implements UserDetailsService {
    private         LoginDao        loginDao;
    private         UserroleDao     userroleDao;


    /* (non-Javadoc)
     * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
     */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        UserDetails login = loginDao.getLogin(username);

        return login;
    }

    /**
     * Loads authorities by executing the authoritiesByUsernameQuery.
     *  
     * @return a list of GrantedAuthority objects for the user
     */
    protected List loadUserAuthorities(String username) {
        return userroleDao.list(username);
    }

    public void setLoginDao(LoginDao loginDao) {
        this.loginDao = loginDao;
    }

    public void setUserroleDao(UserroleDao userroleDao) {
        this.userroleDao = userroleDao;
    }
}

And in the XML:

<b:bean id="authenticationDao1" class="com.foo.support.HibernateDaoImpl" >
<b:property name="sessionFactory"><b:ref bean="sessionFactory"/></b:property>
<b:property name="loginDao"><b:ref bean="loginDao"/></b:property>
<b:property name="userroleDao"><b:ref bean="userroleDao"/></b:property>

继续阅读:authenticationspringspring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9