fresh_dev

Reputation: 6774

How to check that BadCredentialsException is not thrown in loadUserByUsername

I am authenticating my users with UserDetailsService:

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="sha"/>
        </authentication-provider>
    </authentication-manager>

userDetailsService class:

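    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.dao.DataAccessException;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    @Service("userDetailsService")
    public class UserDetailsServiceImpl implements UserDetailsService {

        @Autowired
        private UserService userService;

        @Override
        public UserDetails loadUserByUsername(String username)
                throws UsernameNotFoundException, DataAccessException {

            User user = null;
            try {
                user = userService.getUserByUsername(username);
            } catch (Exception e) {
                e.printStackTrace();
            }

            // No user loaded: signal it the way the UserDetailsService contract expects
            if (user == null) {
                throw new UsernameNotFoundException("User not found");
            }

            // Thrown before the provider compares passwords, so it reaches the
            // failure handler whether or not the submitted password is correct
            if (user.isForceChangePass()) {
                MyForcePasswordChangeException bad = new MyForcePasswordChangeException(
                        "Password is not valid, and it must be changed!");
                throw bad;
            }

            // Assumes the application's User class implements UserDetails
            return user;
        }
    }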

EDIT:

After getting the username I check the ForceChangePass indicator, and if it's true I throw my own exception, which in turn lands the user in loginFailureHandler (whether the password is correct or not). In the loginFailureHandler I want to check whether my exception is thrown in the case of login success only.

Upvotes: 1

Views: 2834

Answers (1)

Tomasz Nurkiewicz

Reputation: 340813

loadUserByUsername() is not supposed to check credentials; it should only load the UserDetails object (having a getPassword() method) or throw UsernameNotFoundException.

If you want to check whether the user successfully authenticated or not, have a look at Listening to successful login with Spring Security:

    <form-login
        authentication-success-handler-ref="authenticationSuccessHandler"
        authentication-failure-handler-ref="authenticationFailureHandler"/>

You must implement AuthenticationSuccessHandler and AuthenticationFailureHandler.

Alternatively, consider subclassing BasicAuthenticationFilter and overriding onSuccessfulAuthentication() and onUnsuccessfulAuthentication().

Upvotes: 2
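The success-handler approach from the answer, applied to the question's force-change flag, as an added example that is not part of the original posts: because the handler runs only after the provider has verified the password, the flag is not disclosed to someone who merely supplies a valid username. It assumes the application's `User` implements `UserDetails` and is returned by `loadUserByUsername()`; the class name and the `/changePassword` URL are hypothetical.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// Added example (not the original poster's code). Register it as the
// "authenticationSuccessHandler" bean referenced by <form-login>.
// Newer Spring Security versions use jakarta.servlet instead of javax.servlet.
public class ForceChangeAwareSuccessHandler
        extends SavedRequestAwareAuthenticationSuccessHandler {

    // Hypothetical URL of the change-password page.
    private static final String CHANGE_PASSWORD_URL = "/changePassword";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // The principal is whatever loadUserByUsername() returned; assumed here
        // to be the application's User class from the question.
        Object principal = authentication.getPrincipal();

        if (principal instanceof User && ((User) principal).isForceChangePass()) {
            // Password was correct but must be replaced: go to the change page
            // instead of the originally requested URL.
            getRedirectStrategy().sendRedirect(request, response, CHANGE_PASSWORD_URL);
            return;
        }

        // Normal case: default behaviour (saved request or default target URL).
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

The session is fully authenticated at the point of the redirect, so the application still has to block other pages until the password has been changed, for example with a filter that checks the same flag.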
