春季安全定制认证要求

Question

I'm using spring security 3.1.3. On an app I'm building, when a user attempts to login, in addition to checking their username and password, I need to make additional checks to validate their account (specifically, that their account does not have a flag set that indicates they are banned from logging in). I am confused as to the best way to go about this.

Should I be creating an authentication filter bean and including it in the form-login element in my spring xml? Or should I be doing something with an authentication-success filter that runs only when the user succeeds the username/password requirement? Or something else?

Answer 1

Define a custom user details service implementing UserDetailsService . Populate an instance of the class User with the user credentials, you can use the field enabled or accountNonLocked for banned users.

@Service("userDetailsService")
public class MyUserDetailsService implements UserDetailsService {

    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {   

       // load user data from repository
       String password = ...
       boolean enabled = ...
       // ...
       UserDetails user = new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
       return user;     
    }   
}

Then wire your service into the authentication manager in spring-security.xml :

<security:authentication-manager>   
    <security:authentication-provider user-service-ref="userDetailsService">
    ...
<security:authentication-manager>