春季安全。 为用户登录添加限制

Question

I have following spring security config:

<http auto-config="true" authentication-manager-ref="userAuthenticationManager">
        <form-login login-page="/" 
            default-target-url="/member/personalAccount"
            authentication-failure-url="/loginfailed" authentication-success-handler-ref="authSuccessHandler" />

        <!-- <intercept-url pattern="/common/*" filters="none" /> -->
        <intercept-url ..../>
        <logout logout-url="/logout" logout-success-url="/" />
        <port-mappings>
         <port-mapping http="${http.port}" https="${https.port}"/>
        </port-mappings>
    </http>

    ....


    <authentication-manager alias="userAuthenticationManager">
        <!-- <authentication-provider user-service-ref="userSecurityService"> -->
        <authentication-provider>
            <password-encoder ref="encoder" />
            <jdbc-user-service data-source-ref="dataSource" 
                users-by-username-query="select email,password,prop_was_moderated from terminal_user where email = ?"  
                authorities-by-username-query="select email,user_role from terminal_user where email = ?" />
        </authentication-provider>
    </authentication-manager>

Now I want to add new column to terminal_user table. This column called prop_confirmed

I want to achieve that only user who has prop_confirmed as true can be log in.

Can you help me to achieve it?

Answer 1

One way you could do it is to hardcode the prop_confirmed condition in users-by-username-query . That way if user is not confirmed, it will be as if they don't exist and the authentication will fail:

select email,password,prop_was_moderated from terminal_user
    where email = ? AND prop_confirmed = TRUE

There are other (and possibly cleaner) solutions, such as customizing AuthenticationManager . Take a look at my SO answer regarding similar question for more detailed description of these options.