Forcing user to change expired password in spring security

Question

I am building spring mvc and spring security based web based application.

I have implemented Reset Password functionality.System Administrator will reset password of any user .Random generated password will be emailed to user and same will be updated in database.

Now I want whenever user login with random generated password, i want to force user to change its password.

Please have a look to my user TABLE.

userid bigint(20)
username varchar(20)
password varchar(65)
email varchar(50)
firstname varchar(20)
lastname varchar(20)
groupname varchar(50)
enabled tinyint(1)
credentialsNonExpired tinyint(1)

MY Authentication Provider

    <!--
        Configuring Authentication Provider to make use of spring security
        provided Jdbc user management service
    -->
    <authentication-provider user-service-ref="jdbcUserService">
        <!--
            Configuring SHA-1 Password Encoding scheme to secure user credential
        -->
        <password-encoder ref="sha1PasswordEncoder" />
    </authentication-provider>
</authentication-manager>

I have used JDBCUserDetailsService extending JDBCDaoImpl as jdbcUserService.

I want to set credentialNonExpired to false column of my user table when I am resetting password.

I am able to do that.

But when i login, spring security JDBCuserdetailsservice loadUserbyUsername getting only username,password,enabled columns and rest of all fields set to true.

protected List<UserDetails> loadUsersByUsername(String username) {
    return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
        public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
            String username = rs.getString(1);
            String password = rs.getString(2);
            boolean enabled = rs.getBoolean(3);
            return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
        }

    });
}

But I want actual credentialNonExpired field which is set by reset password, so that spring security will throw CREDENTIALEXPIREDEXCEPTION.

I am achieving that by loading above method, but is there any other way to redirect user to change password page when they login with expired password.

Please tell me how can i do that ?

Answer 1

Quite late answer and I don't know if you're using Spring 2 or 3. But in Spring 3 you can do it this way.

Include the following in your Spring security context:

<bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">/change_password_page</prop>
        </props>
    </property>
    <property name="defaultFailureUrl" value="/login_generic_error_page"/>
</bean>

Of course you can map other specific authentication exceptions to other pages.

If you're using the form-login element, then you have to specify the authentication-failure-handler-ref attribute (and remove authentication-failure-url if used)

<security:form-login ... authentication-failure-handler-ref="securityExceptionTranslationHandler">

And final step is to create the change password page.

Keep in mind that the user is not authenticated when redirected to the change password page.

Answer 2

You can try subclassing SimpleUrlAuthenticationSuccessHandler and implement custom logic for checking password expiry. The reference to this SimpleUrlAuthenticationSuccessHandler could be passed to the form-login element in the application context.