I'm using Spring Security for securing HTTP requests to a website. The primary usage is for securing pages such that the user is redirected to the login page when trying to access those pages.
However, I have a further requirement. In my model, I can flag a user's password as being temporary such that, when they successfully log in, they should be automatically forced to change their password. Once the password is changed, they should then be forwarded on to the page they were originally trying to access.
Has anyone used Spring Security for this purpose? Do I need to create my own custom filter?
Thanks,
Andrew
In Spring Security 3.0 you can implement a custom AuthenticationSuccessHandler. In this handler you can redirect a user with a temporary password to the password change page instead of the originally requested page. After the password is changed, you may redirect the user to the originally requested page using SavedRequestAwareAuthenticationSuccessHandler, which is the default handler implementation.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Abstract because hasTemporaryPassword() is application-specific; register a concrete subclass as a bean.
public abstract class MyHandler implements AuthenticationSuccessHandler {
    // Default handler: replays the request that was saved before the redirect to the login page
    private final AuthenticationSuccessHandler target = new SavedRequestAwareAuthenticationSuccessHandler();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        if (hasTemporaryPassword(auth)) {
            // Leave the saved request untouched so it can still be replayed after the change
            response.sendRedirect(request.getContextPath() + "/changePassword");
        } else {
            target.onAuthenticationSuccess(request, response, auth);
        }
    }

    // Called by the change-password controller once the new password has been stored
    public void proceed(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        target.onAuthenticationSuccess(request, response, auth);
    }

    // True when the authenticated user's current password is flagged as temporary
    protected abstract boolean hasTemporaryPassword(Authentication auth);
}

// --- ChangePasswordController.java ---
@Controller
@RequestMapping("/changePassword")
public class ChangePasswordController {
    @Autowired
    private MyHandler handler;

    @RequestMapping(method = RequestMethod.POST)
    public void changePassword(HttpServletRequest request,
            HttpServletResponse response,
            @RequestParam("newPassword") String newPassword)
            throws IOException, ServletException {
        // handle password change
        // ... (the password-update logic is elided in the original answer)
        // proceed to the secured page
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        handler.proceed(request, response, auth);
    }
    // form display method, etc
    // ...
}
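The success handler above only issues a redirect at the moment of login; nothing in it stops an authenticated session from ignoring that redirect and requesting other pages while the password is still flagged as temporary. The following filter is an added example, not part of the original answer, showing how to enforce the forced change on every request. It assumes the application supplies the "is this password temporary?" check as a Predicate over the current Authentication (hypothetical wiring), and the set of paths that stay reachable during the forced change is assumed for this example.

```java
import java.io.IOException;
import java.util.Set;
import java.util.function.Predicate;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: enforces the forced password change on every request, not only at login.
public class TemporaryPasswordEnforcementFilter extends OncePerRequestFilter {

    private static final String CHANGE_PASSWORD_PATH = "/changePassword";

    // Assumed for this example: the only paths a user with a temporary password may still reach
    private static final Set<String> ALLOWED_PATHS = Set.of(CHANGE_PASSWORD_PATH, "/logout");

    // Hypothetical: the application supplies the temporary-password check (e.g. from its user store)
    private final Predicate<Authentication> hasTemporaryPassword;

    public TemporaryPasswordEnforcementFilter(Predicate<Authentication> hasTemporaryPassword) {
        this.hasTemporaryPassword = hasTemporaryPassword;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (isRealUser(auth) && hasTemporaryPassword.test(auth)
                && !ALLOWED_PATHS.contains(request.getServletPath())) {
            // A temporary credential may be used for nothing except replacing itself
            response.sendRedirect(request.getContextPath() + CHANGE_PASSWORD_PATH);
            return;
        }
        chain.doFilter(request, response);
    }

    // Anonymous or unauthenticated requests are left to the normal access rules
    private static boolean isRealUser(Authentication auth) {
        return auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```

With Spring Security's Java configuration the filter is registered after the form-login filter, for example `http.addFilterAfter(new TemporaryPasswordEnforcementFilter(myCheck), UsernamePasswordAuthenticationFilter.class)`, so the security context is already populated when it runs. Two points matter for correctness: the predicate must reflect the stored state rather than a flag cached in the principal at login time (otherwise the user stays locked on the change page after a successful change unless the Authentication is refreshed), and the allowed-path set must stay minimal, since every path in it is reachable with the temporary credential.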