Spring Security: AuthenticationFailureCredentialsExpiredEvent not fired
I am using spring.security.version = 3.1.0.RELEASE. The problem I am having is that, for some reason, AuthenticationFailureCredentialsExpiredEvent is not fired.
While debugging the code I found that AbstractUserDetailsAuthenticationProvider displays "User account credentials have expired" in the console. It is still baffling why the event in question is not triggered.
Here is the code:

    class JpaUserDetails implements UserDetails {
        ...
        ...
        @Override
        public boolean isCredentialsNonExpired() {
            if (some logic) {
                return true;
            } else {
                return false;
            }
        }
    }

I see AbstractUserDetailsAuthenticationProvider displaying "User account credentials have expired" in the console from the following lines of Spring code:

    public abstract class AbstractUserDetailsAuthenticationProvider
            implements AuthenticationProvider, InitializingBean, MessageSourceAware {
        ...
        ...
        private class DefaultPostAuthenticationChecks implements UserDetailsChecker {
            public void check(UserDetails user) {
                if (!user.isCredentialsNonExpired()) {
                    logger.debug("User account credentials have expired");
                    throw new CredentialsExpiredException(messages.getMessage(
                            "AbstractUserDetailsAuthenticationProvider.credentialsExpired",
                            "User credentials have expired"), user);
                }
            }
        }
    }

The issue is that when the user credentials have expired, I am expecting Spring to generate the event AuthenticationFailureCredentialsExpiredEvent, which I am handling in the following way:

    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.context.ApplicationEvent;
    import org.springframework.context.ApplicationListener;

    class SecurityEventDispatcher implements ApplicationListener<ApplicationEvent> {
        final List<SecurityEventListener> listeners = new ArrayList<SecurityEventListener>();

        public void registerListener(SecurityEventListener listener) {
            this.listeners.add(listener);
        }

        // Forward every application event to each listener that accepts it.
        public void onApplicationEvent(ApplicationEvent event) {
            for (SecurityEventListener listener : this.listeners) {
                if (listener.canHandle(event)) {
                    listener.handle(event);
                }
            }
        }
    }

This is how I am handling the login failure event:

    public class LoginFailedEvent extends SecurityEventListener {
        @Override
        public boolean canHandle(Object event) {
            if (event instanceof AbstractAuthenticationFailureEvent) {
                return true;
            } else {
                return false;
            }
        }

        @Override
        public void handle(Object event) {
            if (event instanceof AuthenticationFailureBadCredentialsEvent) {
                //
            }
            if (event instanceof AuthenticationFailureCredentialsExpiredEvent) {
                //
            }
        }
    }

The issue, as mentioned before, is that AuthenticationFailureCredentialsExpiredEvent is never fired. I have tested AuthenticationFailureBadCredentialsEvent and it works fine.
This is what I get in the event of bad credentials (which is working fine):

    org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent

This is what I get in the event of an expired password:

    ServletRequestHandledEvent: url=[/app/loginfailure] failurecause = null

Does anyone have an idea what is wrong? Help is highly appreciated.
Here is the reply to my question, since there isn't much literature out there regarding this issue.

You need to set the ProviderManager's (<authentication-manager>'s) eventPublisher to something other than the NullEventPublisher. There is not a simple way to do this via the tag, so you will want to create the AuthenticationProvider using standard beans configuration and inject it into a standard Spring bean ProviderManager.

Rob Winch - Spring Security Lead
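The bean wiring the reply describes, as an added example that is not part of the original post or of Spring's own documentation: a ProviderManager declared as a plain bean with a DefaultAuthenticationEventPublisher, which publishes AuthenticationFailureCredentialsExpiredEvent when a provider throws CredentialsExpiredException. The bean ids, the `com.example.security` classes and the choice of DaoAuthenticationProvider are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Maps authentication exceptions to application events and publishes them
       through the ApplicationContext (it is ApplicationEventPublisherAware). -->
  <bean id="authenticationEventPublisher"
        class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher"/>

  <!-- Assumed: the application's UserDetailsService that returns JpaUserDetails. -->
  <bean id="jpaUserDetailsService" class="com.example.security.JpaUserDetailsService"/>

  <!-- Assumed provider; its post-authentication check throws CredentialsExpiredException. -->
  <bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="jpaUserDetailsService"/>
  </bean>

  <!-- ProviderManager as a standard bean, with the publisher set explicitly. -->
  <bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
      <list>
        <ref bean="daoAuthenticationProvider"/>
      </list>
    </constructor-arg>
    <property name="authenticationEventPublisher" ref="authenticationEventPublisher"/>
  </bean>

  <!-- Assumed package for the listener from the question; it must be a bean
       in this context to receive the published events. -->
  <bean id="securityEventDispatcher" class="com.example.security.SecurityEventDispatcher"/>

  <!-- Point the filter chain at the hand-built manager; the application's
       existing http settings would replace the bare form-login here. -->
  <security:http authentication-manager-ref="authenticationManager">
    <security:form-login/>
  </security:http>
</beans>
```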