Create Account, Forgot Password and Change Password

Spring Security is great when the developer wants to secure his web app.

However, what about creating the account? And "forgot password"? Most login pages have these links as well as the username and password fields. Spring's default login page does not have these links... at best, it can support "remember me"...

Does Spring support these flows of Create Account, Forgot Password and Change Password? If the answer is yes, can you please point me to some documentation?

I've searched this issue but could not find anything.

Thanks!

Jacintha answered 9/5, 2014 at 10:25 Comment(6)
I think the answer is no, because these actions are not generic actions; they differ from one application to another. How will Spring know what fields are required in your registration form? Or how you want to recover the password? (via email, SMS, etc.)Johnathan
I understand; but I thought maybe there is something generic that is customizable and extensible (like all other Spring projects...)Jacintha
It's not so difficult to implement. Create account is a basic form. I've implemented both in my project and had no difficulty. To recover the password I send an email to the user with a unique ID (java.sun.com/javase/6/docs/api/java/util/UUID.html) and I have a controller that checks that ID and, if it's valid (stored in my user_request table), forwards the user to a page where he will define a new password, since the original password is encrypted.Johnathan
@luizcarlosfx: "It's not so difficult to implement" - but you have to make sure you take care of all cases. E.g. what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals, etc.)? What about sending the email with the activation link to the user? What about the controller that will receive the click on the link and activate the account? And more and more... there is a lot of code to write, my friend.Sympathy
I took care of everything and I still say that it's not so difficult. Spring offers a lot of cool features that make it easy. First of all, use Hibernate Validator to validate your user (check password size, username size and whatever you want); to check if a username exists I do AJAX requests that check in the database whether the username is already used or the user is disabled. Validating the email is very similar to the recover-password request. I just store a request code in the database in my user_request table and I have dedicated controllers to check the validity of these codes.Johnathan
Spring Mail makes sending emails easy. I send an email with a link like this: http:localhost:8080/confirm-account?confirmation-code=56b823db-2975-490e-8795-9564f0742b9fJohnathan

You are completely right. AFAIK there is no "generic" package that implements these flows. I searched a lot for this kind of code a while ago and found nothing. I think that @luizcarlosfx is right that each application has its own needs; therefore it is hard to write something generic that fits all needs.

EDIT: I saw comments like "It's not so difficult to implement". True. But you have to make sure you take care of all cases. For example, what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals, etc.)? What about sending the email with the activation link to the user? How do you create this link? How do you encrypt it? What about the controller that will receive the click on the link and activate the account? And more and more...


However, I took it a step further and tried to code something that answers most flows (registration, forgot password, change password, etc.) and that is secure enough for applications to use it without the fear that it will be easily hacked.

I have implemented a Java project for this use case. It is open source, based on Spring Security. A release version is on Maven Central, so you do not need to compile it; instead you can fetch it as a Maven dependency in your project:

<dependency>
    <groupId>com.ohadr</groupId>
    <artifactId>authentication-flows</artifactId>
    <version>1.5.0-RELEASE</version>
</dependency>

I think it answers your question...

There are explanations for everything (and if something is missing - let me know...)

You can find an example of a client application's code (i.e. the usage) here.

This is the main page of the project plus a demo. This is a client web app that uses the auth-flows, with the README containing all explanations.

Hope that helps!

Sympathy answered 9/5, 2014 at 14:59 Comment(5)
Looks good! Cool! However, all forms (and beans.xml) are on the client side, so the client still has to add stuff...Jacintha
Thanks :-) Of course, the UI forms are something that each app wants differently, so there is really no point in trying to generalize the form. However, I have documented which fields should appear in these forms.Sympathy
@DirkConradCoetsee Thanks! Did you try it? Do you use it in your app? I'm curious...Sympathy
Hi, I am busy trying it. Struggling a bit to implement it. Can I get in contact with you regarding some details? It contains literally everything I need.Insight
Sure. You can post your question(s) here on SO and tag them with authentication-flowsSympathy
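Added example, not code from the question, the comments, or the authentication-flows project: a self-contained Java sketch of the request-code mechanism that the comments on the question (a unique ID stored in user_request, mailed as a confirmation link, checked by a dedicated controller) and this answer's list of cases both describe, shared by the confirm-account and reset-password flows. The class name, the 30-minute lifetime, the purpose strings, the example.com link and the in-memory map standing in for the database table are all assumptions of the example. It adds the checks a practitioner wants and the comments do not spell out: only a hash of the code is stored, so reading the table does not yield a usable link; a code is tied to one flow, expires, and is burned on first use; and every failure collapses into the same empty result, so the controller reveals nothing about why.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Single-use request codes for the "confirm account" and "forgot password" links.
 * Example code: the user_request table is an in-memory map here (assumption), keyed by
 * the SHA-256 of the code rather than the code itself.
 */
public final class RequestCodeService {

    /** One row of the user_request table. */
    static final class UserRequest {
        final String username;
        final String purpose;    // "RESET_PASSWORD" or "CONFIRM_ACCOUNT" (assumed names)
        final Instant expiresAt;
        boolean used;

        UserRequest(String username, String purpose, Instant expiresAt) {
            this.username = username;
            this.purpose = purpose;
            this.expiresAt = expiresAt;
        }
    }

    private static final Duration TTL = Duration.ofMinutes(30);   // assumed lifetime of a link
    private final SecureRandom random = new SecureRandom();
    private final Map<String, UserRequest> table = new HashMap<>();

    /** Issues a fresh code for the user. Only its hash is stored; the raw code goes into the email link. */
    public String issue(String username, String purpose, Instant now) {
        byte[] raw = new byte[32];                                  // 256 bits from SecureRandom
        random.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(sha256(code), new UserRequest(username, purpose, now.plus(TTL)));
        return code;
    }

    /**
     * Validates the code from the clicked link. On success the code is burned and the
     * username returned; unknown, reused, wrong-flow and expired codes all give the same
     * empty result, so the controller cannot be used to probe which check failed.
     */
    public Optional<String> consume(String code, String purpose, Instant now) {
        UserRequest req = table.get(sha256(code));
        if (req == null || req.used || !req.purpose.equals(purpose) || now.isAfter(req.expiresAt)) {
            return Optional.empty();
        }
        req.used = true;
        return Optional.of(req.username);
    }

    /** Lookup key: the table never holds a usable code, and equality is checked on the digest. */
    static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        RequestCodeService service = new RequestCodeService();
        Instant now = Instant.now();

        // forgot-password: the raw code is mailed in a link (host and path are assumptions)
        String code = service.issue("alice", "RESET_PASSWORD", now);
        System.out.println("mail link: https://example.com/reset-password?confirmation-code=" + code);

        // what the controller behind that link sees
        System.out.println(service.consume(code, "CONFIRM_ACCOUNT", now));   // rejected: issued for the other flow
        System.out.println(service.consume(code, "RESET_PASSWORD", now));    // accepted once, returns the user
        System.out.println(service.consume(code, "RESET_PASSWORD", now));    // rejected: already used

        // confirm-account: same mechanism, rejected once the lifetime has passed
        String late = service.issue("bob", "CONFIRM_ACCOUNT", now);
        System.out.println(service.consume(late, "CONFIRM_ACCOUNT", now.plus(Duration.ofHours(1))));
    }
}
```

Compile with javac and run with java RequestCodeService. The one case this sketch leaves to the controller is the "forgot password" form itself: it should answer with the same message whether or not the submitted email belongs to an account, so the form cannot be used to enumerate users.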

I think AppFuse is a tool for what you want. These lines are from its documentation:

AppFuse comes out of the box with features that many applications need, including:

  • Authentication and authorization
  • User management
  • Remember Me (which saves your login information so you don't have to log in every time)
  • Password reminder
  • Signup and registration
  • SSL switching
  • E-mail
  • Extension-less URLs
  • File upload
  • Generic CRUD backend
  • Full Eclipse, IDEA and NetBeans support
  • Fast startup and no deploy with Maven Jetty Plugin
  • Testable on multiple appservers and databases with Cargo and profiles
Hyacinthhyacintha answered 23/10, 2016 at 18:43 Comment(0)