Forcing user to change expired password in spring security
I am building spring mvc and spring security based web based application.

I have implemented Reset Password functionality. The System Administrator will reset the password of any user. A randomly generated password will be emailed to the user and the same will be updated in the database.

Now, whenever a user logs in with the randomly generated password, I want to force the user to change their password.

Please have a look at my user TABLE.

userid bigint(20)
username varchar(20)
password varchar(65)
email varchar(50)
firstname varchar(20)
lastname varchar(20)
groupname varchar(50)
enabled tinyint(1)
credentialsNonExpired tinyint(1)

My Authentication Provider

<authentication-manager>
    <!--
        Configuring Authentication Provider to make use of spring security
        provided Jdbc user management service
    -->
    <authentication-provider user-service-ref="jdbcUserService">
        <!--
            Configuring SHA-1 Password Encoding scheme to secure user credential
        -->
        <password-encoder ref="sha1PasswordEncoder" />
    </authentication-provider>
</authentication-manager>

I have used a JdbcUserDetailsService extending JdbcDaoImpl as jdbcUserService.

I want to set the credentialsNonExpired column of my user table to false when I am resetting the password.

I am able to do that.

But when I log in, Spring Security's JdbcUserDetailsService loadUserByUsername gets only the username, password and enabled columns, and all the remaining fields are set to true.

protected List<UserDetails> loadUsersByUsername(String username) {
    return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
        public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
            String username = rs.getString(1);
            String password = rs.getString(2);
            boolean enabled = rs.getBoolean(3);
            return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
        }

    });
}

But I want the actual credentialsNonExpired field which is set by the password reset, so that Spring Security will throw CredentialsExpiredException.

I am achieving that by overriding the above method, but is there any other way to redirect the user to the change password page when they log in with an expired password?

Please tell me how I can do that?

Irrelevant answered 12/12, 2011 at 5:9 Comment(0)
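Added example (not the asker's code): a JdbcDaoImpl subclass that reads the credentialsNonExpired column. The class name is hypothetical and the table is assumed to be called users, as in the stock JdbcDaoImpl query. Note that in Spring Security 3.x overriding loadUsersByUsername alone is not enough, because the stock createUserDetails rebuilds the User with all three flags hard-coded to true, so that method is overridden too; DaoAuthenticationProvider then throws CredentialsExpiredException only after the temporary password has been verified.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

// Hypothetical class name; wire it as the jdbcUserService bean.
public class ExpiringJdbcUserDetailsService extends JdbcDaoImpl {

    public ExpiringJdbcUserDetailsService() {
        // Same shape as the stock query, plus the column the reset sets to 0 (false).
        setUsersByUsernameQuery("select username, password, enabled, credentialsNonExpired "
                + "from users where username = ?");
    }

    @Override
    protected List<UserDetails> loadUsersByUsername(String username) {
        return getJdbcTemplate().query(getUsersByUsernameQuery(), new String[] { username },
                new RowMapper<UserDetails>() {
                    public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
                        // Column 4 feeds the credentialsNonExpired flag of the User.
                        return new User(rs.getString(1), rs.getString(2), rs.getBoolean(3),
                                true, rs.getBoolean(4), true, AuthorityUtils.NO_AUTHORITIES);
                    }
                });
    }

    // The stock 3.x implementation passes true, true, true here and would discard
    // the flag read above; carry the flags over from the row-mapped User instead.
    @Override
    protected UserDetails createUserDetails(String username, UserDetails userFromUserQuery,
            List<GrantedAuthority> combinedAuthorities) {
        String returnUsername = isUsernameBasedPrimaryKey()
                ? userFromUserQuery.getUsername() : username;
        return new User(returnUsername, userFromUserQuery.getPassword(),
                userFromUserQuery.isEnabled(), userFromUserQuery.isAccountNonExpired(),
                userFromUserQuery.isCredentialsNonExpired(), // false after a reset
                userFromUserQuery.isAccountNonLocked(), combinedAuthorities);
    }
}
```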
Quite a late answer, and I don't know if you're using Spring 2 or 3. But in Spring 3 you can do it this way.

Include the following in your Spring security context:

<bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">/change_password_page</prop>
        </props>
    </property>
    <property name="defaultFailureUrl" value="/login_generic_error_page"/>
</bean>

Of course you can map other specific authentication exceptions to other pages.

If you're using the form-login element, then you have to specify the authentication-failure-handler-ref attribute (and remove authentication-failure-url if used):

<security:form-login ... authentication-failure-handler-ref="securityExceptionTranslationHandler">

And the final step is to create the change password page.

Keep in mind that the user is not authenticated when redirected to the change password page.

Nairn answered 17/1, 2013 at 16:6 Comment(4)
I'm working on a very similar problem and heading down this path as well... is there a recommendation on how best to handle the change password logic? Seems like trying to replicate all the normal "login" functionality (checking passwords, filling in SecurityContextHolder, returning error codes) could get tricky... - Appropriate

I'm working with JPA and models and I'm updating these directly without going through the entire Spring security cycle. It seemed to me the fastest way. Of course, after changing the password I redirect the user to the login page. - Nairn

Yeah, I think your way would have been faster :) Here is what I ended up doing:
* UsernamePasswordResetAuthentication with username, password, and new password
* Login page with new/confirm password fields when appropriate
* Login filter that creates the right authentication object, based on the request
* Custom AuthenticationProvider (already there for different reasons), extended to 1) authenticate with existing password, 2) update the stored password, and 3) re-authenticate with the new password.
- Appropriate

That custom authentication provider is the big slice. But if you already have it there for other reasons ... - Nairn
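Added example (not the answerer's code) of the change-password logic behind the page that the failure handler redirects to. Because the user is not authenticated there, the service verifies the temporary password itself before touching the row, then clears the expired flag; the class name is hypothetical, the table is assumed to be called users, and the encoder is assumed to be the legacy org.springframework.security.authentication.encoding.PasswordEncoder behind the sha1PasswordEncoder bean, used without a salt as in the question's config.

```java
import java.util.List;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.encoding.PasswordEncoder;

// Hypothetical service called by the controller for /change_password_page.
public class ExpiredPasswordChangeService {

    private final JdbcTemplate jdbc;
    private final PasswordEncoder encoder; // the same bean as sha1PasswordEncoder

    public ExpiredPasswordChangeService(JdbcTemplate jdbc, PasswordEncoder encoder) {
        this.jdbc = jdbc;
        this.encoder = encoder;
    }

    /**
     * Returns true when the password was changed. Every failure returns false so the
     * form shows one generic error and does not reveal whether the username exists.
     */
    public boolean changeExpiredPassword(String username, String currentPassword,
                                         String newPassword, String confirmPassword) {
        if (username == null || currentPassword == null || newPassword == null
                || !newPassword.equals(confirmPassword)
                || newPassword.equals(currentPassword)) {
            return false;
        }
        // Disabled accounts cannot use the unauthenticated page to rotate a password.
        List<String> hashes = jdbc.queryForList(
                "select password from users where username = ? and enabled = 1",
                String.class, username);
        // Verify the temporary (reset) password against the stored SHA-1 hash; no salt configured.
        if (hashes.size() != 1 || !encoder.isPasswordValid(hashes.get(0), currentPassword, null)) {
            return false;
        }
        // Store the new hash and clear the flag the reset set, in one statement.
        int updated = jdbc.update(
                "update users set password = ?, credentialsNonExpired = 1 where username = ?",
                encoder.encodePassword(newPassword, null), username);
        return updated == 1;
    }
}
```

On success the controller should redirect to the login page, as the answer above does, rather than populating the SecurityContext by hand.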
You can try subclassing SimpleUrlAuthenticationSuccessHandler and implement custom logic for checking password expiry. The reference to this SimpleUrlAuthenticationSuccessHandler could be passed to the form-login element in the application context.

Manipulate answered 12/1, 2012 at 12:15 Comment(0)