Tutorial :Spring security - Spring doesn't check on isAccountNonLocked for UserDetails on correct login


I'm using Spring 2.5.6 and Spring security 2.0.

For login attempts I implements the UserDetails class on my User class. So the User class implements isAccountNonLocked() after a wrong login (dispatch the AuthenticationFailureBadCredentialsEvent, I handle this with a Eventlistener) Spring called this function from my User class to check if account is locked. I implements this as follow:

public boolean isAccountNonLocked() {      if (this.getFailedLoginAttempts() >= MAX_FAILED_LOGIN_ATTEMPTS) {            return false;        }      return this.accountNonLocked;    }  

This work great with bad credentials, but when I filled in the correct credentials he never call this function. So if you fill in the correct credentials he doesn't check if the User is locked , so he always logged in even if failedLoginAttempts is higher than MAX_FAILED_LOGIN_ATTEMPTS or if the account is locked.

I even implements the AuthenticationSuccessEvent and if you fill in correct credentials he is handle this registerd eventlistener( doing some stuff to set failedLoginAttempts back to 0 after a good login )

Is this a bug in Spring 2.5.6? or is it something I forgot...


Solved the problem.

I implemented the function isAccountNonLocked in a Hibernate entity but my authenticationDao was a JBDC implementation instead of a HibernateDaoImpl. So after a custom implementation of UserDetails as HibernateDaoImpl the initial problem was solved.

public class HibernateDaoImpl extends HibernateDaoSupport implements UserDetailsService {      private         LoginDao        loginDao;      private         UserroleDao     userroleDao;          /* (non-Javadoc)       * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)       */      public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {          UserDetails login = loginDao.getLogin(username);            return login;      }        /**       * Loads authorities by executing the authoritiesByUsernameQuery.       *         * @return a list of GrantedAuthority objects for the user       */      protected List loadUserAuthorities(String username) {          return userroleDao.list(username);      }        public void setLoginDao(LoginDao loginDao) {          this.loginDao = loginDao;      }        public void setUserroleDao(UserroleDao userroleDao) {          this.userroleDao = userroleDao;      }  }  

And in the XML:

<b:bean id="authenticationDao1" class="com.foo.support.HibernateDaoImpl" >  <b:property name="sessionFactory"><b:ref bean="sessionFactory"/></b:property>  <b:property name="loginDao"><b:ref bean="loginDao"/></b:property>  <b:property name="userroleDao"><b:ref bean="userroleDao"/></b:property>  

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »