
Question:
I'm using Spring 2.5.6 and Spring security 2.0.
For login attempts I implement the UserDetails class on my User class, so the User class implements isAccountNonLocked(). After a wrong login (which dispatches an AuthenticationFailureBadCredentialsEvent that I handle with an event listener), Spring calls this function on my User class to check whether the account is locked. I implement it as follows:
    public boolean isAccountNonLocked() {
        // Too many failed attempts lock the account regardless of the stored flag.
        if (this.getFailedLoginAttempts() >= MAX_FAILED_LOGIN_ATTEMPTS) {
            return false;
        }
        // Otherwise fall back to the persisted lock flag.
        return this.accountNonLocked;
    }
This works great with bad credentials, but when I fill in the correct credentials it never calls this function. So if you fill in the correct credentials it doesn't check whether the User is locked, so you are always logged in, even if failedLoginAttempts is higher than MAX_FAILED_LOGIN_ATTEMPTS or the account is locked.
I even implemented the AuthenticationSuccessEvent, and if you fill in the correct credentials it handles this in the registered event listener (doing some stuff to set failedLoginAttempts back to 0 after a good login).
Is this a bug in Spring 2.5.6, or is it something I forgot?
Solution 1:
Solved the problem.
I implemented the function isAccountNonLocked in a Hibernate entity, but my authenticationDao was a JDBC implementation instead of a HibernateDaoImpl. So after a custom implementation of UserDetails as HibernateDaoImpl, the initial problem was solved.
    import java.util.List;

    import org.springframework.dao.DataAccessException;
    import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.security.userdetails.UserDetailsService;
    import org.springframework.security.userdetails.UsernameNotFoundException;

    public class HibernateDaoImpl extends HibernateDaoSupport implements UserDetailsService {

        private LoginDao loginDao;
        private UserroleDao userroleDao;

        /* (non-Javadoc)
         * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
         */
        public UserDetails loadUserByUsername(String username)
                throws UsernameNotFoundException, DataAccessException {
            // Returns the Hibernate entity itself, so its isAccountNonLocked() is the one Spring calls.
            UserDetails login = loginDao.getLogin(username);
            return login;
        }

        /**
         * Loads authorities by executing the authoritiesByUsernameQuery.
         *
         * @return a list of GrantedAuthority objects for the user
         */
        protected List loadUserAuthorities(String username) {
            return userroleDao.list(username);
        }

        public void setLoginDao(LoginDao loginDao) {
            this.loginDao = loginDao;
        }

        public void setUserroleDao(UserroleDao userroleDao) {
            this.userroleDao = userroleDao;
        }
    }
And in the XML:
    <b:bean id="authenticationDao1" class="com.foo.support.HibernateDaoImpl">
        <b:property name="sessionFactory"><b:ref bean="sessionFactory"/></b:property>
        <b:property name="loginDao"><b:ref bean="loginDao"/></b:property>
        <b:property name="userroleDao"><b:ref bean="userroleDao"/></b:property>
    </b:bean>
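Added example, not code from the question or the answer: a Spring-free model of why the JDBC-backed DAO let locked users in. It mirrors the order in which Spring Security's user-details provider works (load the UserDetails, run the lock check on that object, then check the password) and compares a loader that returns the entity carrying the counter with one that rebuilds a fresh object from the row. The class and field names (LockoutDemo, User, table, the two loaders) are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class LockoutDemo {
    static final int MAX_FAILED_LOGIN_ATTEMPTS = 3;

    // Stands in for the asker's Hibernate User entity that implements UserDetails.
    static class User {
        final String username, password;
        int failedLoginAttempts;
        boolean accountNonLocked = true;
        User(String u, String p) { username = u; password = p; }
        boolean isAccountNonLocked() {
            if (failedLoginAttempts >= MAX_FAILED_LOGIN_ATTEMPTS) return false;
            return accountNonLocked;
        }
    }

    // Constructed in-memory table standing in for the persisted login row.
    static final Map<String, User> table = new HashMap<>();

    // Loader modelling HibernateDaoImpl: returns the entity, counter included.
    static final Function<String, User> hibernateLoad = table::get;

    // Loader modelling the JDBC DAO: builds a new object from the row and
    // never copies the counter, so isAccountNonLocked() can only see "true".
    static final Function<String, User> jdbcLoad = name -> {
        User row = table.get(name);
        return row == null ? null : new User(row.username, row.password);
    };

    // Provider order: load, lock check on the loaded object, then credentials.
    // The counter updates mimic the failure/success event listeners.
    static String authenticate(Function<String, User> load, String name, String pw) {
        User user = load.apply(name);
        if (user == null) return "BAD_CREDENTIALS";
        if (!user.isAccountNonLocked()) return "LOCKED";
        User row = table.get(name);
        if (!user.password.equals(pw)) { row.failedLoginAttempts++; return "BAD_CREDENTIALS"; }
        row.failedLoginAttempts = 0;
        return "OK";
    }

    public static void main(String[] args) {
        table.put("alice", new User("alice", "correct-horse"));
        for (int i = 0; i < MAX_FAILED_LOGIN_ATTEMPTS; i++) authenticate(jdbcLoad, "alice", "wrong");
        System.out.println("hibernate loader: " + authenticate(hibernateLoad, "alice", "correct-horse"));
        System.out.println("jdbc loader:      " + authenticate(jdbcLoad, "alice", "correct-horse"));
    }
}
```

With the counter at the limit, the entity-returning loader rejects the correct password as locked, while the rebuilding loader accepts it and also resets the counter, which is the behaviour the question reports.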