  • How to handle exceptions thrown by Spring Security

    I am using Spring Security for a project but I need to figure out how to display a custom message if the user's
    account is disabled.

    Currently when authentication fails I can only see a boolean value that indicates whether the authentication worked or failed.
    Is there a way to get more details, e.g. the authentication passed but the account is locked?

    I have provided our configuration details below.


    My login Controller:


    Code:
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.ModelMap;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;

    @Controller
    @RequestMapping("/auth")
    public class LoginController {

    	@RequestMapping(value = "/login", method = RequestMethod.GET)
    	// defaultValue is needed: a primitive boolean with required=false fails when the parameter is absent
    	public String getLoginPage(@RequestParam(value="error", required=false, defaultValue="false") boolean error,
    			ModelMap model) {

    		if (error) {

    			//HOW DO I PROVIDE A CUSTOM ERROR MESSAGE?
    			model.put("error", "You have entered an invalid username or password!");
    		}

    		return "login"; // view name assumed; the original post is cut off here
    	}
    }


    The following entries have been added to the application's web.xml:

    Code:
    <context-param>
    	<param-name>contextConfigLocation</param-name>
    	<param-value>
    		/WEB-INF/spring/root-context.xml
    		/WEB-INF/spring/spring-security.xml
    	</param-value>
    </context-param>

    <!-- Create the Spring security filter -->
    <filter>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>
    The spring-security.xml:

    Code:
    	<security:form-login
    			login-page="/auth/login"
    			authentication-failure-url="/auth/login?error=true"
    			default-target-url="/dashboard"/>

    	<security:logout
    			invalidate-session="true"
    			logout-success-url="/auth/login"
    			logout-url="/auth/logout"/>

    </security:http>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <security:authentication-manager>
    	<security:authentication-provider user-service-ref="loginService">
    	</security:authentication-provider>
    </security:authentication-manager>

    <!-- A custom service where Spring will retrieve users and their corresponding access levels -->
    <bean id="loginService" class="com.xxx.myapp.security.LoginService"/>
    -----------------------

    Our custom LoginService class

    Code:
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;

    import org.springframework.dao.DataAccessException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    public class LoginService implements UserDetailsService {

    	private UserDao userDao; // DAO type assumed; the original post does not show its declaration

    	public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException, DataAccessException {

    		// Declare a null Spring User (UserAuthorization is the poster's own UserDetails subclass)
    		UserAuthorization user = null;

    		try {

    			com.my.User dbUser = userDao.findByEmail(email);

    			// The four boolean arguments are enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
    			user = new UserAuthorization(dbUser.getUserEmail(), dbUser.getName(), dbUser
    					.getPassword().toLowerCase(), true, true, true, true,
    					getAuthorities(dbUser.getRole()));
    		} catch (Exception e) {
    			// Keep the cause so the real failure is visible in the server log
    			throw new UsernameNotFoundException("Error in retrieving user", e);
    		}

    		return user;
    	}

    	public Collection<GrantedAuthority> getAuthorities(String role) {
    		// Body elided in the original post; minimal stand-in that grants the single stored role
    		// (SimpleGrantedAuthority is Spring Security 3.1+; use GrantedAuthorityImpl on 3.0)
    		List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
    		authList.add(new SimpleGrantedAuthority(role));
    		// Return list of granted authorities
    		return authList;
    	}

    }



    Please let me know if you need any more information

    Thanks in advance

  • #2
    By default Spring Security will store the last exception in session with the attribute SPRING_SECURITY_LAST_EXCEPTION. Take a look at the sample applications (e.g. the contacts sample) if you would like an example of how to use this.

    Comment
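Putting answer #2 into practice, as an added example that is not part of the original thread and not Spring Security's own sample code. It assumes Spring Security 3.1+ and Spring MVC on the classpath; the `UserDao` and `StoredUser` types with their `isEnabled()`/`isLocked()` accessors are hypothetical stand-ins for the poster's `userDao` and `com.my.User`, and the `login` view name is assumed. Two things have to be true before a "disabled" message can be shown at all: the `UserDetailsService` must report the stored account state through the `User` flags rather than four literal `true`s, otherwise `DaoAuthenticationProvider` never throws `DisabledException` or `LockedException`; and the login page must read that exception back from the session, where the default failure handler stores it under `SPRING_SECURITY_LAST_EXCEPTION` before redirecting to `authentication-failure-url`.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.WebAttributes;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Added example, not code from the thread or from Spring Security. Several classes are kept in one
// file for brevity; in a project each would live in its own file.

// Hypothetical persistence types standing in for the poster's userDao / com.my.User.
interface StoredUser {
    String getUserEmail(); String getPassword(); String getRole();
    boolean isEnabled(); boolean isLocked();
}
interface UserDao { StoredUser findByEmail(String email); }

/** Reports the stored account state through the UserDetails flags instead of hard-coded trues. */
class LoginService implements UserDetailsService {

    private UserDao userDao; // injected in a real application (assumed)

    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        StoredUser dbUser = userDao.findByEmail(email);
        if (dbUser == null) {
            // DaoAuthenticationProvider rethrows this as BadCredentialsException by default
            // (hideUserNotFoundExceptions=true), so an unknown email looks like a wrong password.
            throw new UsernameNotFoundException("No user with email " + email);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority(dbUser.getRole()));
        // User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities)
        // A false 'enabled' makes the provider throw DisabledException; a false 'accountNonLocked', LockedException.
        return new User(dbUser.getUserEmail(), dbUser.getPassword(),
                dbUser.isEnabled(), true, true, !dbUser.isLocked(), authorities);
    }
}

@Controller
@RequestMapping("/auth")
class LoginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String getLoginPage(
            @RequestParam(value = "error", required = false, defaultValue = "false") boolean error,
            HttpServletRequest request, ModelMap model) {
        if (error) {
            model.put("error", messageFor(lastFailure(request)));
        }
        return "login"; // view name assumed
    }

    /** Fetches and clears the exception saved by the failure handler, so a refresh does not replay it. */
    static AuthenticationException lastFailure(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        // WebAttributes.AUTHENTICATION_EXCEPTION is the constant for "SPRING_SECURITY_LAST_EXCEPTION"
        Object ex = session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        return ex instanceof AuthenticationException ? (AuthenticationException) ex : null;
    }

    /** Maps the exception type to a fixed user-facing string; never echo ex.getMessage() to the browser. */
    static String messageFor(AuthenticationException ex) {
        if (ex instanceof DisabledException) {
            return "Your account is disabled. Please contact support.";
        }
        if (ex instanceof LockedException) {
            return "Your account is locked.";
        }
        if (ex instanceof AccountExpiredException) {
            return "Your account has expired.";
        }
        if (ex instanceof CredentialsExpiredException) {
            return "Your password has expired and must be changed.";
        }
        // BadCredentialsException (wrong password, or an unknown user hidden as one) and anything else
        return "You have entered an invalid username or password!";
    }
}
```

One caveat before copying the per-state messages into a production login page: `DaoAuthenticationProvider` runs its account-state checks (locked, disabled, expired) before it compares the password, so a disabled or locked account yields `DisabledException` or `LockedException` whatever password was submitted. Showing those messages therefore confirms to anyone who knows an email address that the account exists and what state it is in. If that matters for the application, collapse them into the generic message and log the specific exception server-side instead. Mapping on the exception type in the controller, rather than printing the session attribute's message in the JSP, also keeps internal detail such as the poster's "Error in retrieving user" wrapper text off the page.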


    • #3
      Thanks a lot! That is what I was looking for ...

      Comment


      • #4
        helpful post ..thanks

        Comment


        • #5
          Is it possible to check user status on every request, and store Exception to session by default? I see it possible only during authentication. Could you help me, p

          Comment
