
I am attempting to generate an error message for users that are currently not validated. These users should get a message, which is shown at /login?error. It already goes to this URL when the user authentication goes wrong, but this is obviously done in the authentication success handler. This is the success handler:

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {

        super.onAuthenticationSuccess(request, response, authentication);
    }
    }

How would I go about still returning to an error page when the authentication is successful, but the user is set on inactive? I assume it should be done in this function. All help is welcome!

EDIT: The idea is to check users for their active status. Each user has a field 'active' in the database, which will be set to true by an admin. The way Spring is currently configured, the onAuthenticationSuccess handler will be called, since the credentials are good. I actually want to reject the user from logging in when the user has active = false.

  • What do you mean by "users that are currently not validated"? – VHS Apr 04 '17 at 19:41
  • @VHS Users have a field which states if they are validated or not. I can just access this as user.getActive() and get either true or false. The credentials to log in will work just fine, as this is handled just by standard security. I actually want to direct them to an error page when the user active status is false. I am a novice Java/Spring user, so there might be a solution already : – dnsko Apr 04 '17 at 19:44
  • Session is authenticated in `org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#attemptAuthentication`. – Oleksandr Bondarchuk Apr 04 '17 at 19:55
  • Are you not using Spring Security? If you are, there's a built-in field for disabling user accounts. – chrylis -cautiouslyoptimistic- Apr 04 '17 at 20:07
  • @chrylis I am, but I'm just not at all familiar with Java/Spring yet. It's only a question of checking the user.getActive() and returning to something like `/login?error`. I'm not aware of any existing functions for this. – dnsko Apr 04 '17 at 20:11
  • I suggest you use authentication manager. See [Custom Authentication Manager with Spring Security and Java Configuration](http://stackoverflow.com/questions/31826233/custom-authentication-manager-with-spring-security-and-java-configuration) – Oleksandr Bondarchuk Apr 04 '17 at 20:12
  • The `UserDetails` interface has a flag for disabling accounts, which is automatically handled by the standard Spring Security components. – chrylis -cautiouslyoptimistic- Apr 04 '17 at 20:25
  • Spring Security does that by default... If that isn't working you have bypassed parts of Spring Security that you shouldn't have bypassed. – M. Deinum Apr 05 '17 at 07:11
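
The approach the comments point to, as an added example that is not part of the original thread: map the database `active` field onto the `enabled` flag of `UserDetails`, so the standard `DaoAuthenticationProvider` rejects the login with a `DisabledException` and the success handler is never reached. `AppUser`, `AppUserRepository`, `getPasswordHash()` and the `ROLE_USER` authority are hypothetical stand-ins for the asker's own types; the class is assumed to be registered as the application's `UserDetailsService`.

```java
import java.util.Optional;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical persistence types standing in for the asker's own user entity.
interface AppUser {
    String getUsername();
    String getPasswordHash(); // assumed: already encoded with the configured PasswordEncoder
    boolean getActive();      // the 'active' field an admin sets to true
}

interface AppUserRepository {
    Optional<AppUser> findByUsername(String username);
}

public class ActiveAwareUserDetailsService implements UserDetailsService {

    private final AppUserRepository users;

    public ActiveAwareUserDetailsService(AppUserRepository users) {
        this.users = users;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AppUser u = users.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("unknown user"));

        // enabled = active. The provider's account-status checks throw
        // DisabledException when enabled is false, so an inactive account is
        // sent to the failure handler (default form login: /login?error)
        // and no authenticated session is ever created for it.
        return new User(
                u.getUsername(),
                u.getPasswordHash(),
                u.getActive(), // enabled
                true,          // accountNonExpired
                true,          // credentialsNonExpired
                true,          // accountNonLocked
                AuthorityUtils.createAuthorityList("ROLE_USER")); // constructed role
    }
}
```

Rejecting the account at this stage, rather than redirecting from `onAuthenticationSuccess`, keeps the decision inside the authentication step: a redirect from the success handler happens after the session has already been marked as authenticated.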
