views:

419

answers:

2

Hi,

I'm using Spring Security for securing HTTP requests to a website. The primary usage is for securing pages such that the user is redirected to the login page when trying to access those pages.

However, I have a further requirement. In my model, I can flag a user's password as being temporary such that, when they successfully login, they should be automatically forced to change their password. Once the password is changed, they should then be forwarded on to the page they were originally trying to access.

Has anyone used Spring Security for this purpose? Do I need to create my own custom filter?

Thanks,

Andrew

+1  A: 

In Spring Security 3.0 you can implement a custom AuthenticationSuccessHandler.

In this handler you can redirect a user with a temporary password to the password change page instead of the originally requested page. After the password is changed, you may redirect the user to the originally requested page using SavedRequestAwareAuthenticationSuccessHandler, which is the default handler implementation.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

public class MyHandler implements AuthenticationSuccessHandler {
    // Default handler: replays the request that was saved before the login redirect
    private AuthenticationSuccessHandler target = new SavedRequestAwareAuthenticationSuccessHandler();

    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        if (hasTemporaryPassword(auth)) {
            // Do not delegate yet: the saved request stays in the session
            // until the password has actually been changed
            response.sendRedirect(request.getContextPath() + "/changePassword");
        } else {
            target.onAuthenticationSuccess(request, response, auth);
        }
    }

    // Called by the password change controller once the new password is stored
    public void proceed(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        target.onAuthenticationSuccess(request, response, auth);
    }

    // Look up the temporary-password flag in your user model
    private boolean hasTemporaryPassword(Authentication auth) {
        ...
    }
}

@Controller
@RequestMapping("/changePassword")
public class ChangePasswordController {

    @Autowired
    private MyHandler handler;

    @RequestMapping(method = RequestMethod.POST)
    public void changePassword(HttpServletRequest request,
            HttpServletResponse response,
            @RequestParam("newPassword") String newPassword)
            throws IOException, ServletException {

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // handle password change (store the new password, clear the temporary flag)
        ...

        // proceed to the originally requested secured page
        handler.proceed(request, response, auth);
    }

    // form display method, etc
    ...
}
axtavt
Thanks for this. I can do the first part pretty easily but not sure what you mean by "redirect user to...using SavedRequestAwareAuthenticationSuccessHandler". How do I redirect to a handler?
drewzilla
@drewzilla: I added a sample of how it might look (with a Spring MVC controller for the password change, not tested).
axtavt
A: 

Yes, I did this with a filter, ForceChangePasswordFilter, because if the user types the URL by hand they can bypass the change password form. With the filter the request always gets intercepted.

rodrigoap
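An added example of the filter approach from the second answer, complementing the success handler in the first; it is not rodrigoap's or axtavt's code. The filter name is taken from the answer, while the TemporaryPasswordCheck hook (standing in for the asker's user model) and the logout URL /j_spring_security_logout are assumptions.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: while the logged-in user's password is flagged temporary,
// every request except the change-password page and logout is redirected to the
// form, so typing another URL by hand cannot skip it.
public class ForceChangePasswordFilter extends OncePerRequestFilter {
    private static final String CHANGE_PASSWORD_PATH = "/changePassword";
    // Assumed logout URL; it must stay reachable so the user can abandon the session
    private static final String LOGOUT_PATH = "/j_spring_security_logout";

    // Assumed hook into your user model (not part of Spring Security)
    private final TemporaryPasswordCheck check;

    public ForceChangePasswordFilter(TemporaryPasswordCheck check) {
        this.check = check;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous and unauthenticated requests are left to the normal login redirect
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        if (loggedIn && check.isTemporary(auth)) {
            String path = request.getRequestURI().substring(request.getContextPath().length());
            // Only the change-password page (GET form, POST submit) and logout pass through
            if (!path.startsWith(CHANGE_PASSWORD_PATH) && !path.equals(LOGOUT_PATH)) {
                response.sendRedirect(request.getContextPath() + CHANGE_PASSWORD_PATH);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Assumed hook: answers whether the principal's stored password is temporary. */
    public interface TemporaryPasswordCheck {
        boolean isTemporary(Authentication auth);
    }
}
```

The filter has to run after the security context has been loaded for the request, for example registered in the Spring Security 3.0 namespace with `<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="forceChangePasswordFilter"/>`.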