java - Spring Security: how to retrieve username to accessDeniedPage? -
i'm using spring security, html , thymeleaf , retrieve user has failed login. login has 2 step: first step checks if user , password correct ldap, second checks if user has role database. if both passed user authenticated. have registration page user has failed login (a precompiled input field). registration page accessdeniedpage. authentication:
public authentication authenticate(authentication authentication) throws authenticationexception { set<grantedauthority> authorities = new hashset<grantedauthority>(); string name = authentication.getname(); string password = authentication.getcredentials().tostring(); if (name == null || name.isempty() || password == null || password.isempty()) return null; boolean isfind = ldapservices.ldapsearch(name, password); if (isfind){ com.domain.user user = userservices.getbyusersenabled(name); if (user!=null){ authorities.add(new simplegrantedauthority("role_"+user.getrole().getrole())); } return new usernamepasswordauthenticationtoken(user, password, authorities); } else return null; }
and redirect is:
@override protected void configure(httpsecurity http) throws exception { list<role> roles=roleservices.getroles(); //retrieve array of roles(only string field without id) string[] rolesarray = new string[roles.size()]; int i=0; (role role:roles){ rolesarray[i++] = role.getrole(); } http .authorizerequests() //authorize request configuration //the "/register" path accepted without login .antmatchers("/registration/**").authenticated() //all path need authentication .anyrequest().hasanyrole(rolesarray)//.authenticated() .and()//login form configuration others .formlogin() .loginpage("/login") .permitall() .and() //redirect on page "registration" if user doens't exist in dart database .exceptionhandling().accessdeniedpage("/registration") .and() .logout() .logoutsuccessurl("/login?logout") .deletecookies("jsessionid", "jsessionid") .invalidatehttpsession(true) .permitall(); }
if add principal in /registration controller null. why? principal null, maybe wrong in authenticate method. furthermore may have problem security since registration web services not authenticated whereas should authenticated without role there possibility have registration page user fails login? thanks
i've changed row authenticate method:
return new usernamepasswordauthenticationtoken(user==null?new user(name,null,false):user, password, authorities);
user null because didn't exist database query return null object, instead have create user username.
Comments
Post a Comment