How to check user details without log-in in Spring security

0
votes

How to check the userdetails before spring security authentication is takes place.

Here in my project during login i need to check the basic validations username/password exists , validity of username , max retry limit(5invalid entries after that block a/c) and show error based on the failure.

On correct username/password need to check whether user logging into application for first time (based on flag in db) ,if so need to display an disclaimer page[ to access the application the user should accept the disclaimer].

Here is the flow

username/pwd in form -> Submit ->check for valid credentials

--> No --> display error[update retry flag] --> yes -->check validity-->exceed->display error -->with in validity period-->check is first time(and disclaimer accepted) -->show app if disclaimer already accepted else show disclaimer page without logging into application

On I accept button login the user to application.

2
javaspringstruts2spring-security

2 Answers

0
votes

I don't think this will involve Spring security per se. In your action class just call a method that checks the DB. If they have been logged in before return to an action that redirects the user to whatever page is appropriate. If they have not, then send them to the disclaimer page.

When they submit the form for the disclaimer page, check for acceptance. If accepted, then update the DB and redirect them to the appropriate page. If not, display an error.

If I recall Spring security correctly, the acceptance page and the login page, etc. will not be secured, but other pages will be. So, like I said, I'm not sure that Spring is really involved. It is just a matter of correctly routing via your Struts actions which do all the work of looking up in the DB and routing.

0
votes

Basically, spring security takes care of it - but you can override it. This is just a simple example how i would do it:

  @Autowired
private AuthenticationManager authenticationManager;

 @RequestMapping(value = "/login", method = RequestMethod.POST)
public ResponseEntity<?> login(@RequestBody AuthenticationRequest authenticationRequest, Device device) throws AuthenticationException {

    // Perform the security
    final Authentication authentication = authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(
                    authenticationRequest.getUsername(),
                    authenticationRequest.getPassword()
            )
    ); ...
}

AutheticationRequest is just a simple object with 2 Strings inside (username, password)

Bare in mind that this method throws AuthenticationException but you can also catch it in try/catch and do some logic on failed login.

Hope it helps.