
I am using the Spring Security plugin and the Spring Security REST plugin for a Grails application and trying to implement a password change policy. On the front-end, our application is catching the 401 error when you're not logged in, but the case where your password has expired gives exactly the same HTTP response. I'm looking to see if there's a way to change it.

I can catch the AbstractAuthenticationFailureEvent and figure out if it was due to an AuthenticationFailureCredentialsExpired event, but I don't know how to get that event to send anything meaningful out of the API that indicates that this wasn't just a failed password login.

As an aside, I can expire passwords and enforce that policy, so that's not the issue. The primary issue is how a consumer of this API can differentiate between a failed username/password challenge and a "you need to change your password" scenario.

dudemonkey

2 Answers


Find LoginController.groovy.

Here is the relevant code from the authfail method:

        import org.springframework.security.authentication.AccountExpiredException
        import org.springframework.security.authentication.CredentialsExpiredException
        import org.springframework.security.authentication.DisabledException
        import org.springframework.security.authentication.LockedException
        import org.springframework.security.web.WebAttributes

        // Called after a failed form login. The failure handler stores the exception that
        // caused the failure in the session; this maps its type to a user-facing message.
        def authfail() {
            String msg = ''
            Exception exception = session[WebAttributes.AUTHENTICATION_EXCEPTION]
            if (exception) {
                if (exception instanceof AccountExpiredException) {
                    msg = g.message(code: "springSecurity.errors.login.expired")
                } else if (exception instanceof CredentialsExpiredException) {
                    msg = g.message(code: "springSecurity.errors.login.passwordExpired")
                } else if (exception instanceof DisabledException) {
                    msg = g.message(code: "springSecurity.errors.login.disabled")
                } else if (exception instanceof LockedException) {
                    msg = g.message(code: "springSecurity.errors.login.locked")
                } else {
                    msg = g.message(code: "springSecurity.errors.login.fail")
                }
            }
            flash.message = msg
            redirect action: 'auth', params: params
        }
Neoryder

I found a solution based on Burt Beckwith's response to this post: Grails Spring Security Login/Logout Controllers not generated

The spring security REST plugin has a class called RestAuthenticationFailureHandler which I copied into my project and rewrote. When the onAuthenticationFailure method is called, I check to see if the type of the error is org.springframework.security.authentication.CredentialsExpiredException and, if it is, I emit a more appropriate HTTP status code than the preconfigured one.

dudemonkey
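Putting the two answers together, as an added example that is not code from either post, from the Spring Security plugin or from the Spring Security REST plugin: a failure handler for the REST login endpoint that keeps the first answer's instanceof dispatch but, instead of a flash message, gives a CredentialsExpiredException its own HTTP status and a machine-readable error code, while every other failure still gets the generic answer. The class name, the choice of 403, the JSON error codes, the bean name `restAuthenticationFailureHandler` in resources.groovy and the javax.servlet package layout are assumptions; check the bean name against the REST plugin version you run before relying on the override.

```groovy
// src/main/groovy/example/ExpiredPasswordAwareFailureHandler.groovy (hypothetical path)
package example

import grails.converters.JSON
import org.springframework.security.authentication.CredentialsExpiredException
import org.springframework.security.core.AuthenticationException
import org.springframework.security.web.authentication.AuthenticationFailureHandler

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

/**
 * Replaces the REST plugin's failure handler for the login endpoint.
 * Every failure keeps the configured generic status except an expired
 * password, which is reported with a distinct status and error code so
 * an API client can send the user to "change your password" instead of
 * "wrong username or password".
 */
class ExpiredPasswordAwareFailureHandler implements AuthenticationFailureHandler {

    /** Status for ordinary failures (bad password, locked, disabled, ...). */
    Integer statusCode = HttpServletResponse.SC_UNAUTHORIZED

    /** Status for an expired password. 403 is this example's choice, not a plugin default. */
    Integer credentialsExpiredStatusCode = HttpServletResponse.SC_FORBIDDEN

    @Override
    void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                 AuthenticationException exception) {
        response.contentType = 'application/json'
        response.characterEncoding = 'UTF-8'
        // Failure responses must never be served from a cache.
        response.setHeader('Cache-Control', 'no-store')

        Map body
        if (exception instanceof CredentialsExpiredException) {
            // Spring Security raises this in its post-authentication checks, i.e. only
            // after the supplied password verified, so singling it out does not tell an
            // attacker who lacks the password anything about the account.
            response.status = credentialsExpiredStatusCode
            body = [error: 'credentials_expired',
                    message: 'Your password has expired and must be changed before you can log in']
        } else {
            // Locked, disabled, account-expired and bad-credentials all collapse into one
            // response: the first three are raised before the password is checked, so
            // distinct answers for them would let the login endpoint enumerate usernames.
            response.status = statusCode
            body = [error: 'authentication_failed']
        }
        response.writer.write((body as JSON).toString())
        response.writer.flush()
    }
}

// grails-app/conf/spring/resources.groovy
// Overrides the plugin's bean (name assumed to be restAuthenticationFailureHandler) so the
// REST login filter uses this handler.
beans = {
    restAuthenticationFailureHandler(example.ExpiredPasswordAwareFailureHandler) {
        statusCode = 401
        credentialsExpiredStatusCode = 403
    }
}
```

The reason only CredentialsExpiredException gets a special-cased response is the order in which Spring Security's DaoAuthenticationProvider runs its checks: locked, disabled and account-expired are pre-authentication checks that fire before the password is compared, whereas credentials-expired is a post-authentication check that fires only once the password has verified. Distinguishing the pre-authentication failures in the API response would hand an unauthenticated caller a username oracle; distinguishing an expired password only informs someone who already proved they know it.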