Class LockoutAwareDaoAuthenticationProvider

java.lang.Object
io.leandev.appfuse.security.lockout.spring.LockoutAwareDaoAuthenticationProvider
All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider

public class LockoutAwareDaoAuthenticationProvider extends Object implements org.springframework.security.authentication.AuthenticationProvider

A DaoAuthenticationProvider with integrated login lockout.

Wraps the standard DaoAuthenticationProvider and adds lockout-check logic to the authentication flow.

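Authentication flow

  • Check whether the account is already locked → if so, throw LockedException
  • Delegate to DaoAuthenticationProvider for password verification
  • Verification succeeds → clear the failure record
  • Verification fails → record the failure count, which may trigger a lockout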
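
The four steps above as an added sketch; this is not the library's source code. The methods of LoginAttemptTracker are not shown on this page, so an in-memory map stands in for it, and the class name LockoutFlowSketch, the threshold and the lock duration are assumptions. It needs Spring Security on the classpath and Java 16 or later.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

// Added sketch with hypothetical names; not the library's implementation.
public class LockoutFlowSketch implements AuthenticationProvider {
    private static final int MAX_FAILURES = 5;                         // assumed threshold
    private static final Duration LOCK_TIME = Duration.ofMinutes(15);  // assumed lock duration

    private record Attempts(int failures, Instant lockedUntil) {}

    private final AuthenticationProvider delegate;  // e.g. a DaoAuthenticationProvider
    private final Map<String, Attempts> attempts = new ConcurrentHashMap<>(); // stand-in tracker

    public LockoutFlowSketch(AuthenticationProvider delegate) { this.delegate = delegate; }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String user = authentication.getName();
        // Step 1: reject before the password is checked, so attempts made
        // during a lock reveal nothing about whether the guess was right.
        Attempts a = attempts.get(user);
        if (a != null && a.lockedUntil() != null) {
            if (Instant.now().isBefore(a.lockedUntil())) {
                throw new LockedException("Account locked after " + a.failures() + " failed attempts");
            }
            attempts.remove(user); // lock has expired: start counting again
        }
        try {
            Authentication result = delegate.authenticate(authentication); // Step 2: password check
            if (result != null) attempts.remove(user);                     // Step 3: clear failures
            return result;
        } catch (BadCredentialsException e) {
            // Step 4: count the failure atomically; lock once the threshold is reached.
            Attempts updated = attempts.merge(user, new Attempts(1, null), (old, one) -> {
                int n = old.failures() + 1;
                return new Attempts(n, n >= MAX_FAILURES ? Instant.now().plus(LOCK_TIME) : null);
            });
            throw new BadCredentialsException(
                "Bad credentials (failed attempts: " + updated.failures() + ")", e);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) { return delegate.supports(authentication); }
}
```

The map in this sketch is per-process and never evicts entries for usernames that do not exist, so a real tracker needs expiry and, in a clustered deployment, shared storage.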

Integration

@Bean
public AuthenticationManager authenticationManager(
        DaoAuthenticationProvider daoProvider,
        LoginAttemptTracker tracker) {
    LockoutAwareDaoAuthenticationProvider lockoutProvider =
        new LockoutAwareDaoAuthenticationProvider(daoProvider, tracker);
    return new ProviderManager(Arrays.asList(lockoutProvider, ...));
}

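Exception handling

  • LockoutException - the account is locked (includes the remaining time and the failure count)
  • BadCredentialsException - wrong password (with failure count information attached)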
  • Constructor Details

    • LockoutAwareDaoAuthenticationProvider

      public LockoutAwareDaoAuthenticationProvider(org.springframework.security.authentication.dao.DaoAuthenticationProvider delegate, LoginAttemptTracker tracker)
      Constructs an authentication provider with integrated lockout.
      Parameters:
      delegate - the original DaoAuthenticationProvider
      tracker - the login attempt tracker
  • Method Details

    • authenticate

      public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
      Specified by:
      authenticate in interface org.springframework.security.authentication.AuthenticationProvider
      Throws:
      org.springframework.security.core.AuthenticationException
    • supports

      public boolean supports(Class<?> authentication)
      Specified by:
      supports in interface org.springframework.security.authentication.AuthenticationProvider