Home/ Questions/Q 8704045
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T02:59:56+00:00

I’ve subclassed org.springframework.security.core.userdetails.User and in my constructor I call: Super (String username, String password,

  • 0

I’ve subclassed org.springframework.security.core.userdetails.User and in my constructor I call:

Super (String username,
        String password,
        boolean enabled,
        boolean accountNonExpired,
        boolean credentialsNonExpired,
        boolean accountNonLocked,
        GrantedAuthority[] authorities)

I then use ${SPRING_SECURITY_LAST_EXCEPTION.message} to display the result when login fails.

The problem I have is that if I set accountNotLocked to false then the account locked error message is displayed and this happens whether or not the password is correct. I would far prefer it if spring validated credentials first and then enabled, accountNonExpired, credentialsNonExpired and accountNonLocked flags. This way a user would only be notified that their account was locked if they got the credentials right.

Is there a way to force spring to do this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I assume you’re using most popular DaoAuthenticationProvider and that the problem is in UserDetailsChecker default implementations in this class. That said, moving all checks after DaoAuthenticationProvider.additionalAuthenticationChecks should be enough to solve your problem. Try following config:

    <authentication-manager alias="authenticationManager">
  <authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>

<bean id="daoAuthenticationProvider"
      class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="passwordEncoder" ref="passwordEncoder"/>
  <property name="preAuthenticationChecks"
      class="com.example.NullUserDetailsChecker"/>
  <property name="postAuthenticationChecks"
      class="org.springframework.security.authentication.AccountStatusUserDetailsChecker"/>
</bean>

    where com.example.NullUserDetailsChecker is null object pattern implementation of UserDetailsChecker (has void check method which does nothing).

    • 0