Question

我有以下spring security config：

<http auto-config="true" authentication-manager-ref="userAuthenticationManager">
        <form-login login-page="/" 
            default-target-url="/member/personalAccount"
            authentication-failure-url="/loginfailed" authentication-success-handler-ref="authSuccessHandler" />

        <!-- <intercept-url pattern="/common/*" filters="none" /> -->
        <intercept-url ..../>
        <logout logout-url="/logout" logout-success-url="/" />
        <port-mappings>
         <port-mapping http="${http.port}" https="${https.port}"/>
        </port-mappings>
    </http>

    ....


    <authentication-manager alias="userAuthenticationManager">
        <!-- <authentication-provider user-service-ref="userSecurityService"> -->
        <authentication-provider>
            <password-encoder ref="encoder" />
            <jdbc-user-service data-source-ref="dataSource" 
                users-by-username-query="select email,password,prop_was_moderated from terminal_user where email = ?"  
                authorities-by-username-query="select email,user_role from terminal_user where email = ?" />
        </authentication-provider>
    </authentication-manager>

现在我想在terminal_user表中添加新列。此列名为prop_confirmed

我想实现只有prop_confirmed为true的用户才能登录。

你能帮我实现吗？

Answer 1

您可以采用的一种方法是在prop_confirmed中对users-by-username-query条件进行硬编码。这样，如果用户未被确认，那就好像它们不存在并且身份验证将失败：

select email,password,prop_was_moderated from terminal_user
    where email = ? AND prop_confirmed = TRUE

还有其他（可能更清晰）的解决方案，例如自定义AuthenticationManager。有关这些选项的详细说明，请查看我的SO answer类似问题。

春天的安全。为用户登录添加限制

1 个答案: