Spring boot security custom messages while user login

Question

I am trying to integrate spring security in my spring boot application.All working ok but how do I display a message if the account is expired or account is locked? Also, I do not want to display error message based on parm like http://localhost:8080/login?error

Here is my current code: login.html

        <div th:if="${param.error}" class="alert alert-danger">
            Invalid username or password.
        </div>


        <h3>Sign in to continue</h3>

        <form th:action="@{/login}" name="loginForm"  method="POST">
            <div class="form-group">
                <label for="userNameInput">Username</label>
                <input type="text" class="form-control" id="userNameInput" name="username" placeholder="Username" />
            </div>
            <div class="form-group">
                <label for="passwordInput">Password</label>
                <input type="password" class="form-control" id="passwordInput"  name="password" placeholder="Password"  />
            </div>

            <button type="submit" class="btn btn-success">Login</button>
        </form>

WebSecurityConfig.java

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private CustomUserDetailsService customUserDetailsService;

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http
            .authorizeRequests()
            .antMatchers("/", "/css/**", "/js/**","/login/**").permitAll()
            .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").defaultSuccessUrl("/dashboard")
            .and().logout().logoutSuccessUrl("/");
  }

  @Autowired
  public void configAuthBuilder(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(customUserDetailsService).passwordEncoder(new BCryptPasswordEncoder());
  }

}

CustomUserDetailsService.java

@Service
public class CustomUserDetailsService implements UserDetailsService {

@Autowired
UserRepository userRepository;

@Override
@Transactional(readOnly = true)
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

    //query for user from DB
    User user = userRepository.findByUsername(username);


    if (user == null) {
        throw new UsernameNotFoundException(username);
    }

    Date today = new Date();

    //do check if account expired / suspended / deleted
    Boolean isAcconutExpired = false;
    Boolean status = false;

    if (user.getExpireOn() != null && today.before(user.getExpireOn())) {
        isAcconutExpired = false;
    }


    if(user.getStatus() == 1){
        status = true;
    }

    return new org.springframework.security.core.userdetails.User(user.getUsername(),
            user.getPassword(),
            status,
            !isAcconutExpired,
            true,
            true,
            getAuthorities(user));

}

private List<GrantedAuthority> getAuthorities(User user) {
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    authorities.add(new SimpleGrantedAuthority("USER"));
    return authorities;
   }
}

UserRepository.java

@Repository
public interface UserRepository extends CrudRepository<User, Long> {
  User findByUsername(String username);
}

Answer 1

This message is a bit old, but I'm currently facing the same problem.

So, firstly, you have to create a custom instance of Authentication Provider to let HideUserNotFoundExceptions be passed to the controler:

public AuthenticationProvider daoAuthenticationProvider() {
    DaoAuthenticationProvider impl = new DaoAuthenticationProvider();
    impl.setUserDetailsService(customUserDetailsService);
    impl.setPasswordEncoder(new BCryptPasswordEncoder());
    impl.setHideUserNotFoundExceptions(false) ;
    return impl ;
}

Moreover, you should add this provider in the AuthenticationProviderBuilder, instead of adding customDetailService (adding customDetailService will add an other provider) :

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(daoAuthenticationProvider());

}

With this, you can now catch UserNotFoundException instead of basic BadCredentialsException .

So, it remains to display custom error message for these two exceptions. The Badcredentials exception is throw directly by SpringSecurity with an error message based on I18n message AbstractUserDetailsAuthenticationProvider.badCredentials (see the implementation in spring security here ):

throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));

Same for expiration and account locked. So I suggest you to change your CustomUserDetailsService.java class to do the same with a similar code error :

if (user == null) {
   throw new UsernameNotFoundException(SpringSecurityMessageSource.getAccessor().getMessage("AbstractUserDetailsAuthenticationProvider.UserUnknown",new Object[] {login},"User is not known"));
}

After this, you can add these lines in your message.properties :

AbstractUserDetailsAuthenticationProvider.UserUnknown = {0} was not found.
AbstractUserDetailsAuthenticationProvider.badCredentials = Password is bad
AbstractUserDetailsAuthenticationProvider.credentialsExpired = User credentials have expired
AbstractUserDetailsAuthenticationProvider.disabled = User is disabled
AbstractUserDetailsAuthenticationProvider.expired = User account has expired
AbstractUserDetailsAuthenticationProvider.locked = User account is locked

And display error message in login.html :

            <div class="dialog-row">
                <label th:if="${param.error}" th:text="${session['SPRING_SECURITY_LAST_EXCEPTION'].message}" class="text-center redText">Mot de passe inconnu</label>                   
            </div>