spring security 密码过期强制修改密码

• 定义认证失败处理器处理CredentialsExpiredException密码过期异常

public class AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    protected Logger logger = LoggerFactory.getLogger(this.getClass());

    public AuthenticationFailureHandler() {
        super("/login?error");
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex) throws IOException, ServletException {
        if (ex instanceof CredentialsExpiredException) {
        	// 保存异常信息到会话属性，供页面显示
            saveException(req, ex);
            String userName = req.getParameter("username");
            // 跳转到修改密码页面
            res.sendRedirect("/changepassword?error&username=" + userName);
        } else {
        	// 其他错误使用默认处理
            super.onAuthenticationFailure(req, res, ex);
        }
    }
}

• 修改WebSecurity配置

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
	@Override
    protected void configure(HttpSecurity http) throws Exception {
    	...
    	http.formLogin().loginPage("/login")
    			// 注册认证失败处理器
                .failureHandler(new AuthenticationFailureHandler())
        ...
        http.authorizeRequests()
        		// 设置修改密码端点无需授权访问
                .antMatchers("/changepassword").permitAll()
    	...
    }
...
}

• 定义修改密码端点

@Controller
public class ChangePasswordController {
	@Autowired
	private UserService userService;
	// 修改密码页面
	@GetMapping("/changepassword")
	public ModelAndView changepassword(String username) {
		ModelAndView mv = new ModelAndView("changepassword");
		mv.getModel().put("username", username);
		return mv;
	}

	// 修改密码
	@PostMapping("/changepassword")
	public void changepassword(String username, String oldPassword, String newPassword, HttpServletRequest request, HttpServletResponse res) throws IOException {
		try {
			userService.changePassword(username, oldPassword, newPassword);			
			// 修改成功跳转到登陆页面			
			request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new AuthenticationException("密码修改成功，请重新登陆"));
			res.sendRedirect("/login");
		} catch (Exception e) {
			// 修改失败返回错误信息
			request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, e);
			res.sendRedirect("/changepassword?error");
		}
	}
}

• 定义修改密码页面

<!-- 显示错误信息 -->
<div class="alert alert-danger" role="alert"
                 th:text="${session.SPRING_SECURITY_LAST_EXCEPTION.getMessage()}"
                 th:if="${session.SPRING_SECURITY_LAST_EXCEPTION!=null}"></div>
<!-- 修改密码表单 -->
<form class="form-signin" method="post" action="/changepassword"
      onsubmit='return checkForm()'>
    <input type="text" id="username" name="username"
           class="form-control" placeholder="用户名" required th:value="${username}">
    <input type="password" id="oldPassword" name="oldPassword"
           class="form-control" placeholder="原密码" required>
    <input type="password" id="newPassword" name="newPassword"
           class="form-control" placeholder="新密码" required>
    <button class="btn btn-lg btn-primary btn-block" type="submit">确认修改</button>
</form>