Spring Security 3.1.1 - Customizing Login Success problems

Question

I'm new to Spring Security and I've been reading the API and the Javadocs and I believe I need help regarding my issue.

So far, based from trial and error, what I've observed was throwing an exception prompts the authenticate method to automatically redirect to the Login Failure Handler. From there, it was easy redirecting and customizing the flow of the failed authentication. However, when it comes to logging in successfully, I can't seem to pass anything to the Login Success Handler other than the HttpServletRequest, HttpServletResponse, Authentication objects.

My login success has two scenarios:

1. Logging in successfully.

2. New user logging in should be redirected to the change password page.

Here are some questions:

1. Is it okay to call request.setParameter("status", "FOR_CHANGE_PASSWORD") in this case? Is it safe?

2. Should I add a "CHANGE_PASSWORD" authority? Is this good practice?

My problem is that I do not want to call the userService method in my LoginAuthenticator then call it again on my Login Success Handler just to retrieve the status of the user. Any work arounds?

public class LoginAuthenticator implements AuthenticationProvider{
private static final Logger log = LoggerFactory.getLogger(LoginAuthenticator.class);
private static final List<GrantedAuthority> AUTHORITIES = new ArrayList<GrantedAuthority>();
@Autowired
UserService userService;

@Override
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    log.info("Authenticating...");   

    log.debug("Username: {}" , authentication.getPrincipal());
    log.debug("Password: {}" , (String) authentication.getCredentials()); 


    WSResponse response = userService.authenticateLogin(username, password);


    //User log-in failure
    if(response.getResponseCode != 200){  

          if(response.getResponseStatus.equals("BAD CREDENTIALS")){
             throw new BadCredentialsException("Bad Credentials");  
          }
          else{
             throw new AccountStatusException("Account is locked")
          } 
    } 
    else{
        log.info("User credentials are valid... logging in");
        AUTHORITIES.add(new SimpleGrantedAuthority("USER"));
        return new UsernamePasswordAuthenticationToken(authentication.getPrincipal(),          (String) authentication.getCredentials(), AUTHORITIES);

    } 


}

Any more suggestions would be great.

Answer 1

A typical approach is to store all necessary information about the logged in user in its Authentication.

For example, standard AuthenticationProviders such as DaoAuthenticationProvider store an implementation of UserDetails as a principal when constructing Authentication object after successful authentication, and application developer can provide its own subclass of UserDetails that includes necessary information. You can implement it in the same way.