Oh, I did not know that the ExcessiveAttemptsException is part of Shiro
and extends AuthenticationException. Did not read the thread history, sorry.
On 06/26/2015 05:00 PM, kpenrose wrote:
> You can see from the reply above from Les Hazlewood that:
>
> /Anyway, that exception exists but it is not thrown/managed at any
> point by Shiro. It is there for your use as a convenience so you
> don't have to create your own Exception class if you don't want to.
> You would need to instantiate and throw it in your Realm's
> doGetAuthenticationInfo method when appropriate. The reason Shiro
> can't do this automatically is that this type of logic (lock account
> after a certain number of times in a certain number of minutes) is
> usually entirely dependent upon your application's User data model.
> /
>
> So here is my code for the overloaded function:
>
>     @Override
>     protected AuthenticationInfo doGetAuthenticationInfo(
>             AuthenticationToken token) throws UnknownAccountException,
>             ExcessiveAttemptsException, IncorrectCredentialsException {
>
>         // a null token is invalid
>         if (token == null) {
>             throw new AuthenticationException(
>                     "PrincipalCollection method argument cannot be null.");
>         }
>
>         UsernamePasswordToken usernamePasswordToken =
>                 (UsernamePasswordToken) token;
>
>         InventoryReportUser user =
>                 service.getUserByUsername(usernamePasswordToken
>                         .getUsername());
>
>         if (user == null) {
>             throw new UnknownAccountException("Could not find user");
>         }
>         if (user.isResetPasswordReqd()) {
>             throw new ExcessiveAttemptsException("Password change required",
>                     new Throwable("Password change required")); //"Password change required");
>         }
>
>         if (getCredentialsMatcher().doCredentialsMatch(usernamePasswordToken,
>                 user.getAsAuthenticationInfo())) {
>             return user.getAsAuthenticationInfo();
>         }
>
>         throw new IncorrectCredentialsException("Failed to authenticate");
>     }
>
> So you can see that I check for user.isResetPasswordReqd() which throws the
> ExcessiveAttemptsException. However, my controller only receives the
> AuthenticationException. Thing is, I can enter an invalid user id and
> although stepping through the execution shows me that the
> UnknownAccountException is thrown, I still receive the
> AuthenticationException type in the controller.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/ExcessiveAttemptsException-How-to-configure-tp4534742p7580592.html
> Sent from the Shiro User mailing list archive at Nabble.com.
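
The approach in the quoted reply from Les Hazlewood (the Realm itself throws ExcessiveAttemptsException when an application-defined lockout rule trips), as an added example that is not code from this thread or from the Shiro project. LockoutRealm, lookup(), MAX_FAILURES and WINDOW are hypothetical names and values, and the failure counts are held in memory where an application would use its own user data model.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentLinkedDeque;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;

// Added illustration: LockoutRealm, lookup(), MAX_FAILURES and WINDOW are hypothetical.
public abstract class LockoutRealm extends AuthenticatingRealm {
    private static final int MAX_FAILURES = 5;                     // assumed policy
    private static final Duration WINDOW = Duration.ofMinutes(15); // assumed policy
    // Timestamps of recent failed logins per username (in memory for this example).
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();

    // Application-specific account lookup; returns null for an unknown user.
    protected abstract AuthenticationInfo lookup(String username);

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // The realm's default supports() only admits UsernamePasswordToken, so the cast is safe.
        String username = ((UsernamePasswordToken) token).getUsername();
        AuthenticationInfo info = (username == null) ? null : lookup(username);
        if (info == null) throw new UnknownAccountException("Could not find user");
        if (recentFailures(username) >= MAX_FAILURES)
            throw new ExcessiveAttemptsException("Too many failed login attempts");
        return info; // Shiro compares credentials next, in assertCredentialsMatch()
    }

    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String username = ((UsernamePasswordToken) token).getUsername();
        try {
            super.assertCredentialsMatch(token, info);
            failures.remove(username); // a successful login resets the counter
        } catch (IncorrectCredentialsException e) {
            failures.computeIfAbsent(username, k -> new ConcurrentLinkedDeque<>()).add(Instant.now());
            throw e;
        }
    }

    private int recentFailures(String username) {
        Deque<Instant> attempts = failures.get(username);
        if (attempts == null) return 0;
        Instant cutoff = Instant.now().minus(WINDOW);
        attempts.removeIf(t -> t.isBefore(cutoff)); // forget failures older than the window
        return attempts.size();
    }
}
```

Failures are recorded only for accounts that exist, so submitting random usernames does not grow the map, and a locked account stops accumulating entries until the window has aged them out.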