Create Account, Forgot Password and Change Password

17,530

You are completely right. AFAIK there is no "generic" package that implements these flows. I've searched a lot for this kind of code a while ago, and found nothing. I think that @luizcarlosfx is right, that each application has its own needs, therefore it is hard to write something generic that fits all needs.


EDIT: I saw comments like "It's not so difficult to implement". True. But you have to make sure you take care of all cases. For example, what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals, etc.)? What about sending the email with the activation link to the user? How do you create this link? How do you encrypt it? What about the controller that will receive the click on the link and activate the account? And more and more...


However, I took it a step forward and tried to code something that will answer most flows - registration, forgot-password, change password etc, and something that will be secured enough so applications will be able to use it without the fear that it will be easily hacked.

I have implemented a Java project for this use case. It is open source, based on Spring-Security. A release version is on Maven-Central, so you do not need to compile it, but instead you can fetch it as a maven-dependency to your project!

<dependency>
    <groupId>com.ohadr</groupId>
    <artifactId>authentication-flows</artifactId>
    <version>1.5.0-RELEASE</version>
</dependency>

I think it answers your question...

There are explanations for everything (and if something is missing - let me know...)

You can find here an example for a client application's code (i.e. the usage).

This is the main page of the project plus a demo, and another demo is here (but this is an app that, after upgrading to version 1.6.1, requires login with an email with the "nice" domain - nice.com, so you cannot really use it for demo; use the first example). This is a client web-app that uses the auth-flows, with the README with all explanations.

Hope that helps!
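The answer asks how the activation link is created and protected. One common approach, shown here as an added example that is not part of the original answer and not taken from the authentication-flows project: sign the e-mail address and an expiry time with HMAC-SHA256 and verify the signature before trusting anything in the link. The class name, the token layout and the `app.example` URL are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added example (hypothetical class): signed, expiring activation-link token.
public class ActivationLinkToken {
    private final byte[] key; // server-side secret, never sent to the client
    public ActivationLinkToken(byte[] key) { this.key = key.clone(); }

    // Token layout (assumed): base64url(email|expiryEpochSeconds) "." base64url(HMAC)
    public String issue(String email, Instant expiresAt) throws Exception {
        byte[] body = (email + "|" + expiresAt.getEpochSecond()).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(body) + "." + enc.encodeToString(mac(body));
    }

    // Returns the e-mail if the token is authentic and not expired, otherwise null.
    public String verify(String token, Instant now) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return null;
        byte[] body, sig;
        try {
            body = Base64.getUrlDecoder().decode(parts[0]);
            sig = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) { return null; } // malformed base64
        // Constant-time comparison, done before the payload is parsed.
        if (!MessageDigest.isEqual(mac(body), sig)) return null;
        String payload = new String(body, StandardCharsets.UTF_8);
        int sep = payload.lastIndexOf('|'); // last '|' so the e-mail may contain one
        long expiry = Long.parseLong(payload.substring(sep + 1));
        return now.getEpochSecond() <= expiry ? payload.substring(0, sep) : null;
    }

    private byte[] mac(byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(data);
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed demo key; load from config in practice
        ActivationLinkToken t = new ActivationLinkToken(key);
        String tok = t.issue("alice@example.com", Instant.now().plusSeconds(3600)); // sample address
        System.out.println("https://app.example/activate?token=" + tok + " -> " + t.verify(tok, Instant.now()));
    }
}
```

The signature only proves that the server issued the link and that it has not expired; the controller that receives the click still has to look up the account and handle the "already active" and "no such account" cases listed above. A token like this is not single-use, so a password-reset flow would additionally need a stored, consumable code or a value in the signed payload that changes when the password does.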

Author by

user3619976

Updated on October 16, 2022

Comments

  • user3619976 over 1 year

    Spring Security is great when the developer wants to secure his web app.

    However, what about creating the account? And "forgot password"? Most login pages have these links as well as the username and password fields. Spring's default login page does not have these links... In the good case, it can support "remember me"...

    Does Spring support these flows, of Create Account, Forgot Password and Change Password? If the answer is yes, can you please point me to some documentation?

    I've searched this issue but could not find anything.

    Thanks!

    • luizcarlosfx
      I think the answer is no. Because these actions are not generic actions, they differ from one application to another. How will Spring know what fields are required in your registration form? Or how you want to recover the password (via email, SMS, etc.)?
    • OhadR
      @luizcarlosfx: "It's not so difficult to implement" - but you have to make sure you take care of all cases. E.g. what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals, etc.)? What about sending the email with the activation link to the user? What about the controller that will receive the click on the link and activate the account? And more and more... There is a lot of code to write, my friend.
    • user3619976
      I understand; but I thought maybe there is something generic that is customizable and extensible (like all other Spring projects...)
    • luizcarlosfx
      I cared about everything and I am still saying that it's not so difficult. Spring offers a lot of cool features that make it easy. First of all, use Hibernate Validator to validate your user (check password size, username size and whatever you want). To check if a username exists, I do AJAX requests that check in the database whether the username is already used or the user is disabled. Validating the email is very similar to a recover-password request. I just store a request code in the database in my user_request table, and I have dedicated controllers for checking the validity of these codes.
  • user3619976 almost 10 years
    Looks good! Cool! However, all forms (and beans.xml) are on the client side, so the client still has to add stuff...
  • OhadR almost 10 years
    Thanks :-) Of course, the UI forms are something that each app wants differently, so there is really no point in trying to generalize the form. However, I have documented what fields should appear in these forms.
  • OhadR over 9 years
    @DirkConradCoetsee thanks! Did you try it? Do you use it in your app? I'm curious...
  • D2TheC over 9 years
    Hi, I am busy trying it. Struggling a bit to implement it. Can I get in contact with you regarding some details? It contains literally everything I need.
  • OhadR about 9 years
    Sure. You can post your question(s) here on SO, and tag them with authentication-flows