Forcing user to change expired password in spring security

I am building spring mvc and spring security based web based application.

I have implemented Reset Password functionality.System Administrator will reset password of any user .Random generated password will be emailed to user and same will be updated in database.

Now I want whenever user login with random generated password, i want to force user to change its password.

Please have a look to my user TABLE.

userid bigint(20)
username varchar(20)
password varchar(65)
email varchar(50)
firstname varchar(20)
lastname varchar(20)
groupname varchar(50)
enabled tinyint(1)
credentialsNonExpired tinyint(1)

MY Authentication Provider

    <!--
        Configuring Authentication Provider to make use of spring security
        provided Jdbc user management service
    -->
    <authentication-provider user-service-ref="jdbcUserService">
        <!--
            Configuring SHA-1 Password Encoding scheme to secure user credential
        -->
        <password-encoder ref="sha1PasswordEncoder" />
    </authentication-provider>
</authentication-manager>

I have used JDBCUserDetailsService extending JDBCDaoImpl as jdbcUserService.

I want to set credentialNonExpired to false column of my user table when I am resetting password.

I am able to do that.

But when i login, spring security JDBCuserdetailsservice loadUserbyUsername getting only username,password,enabled columns and rest of all fields set to true.

protected List<UserDetails> loadUsersByUsername(String username) {
    return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
        public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
            String username = rs.getString(1);
            String password = rs.getString(2);
            boolean enabled = rs.getBoolean(3);
            return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
        }

    });
}

But I want actual credentialNonExpired field which is set by reset password, so that spring security will throw CREDENTIALEXPIREDEXCEPTION.

I am achieving that by loading above method, but is there any other way to redirect user to change password page when they login with expired password.

Please tell me how can i do that ?

I'm working on a very similar problem and heading down this path as well... is there a recommendation on how best to handle the change password logic? Seems like trying to replicate all the normal "login" functionality (checking passwords, filling in SecurityContextHolder, returning error codes) could get tricky...

I'm working with JPA and models and I'm updating these directly without going through the entire Spring security cycle. It seemed to me as the fastest way. Of course after changing the password I redirect the user to the login page.

Yeah, I think your way would have been faster :) Here is what I ended up doing - * UsernamePasswordResetAuthentication with username, password, and new password * Login page with new/confirm password fields when appropriate * Login filter that creates the right authentication object, based on the request * Custom AuthenticationProvider (already there for different reasons), extended to 1) authenticate with existing password, 2) update the stored password, and 3) re-authenticate with the new password.

That custom authentication provider is the big slice. But if you already have it there for other reasons ...