Ben Alex 18 rokov pred

+ 9 - 1
core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java

@@ -59,9 +59,17 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
         if (this.saltSource != null) {
             salt = this.saltSource.getSalt(userDetails);
         }
+        
+        if (authentication.getCredentials() == null) {
+            throw new BadCredentialsException(messages.getMessage(
+                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
+                    includeDetailsObject ? userDetails : null);
+        }
+        
+        String presentedPassword = authentication.getCredentials() == null ? "" : authentication.getCredentials().toString();
 
         if (!passwordEncoder.isPasswordValid(
-                userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {
+                userDetails.getPassword(), presentedPassword, salt)) {
             throw new BadCredentialsException(messages.getMessage(
                     "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
                     includeDetailsObject ? userDetails : null);
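Review bot: The added null guard throws before the `presentedPassword` line is reached, so the `== null ? ""` branch of that ternary is dead code and misleadingly suggests a null credential is still tolerated further down; simplify it to `String presentedPassword = authentication.getCredentials().toString();`. Reusing the same `AbstractUserDetailsAuthenticationProvider.badCredentials` message for the missing-credentials case is the right choice, since it keeps that failure indistinguishable from a wrong password to the caller. One consequence worth a comment is that the null path now returns before `passwordEncoder.isPasswordValid` runs, so it is cheaper than the wrong-password path; a note such as `// Reject a null credential before encoding; same message as a wrong password so callers cannot tell the cases apart` above the new `if` would make the intent explicit. The enclosing method starts and ends outside this hunk.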

+ 15 - 0
core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java

@@ -78,6 +78,21 @@ public class DaoAuthenticationProviderTests extends TestCase {
         }
     }
 
+    public void testReceivedBadCredentialsWhenCredentialsNotProvided() {
+    	// Test related to SEC-434
+        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+        provider.setUserDetailsService(new MockAuthenticationDaoUserMarissa());
+        provider.setUserCache(new MockUserCache());
+
+    	UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken("marissa", null);
+    	try {
+    		provider.authenticate(authenticationToken); // null pointer exception
+    		fail("Expected BadCredenialsException");
+    	} catch (BadCredentialsException expected) {
+    		assertTrue(true);
+    	}
+    }
+    
     public void testAuthenticateFailsIfAccountExpired() {
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal");