首页 发现 帮助
注册 登录
github
/
spring-security
镜像自地址 https://github.com/spring-projects/spring-security
2
0
派生 0
文件 工单管理 0 Wiki
浏览代码

Ben Alex 18 年之前
父节点
07b2a5c673
当前提交
6ea8899134
共有 2 个文件被更改,包括 24 次插入1 次删除
合并视图 显示文件统计
  1. 9 1
      core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
  2. 15 0
      core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java

+ 9 - 1
core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
查看文件 

@@ -59,9 +59,17 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 
         if (this.saltSource != null) {
 
         if (this.saltSource != null) {
 
             salt = this.saltSource.getSalt(userDetails);
 
             salt = this.saltSource.getSalt(userDetails);
 
         }
 
         }
 
+        
+        if (authentication.getCredentials() == null) {
 
+            throw new BadCredentialsException(messages.getMessage(
 
+                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
 
+                    includeDetailsObject ? userDetails : null);
 
+        }
 
+        
+        String presentedPassword = authentication.getCredentials() == null ? "" : authentication.getCredentials().toString();
 
 
 
         if (!passwordEncoder.isPasswordValid(
 
         if (!passwordEncoder.isPasswordValid(
 
-                userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {
 
+                userDetails.getPassword(), presentedPassword, salt)) {
 
             throw new BadCredentialsException(messages.getMessage(
 
             throw new BadCredentialsException(messages.getMessage(
 
                     "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
 
                     "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
 
                     includeDetailsObject ? userDetails : null);
 
                     includeDetailsObject ? userDetails : null);

+ 15 - 0
core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
查看文件 

@@ -78,6 +78,21 @@ public class DaoAuthenticationProviderTests extends TestCase {
 
         }
 
         }
 
     }
 
     }
 
 
 
+    public void testReceivedBadCredentialsWhenCredentialsNotProvided() {
 
+    	// Test related to SEC-434
 
+        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
 
+        provider.setUserDetailsService(new MockAuthenticationDaoUserMarissa());
 
+        provider.setUserCache(new MockUserCache());
 
+
 
+    	UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken("marissa", null);
 
+    	try {
 
+    		provider.authenticate(authenticationToken); // null pointer exception
 
+    		fail("Expected BadCredenialsException");
 
+    	} catch (BadCredentialsException expected) {
 
+    		assertTrue(true);
 
+    	}
 
+    }
 
+    
     public void testAuthenticateFailsIfAccountExpired() {
 
     public void testAuthenticateFailsIfAccountExpired() {
 
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal");
 
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal");