Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
github
/
spring-security
spogulis no https://github.com/spring-projects/spring-security
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Pārlūkot izejas kodu

Moved credential expiry checking after password check. If the wrong password is presented, BadCredentialsException will now be thrown even if the password has expired.

Luke Taylor 20 gadi atpakaļ
vecāks
423dbc9f14
revīzija
c29a5731be
2 mainītis faili ar 20 papildinājumiem un 10 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 10 10
      core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
  2. 10 0
      core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java

+ 10 - 10
core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
Parādīt failu 

@@ -264,16 +264,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
 
             throw new LockedException("User account is locked");
 
         }
 
 
-        if (!user.isCredentialsNonExpired()) {
 
-            if (this.context != null) {
 
-                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
 
-                        authentication, user));
 
-            }
 
-
 
-            throw new CredentialsExpiredException(
 
-                "User credentials have expired");
 
-        }
 
-
 
         if (!isPasswordCorrect(authentication, user)) {
 
             // Password incorrect, so ensure we're using most current password
 
             if (cacheWasUsed) {
 
@@ -291,6 +281,16 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
 
             }
 
         }
 
 
+        if (!user.isCredentialsNonExpired()) {
 
+            if (this.context != null) {
 
+                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
 
+                        authentication, user));
 
+            }
 
+
 
+            throw new CredentialsExpiredException(
 
+                "User credentials have expired");
 
+        }        
+
 
         if (!cacheWasUsed) {
 
             // Put into cache
 
             this.userCache.putUserInCache(user);

+ 10 - 0
core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
Parādīt failu 

@@ -154,6 +154,16 @@ public class DaoAuthenticationProviderTests extends TestCase {
 
         } catch (CredentialsExpiredException expected) {
 
             assertTrue(true);
 
         }
 
+
 
+        // Check that wrong password causes BadCredentialsException, rather than CredentialsExpiredException
 
+        token = new UsernamePasswordAuthenticationToken("peter", "wrong_password");
 
+
 
+        try {
 
+            provider.authenticate(token);
 
+            fail("Should have thrown BadCredentialsException");
 
+        } catch (BadCredentialsException expected) {
 
+            assertTrue(true);
 
+        }
 
     }
 
 
     public void testAuthenticateFailsIfUserDisabled() {