
Moved credential expiry checking after password check. If the wrong password is presented, BadCredentialsException will now be thrown even if the password has expired.

Luke Taylor 20 rokov pred
c29a5731be

+ 10 - 10
core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java

@@ -264,16 +264,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
             throw new LockedException("User account is locked");
         }
 
-        if (!user.isCredentialsNonExpired()) {
-            if (this.context != null) {
-                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
-                        authentication, user));
-            }
-
-            throw new CredentialsExpiredException(
-                "User credentials have expired");
-        }
-
         if (!isPasswordCorrect(authentication, user)) {
             // Password incorrect, so ensure we're using most current password
             if (cacheWasUsed) {
@@ -291,6 +281,16 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
             }
         }
 
+        if (!user.isCredentialsNonExpired()) {
+            if (this.context != null) {
+                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
+                        authentication, user));
+            }
+
+            throw new CredentialsExpiredException(
+                "User credentials have expired");
+        }        
+
         if (!cacheWasUsed) {
             // Put into cache
             this.userCache.putUserInCache(user);
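Review bot: The relocated expiry check in the second hunk has no comment recording why it must come after `isPasswordCorrect`, so a later tidy-up that groups the account-status checks together could move it back and silently reintroduce the behaviour this commit fixes; add above the `if (!user.isCredentialsNonExpired())` line: `// Deliberately checked after the password: a wrong password must fail with BadCredentialsException and must not reveal whether the credentials have expired.` The locked check still visible at the top of the first hunk (`throw new LockedException(...)`), and presumably the disabled check before it outside the hunk, still run before the password is verified, so the ordering rationale is applied to expiry only here. The closing brace of the moved block also carries trailing whitespace (`}        `) that should be stripped. The enclosing method starts and ends outside both hunks.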

+ 10 - 0
core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java

@@ -154,6 +154,16 @@ public class DaoAuthenticationProviderTests extends TestCase {
         } catch (CredentialsExpiredException expected) {
             assertTrue(true);
         }
+
+        // Check that wrong password causes BadCredentialsException, rather than CredentialsExpiredException
+        token = new UsernamePasswordAuthenticationToken("peter", "wrong_password");
+
+        try {
+            provider.authenticate(token);
+            fail("Should have thrown BadCredentialsException");
+        } catch (BadCredentialsException expected) {
+            assertTrue(true);
+        }
     }
 
     public void testAuthenticateFailsIfUserDisabled() {
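Review bot: The added wrong-password case relies on the `provider` and the expired-credentials user "peter" being set up earlier in the same method, outside the hunk, and asserts only the exception type, so a failure here would be reported under the existing expired-credentials test rather than as an ordering regression; consider moving the block into its own test method (for example `testBadCredentialsTakesPrecedenceOverExpiredCredentials`) that sets up the same fixture. The `assertTrue(true)` in the new catch block is a no-op kept for symmetry with the block above; the `fail(...)` call before it is what actually guards the path, so a one-line comment such as `// fail() above guards the no-throw path; nothing further to assert` would make that explicit.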