
Moved credential expiry checking after password check. If the wrong password is presented, BadCredentialsException will now be thrown even if the password has expired.

Luke Taylor 20 years ago
parent
commit
c29a5731be

+ 10 - 10
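--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@@ -264,16 +264,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
             throw new LockedException("User account is locked");
         }
 
-        if (!user.isCredentialsNonExpired()) {
-            if (this.context != null) {
-                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
-                        authentication, user));
-            }
-
-            throw new CredentialsExpiredException(
-                "User credentials have expired");
-        }
-
         if (!isPasswordCorrect(authentication, user)) {
             // Password incorrect, so ensure we're using most current password
             if (cacheWasUsed) {
@@ -291,6 +281,16 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
             }
         }
 
+        if (!user.isCredentialsNonExpired()) {
+            if (this.context != null) {
+                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
+                        authentication, user));
+            }
+
+            throw new CredentialsExpiredException(
+                "User credentials have expired");
+        }        
+
         if (!cacheWasUsed) {
             // Put into cache
             this.userCache.putUserInCache(user);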
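Review bot: The relocated expiry block in the second hunk carries no comment recording why it must sit after isPasswordCorrect, so nothing stops a later edit from moving it back ahead of the password check and reintroducing the behaviour this commit removes; a line such as `// Check expiry only after the password has been verified: a wrong password must be reported as BadCredentialsException, and the account's expiry state must not be revealed to a caller who cannot authenticate.` above it would pin the intent (the BadCredentialsException path is stated by the commit message; its code lies between the two hunks). A consequence worth stating in that comment is that AuthenticationFailureCredentialsExpiredEvent is now published only when the presented password was correct, which existing event listeners may not expect. The closing brace of the added block (`}        `) carries trailing whitespace. The enclosing method starts and ends outside both hunks.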

+ 10 - 0
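--- a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
@@ -154,6 +154,16 @@ public class DaoAuthenticationProviderTests extends TestCase {
         } catch (CredentialsExpiredException expected) {
             assertTrue(true);
         }
+
+        // Check that wrong password causes BadCredentialsException, rather than CredentialsExpiredException
+        token = new UsernamePasswordAuthenticationToken("peter", "wrong_password");
+
+        try {
+            provider.authenticate(token);
+            fail("Should have thrown BadCredentialsException");
+        } catch (BadCredentialsException expected) {
+            assertTrue(true);
+        }
     }
 
     public void testAuthenticateFailsIfUserDisabled() {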
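Review bot: The new assertion only checks the exception type for the wrong-password attempt; it does not verify that no AuthenticationFailureCredentialsExpiredEvent was published for that attempt, which is the other observable effect of the reordering, so if the fixture exposes the application context a check on published events would pin that as well. That "peter" is the expired-credentials user is inferred from the preceding catch of CredentialsExpiredException, whose setup lies before the hunk. `assertTrue(true)` inside the new catch is a no-op — `fail(...)` on the line before already enforces the expectation — so a bare `// expected` comment would document the branch without a vacuous assertion, although the added code does mirror the existing block above it. The test method begins outside the hunk.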