SEC-2367: ProviderManager rethrows InternalAuthenticationServiceExceptions

core/src/main/java/org/springframework/security/authentication/ProviderManager.java

@@ -163,6 +163,9 @@ public class ProviderManager implements AuthenticationManager, MessageSourceAwar
                 prepareException(e, authentication);
                 // SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
                 throw e;
+            } catch (InternalAuthenticationServiceException e) {
+                prepareException(e, authentication);
+                throw e;
             } catch (AuthenticationException e) {
                 lastException = e;
             }

core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java

@@ -287,6 +287,20 @@ public class ProviderManagerTests {
         verify(publisher).publishAuthenticationFailure(expected, authReq);
     }
 
+    // SEC-2367
+    @Test
+    public void providerThrowsInternalAuthenticationServiceException() {
+        InternalAuthenticationServiceException expected = new InternalAuthenticationServiceException("Expected");
+        ProviderManager mgr = new ProviderManager(
+                Arrays.asList(createProviderWhichThrows(expected), createProviderWhichThrows(new BadCredentialsException("Oops"))), null);
+        final Authentication authReq = mock(Authentication.class);
+
+        try {
+            mgr.authenticate(authReq);
+            fail("Expected Exception");
+        } catch(InternalAuthenticationServiceException success) {}
+    }
+
     private AuthenticationProvider createProviderWhichThrows(final AuthenticationException e) {
         AuthenticationProvider provider = mock(AuthenticationProvider.class);
         when(provider.supports(any(Class.class))).thenReturn(true);