BadCredentialsException expected but AccountExpiredException received

I am using Spring Security to support authentication and authorization in my application. I have configured several aspects of the security context, but I don't think it plays a role in my question / problem.

I am currently using Spring 3.1.2.RELEASE and Spring Security 3.1.3.RELEASE , but I am going to update to the latest versions.

I think there is a bug with the inner class AbstractUserDetailsAuthenticationProvider$DefaultPreAuthenticationChecks, which I just found and describe below:

If I try to log in with a user and a bad (incorrect) password, but that user is in my user repository and is either locked, disabled, or has an expired account, then Spring Security responds with LockedException, DisabledException or AccountExpiredException.

However, from this response I have just determined that the user exists in the repository, even though I only guessed the password and still don't know whether it is correct! Instead, Spring Security should respond first with BadCredentialsException, and only if the credentials are authenticated respond with the locked, disabled, or expired account exceptions.

Has anyone else seen / reported this? I searched but didn't see anything!

Thanks Rob

Edit

I just upgraded to Spring 3.2.1.RELEASE and Spring Security 3.2.0.M1 and this behavior is still the same.

1 answer


This will only be a problem if the exception message is turned into an HTTP response. After analyzing the code, you will see that this is not the case if you use the default namespace configuration (<security:form-login>), because every attacker receives an HTTP redirect to the login page as the response, no matter what type of AuthenticationException was thrown on the server.

Reading the code reveals, however, that an AuthenticationFailureHandler can be configured to display this information. Snippet from SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure():


    if (defaultFailureUrl == null) {
        logger.debug("No failure URL set, sending 401 Unauthorized error");

        // The exception message (e.g. "User account is locked") goes straight into the response body
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
           "Authentication Failed: " + exception.getMessage());
    }


If this is the problem you had in mind, I think you are correct, because sending the exception message is definitely more than the client side should see. However, the developer would have to put some effort into achieving this unsafe behaviour, which requires setting defaultFailureUrl to null. If I am not mistaken, this is not even possible by simply using the namespace configuration (a default is used if not explicitly set).

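The answer's point is that the information leak only exists when the concrete AuthenticationException reaches the client. The following is an added example (not Spring Security's code and not from either poster) of a custom AuthenticationFailureHandler that keeps the client-visible response identical for every failure cause, so that a BadCredentialsException, LockedException, DisabledException or AccountExpiredException cannot be told apart from outside, while the specific cause is still written to the server log for operators. The class name, the log message format and the bean id mentioned below are assumptions made for this example; the Spring Security and Servlet API types are the real ones from the 3.x line the question uses.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Added example (hypothetical class, not part of Spring Security): a failure
 * handler whose response does not depend on which AuthenticationException
 * subclass was thrown. The distinguishing detail is logged server-side only.
 */
public class UniformAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final Logger log =
            LoggerFactory.getLogger(UniformAuthenticationFailureHandler.class);

    /** One message for every failure cause; deliberately not exception.getMessage(). */
    static final String GENERIC_MESSAGE = "Authentication failed";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {

        // Keep the concrete cause (LockedException, BadCredentialsException, ...)
        // for the server log, where it is useful for monitoring, but never in the body.
        log.warn("Authentication failure from {}: {}",
                 request.getRemoteAddr(),
                 exception.getClass().getSimpleName());

        // Same status and same body regardless of cause, so the client cannot use
        // the response to learn whether the account exists or what state it is in.
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, GENERIC_MESSAGE);
    }
}
```

With the namespace configuration this handler is plugged in through the form-login element, for example `<security:form-login authentication-failure-handler-ref="uniformFailureHandler"/>` with a bean of that id (the id is an assumption); the default redirect-to-login-page behaviour the answer describes already hides the cause, so this handler is only needed where a project has replaced that default with something that echoes the exception message.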
