/oauth/token endpoint will return a 403, not a 401, when the user's p…

…assword is expired.

[#90713876] https://www.pivotaltracker.com/story/show/90713876

Signed-off-by: Rick Kawala <rkawala@pivotal.io>

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/PasswordExpiredException.java

@@ -18,8 +18,4 @@ public class PasswordExpiredException extends BadCredentialsException {
     public PasswordExpiredException(String msg) {
         super(msg);
     }
-
-    public PasswordExpiredException(String msg, Throwable t) {
-        super(msg, t);
-    }
 }

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/AccountNotVerifiedExceptionTranslator.java → common/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaExceptionTranslator.java

@@ -1,6 +1,5 @@
 package org.cloudfoundry.identity.uaa.authentication;
 
-import org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedException;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -9,11 +8,11 @@
 
 import java.io.IOException;
 
-public class AccountNotVerifiedExceptionTranslator extends DefaultWebResponseExceptionTranslator{
+public class UaaExceptionTranslator extends DefaultWebResponseExceptionTranslator {
 
     @Override
     public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
-        if (e instanceof AccountNotVerifiedException) {
+        if (e instanceof AccountNotVerifiedException || e instanceof PasswordExpiredException) {
             return handleOAuth2Exception(new ForbiddenException(e.getMessage(), e));
         }
 

uaa/src/main/webapp/WEB-INF/spring-servlet.xml

@@ -165,7 +165,7 @@
         <property name="exceptionTranslator" ref="accountNotVerifiedExceptionTranslator" />
     </bean>
 
-    <bean id="accountNotVerifiedExceptionTranslator" class="org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedExceptionTranslator"/>
+    <bean id="accountNotVerifiedExceptionTranslator" class="org.cloudfoundry.identity.uaa.authentication.UaaExceptionTranslator"/>
 
     <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
         <constructor-arg>

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java

@@ -1569,11 +1569,10 @@ public void testGetPasswordGrantTokenExpiredPasswordForOtherZone() throws Except
             .param(OAuth2Utils.RESPONSE_TYPE, "token")
             .param(OAuth2Utils.GRANT_TYPE, "password")
             .param(OAuth2Utils.CLIENT_ID, clientId))
-            .andExpect(status().isUnauthorized())
-            .andExpect(content().string("{\"error\":\"unauthorized\",\"error_description\":\"Your current password has expired. Please reset your password.\"}"));
+            .andExpect(status().isForbidden())
+            .andExpect(content().string("{\"error\":\"access_denied\",\"error_description\":\"Your current password has expired. Please reset your password.\"}"));
     }
 
-
     @Test
     public void testGetPasswordGrantTokenForOtherZone() throws Exception {
         String username = new RandomValueStringGenerator().generate()+"@test.org";