SEC-985: can't override message for UsernameNotFoundException when using FilterBasedLDAPUserSearch #1237

Closed
spring-issuemaster opened this Issue Sep 23, 2008 · 2 comments

1 participant

@spring-issuemaster

Srinivasan Raguraman (Migrated from SEC-985) said:

When I use Spring Security with LDAP, I could not override the message raised by UsernameNotFoundException.

I get the message in the UI as: "User mike not found in directory." I don’t want that to appear in the UI for security reasons. I would be happy to make it “Bad Credentials” so the user doesn’t get a clue that this id doesn’t exist.

I started by trying to override the correct message property with an entry in my application's property file. However, since FilterBasedLDAPUserSearch doesn’t use a message bundle when creating this exception, I can’t override it.

like:

```java
throw new UsernameNotFoundException("User " + username + " not found in directory.", username);
```

If you guys are busy, I could update the ticket with a patch.

Thanks

@spring-issuemaster

Luke Taylor said:

It was previously possible to specify that UsernameNotFoundExceptions should be hidden when the LdapAuthenticationProvider base class was AbstractUserDetailsAuthenticationProvider. This functionality should also be introduced in the new class.

@spring-issuemaster

Luke Taylor said:

I’ve added a hideUsernameNotFoundException property to the class and enabled it by default.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
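The thread's fix is a provider property that is on by default from 3.0.0 M1. For older versions, or for any other AuthenticationProvider that leaks a distinct "user not found" error, the same hiding behaviour can be applied from the outside with a decorator. The class below is an added illustration written for this page, not code from Spring Security or from the issue; it assumes Spring Security 3.x on the classpath and uses only java.util.logging so it has no further dependencies. The class name `HidingUserNotFoundAuthenticationProvider` is hypothetical.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Decorator that maps UsernameNotFoundException thrown by the wrapped provider
 * to a generic BadCredentialsException, so that "unknown user" and "wrong
 * password" are indistinguishable to the client while the real reason is
 * still recorded server-side for operators.
 *
 * Hypothetical class written for this example; not part of Spring Security.
 */
public class HidingUserNotFoundAuthenticationProvider implements AuthenticationProvider {

    private static final Logger LOG =
            Logger.getLogger(HidingUserNotFoundAuthenticationProvider.class.getName());

    // Same wording the user sees when the password is wrong, so the two
    // failure modes produce an identical response.
    private static final String GENERIC_MESSAGE = "Bad credentials";

    private final AuthenticationProvider delegate;

    public HidingUserNotFoundAuthenticationProvider(AuthenticationProvider delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate must not be null");
        }
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            return delegate.authenticate(authentication);
        } catch (UsernameNotFoundException e) {
            // Keep the detailed cause in the server log only; never let it reach the UI.
            LOG.log(Level.FINE, "Authentication failed for '" + authentication.getName()
                    + "': " + e.getMessage());
            throw new BadCredentialsException(GENERIC_MESSAGE);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Defer to the wrapped provider so the ProviderManager routing is unchanged.
        return delegate.supports(authentication);
    }
}
```

Wire it by passing the existing LdapAuthenticationProvider bean as the constructor argument and registering the decorator with the ProviderManager in its place. The check to make after deploying is to authenticate once with an unknown username and once with a known username and wrong password, and confirm that the HTTP response body and the exception message shown to the user are byte-for-byte identical in both cases; the only difference should be the FINE-level server log entry.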