Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-985: can't override message for UsernameNotFoundException when using FilterBasedLDAPUserSearch #1237

spring-issuemaster opened this Issue Sep 23, 2008 · 2 comments


None yet
1 participant

Srinivasan Raguraman(Migrated from SEC-985) said:

When I use Spring security with LDAP, I could not override the message raised by UsernameNotFoundException.

I get the message in the UI as: "User mike not found in directory. ". I don’t want that to appear in the UI for security reasons. I would be happy to make it as “Bad Credentials” so the user doesn’t get a clue that this id doesn’t exist.

I started with trying to override the correct message property, with a entry in my applications property file. However since FilterBasedLDAPUserSearch doesn’t use a message bundle when creating this exception, I can’t override it.

throw new UsernameNotFoundException("User " + username + " not found in directory.", username);

If you guys are busy, I could update the ticket with patch.


Luke Taylor said:

It was previously possible to specify that UsernameNotFoundExceptions should be hidden when the LdapAuthenticationProvider base class was AbstractUserDetailsAuthenticationProvider. This functionality should also be introduced in the new class.

Luke Taylor said:

I’ve added a hideUsernameNotFoundException property to the class and enabled it by default.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment