Srinivasan Raguraman(Migrated from SEC-985) said:
When I use Spring security with LDAP, I could not override the message raised by UsernameNotFoundException.
I get the message in the UI as: "User mike not found in directory." I don't want that to appear in the UI for security reasons. I would be happy to make it "Bad Credentials" so the user doesn't get a clue that this id doesn't exist.
I started by trying to override the correct message property with an entry in my application's property file. However, since FilterBasedLDAPUserSearch doesn't use a message bundle when creating this exception, I can't override it:
throw new UsernameNotFoundException("User " + username + " not found in directory.", username);
If you guys are busy, I could update the ticket with patch.
Luke Taylor said:
It was previously possible to specify that UsernameNotFoundExceptions should be hidden when the LdapAuthenticationProvider base class was AbstractUserDetailsAuthenticationProvider. This functionality should also be introduced in the new class.
I’ve added a hideUsernameNotFoundException property to the class and enabled it by default.
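The behaviour both posts describe (a user-not-found failure surfacing to the UI as a generic "Bad credentials"), as an added example that is not from the ticket or from Spring Security itself. It wraps an existing AuthenticationProvider rather than relying on the `hideUsernameNotFoundException` property Luke mentions, so it works regardless of which provider class or version is in use; the class name `UserNotFoundHidingProvider` and the stub delegate in `main` are assumptions made for the illustration.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Illustrative wrapper (not Spring Security code): delegates to any
 * AuthenticationProvider, such as an LDAP provider, and converts
 * UsernameNotFoundException into a generic BadCredentialsException so the
 * caller cannot tell "no such user" apart from "wrong password".
 */
public class UserNotFoundHidingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;
    private final boolean hideUserNotFound;

    public UserNotFoundHidingProvider(AuthenticationProvider delegate, boolean hideUserNotFound) {
        this.delegate = delegate;
        this.hideUserNotFound = hideUserNotFound;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            return delegate.authenticate(authentication);
        } catch (UsernameNotFoundException notFound) {
            if (!hideUserNotFound) {
                // Explicitly opted out (e.g. internal admin tooling): keep the detailed message.
                throw notFound;
            }
            // Same message a wrong-password failure produces. The original exception is
            // kept as the cause so server-side logging can still record what really happened.
            throw new BadCredentialsException("Bad credentials", notFound);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }

    /** Stand-alone demonstration with a constructed stub delegate that always reports "user not found". */
    public static void main(String[] args) {
        AuthenticationProvider stubLdapProvider = new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication authentication) {
                String username = authentication.getName();
                // Mirrors the message the ticket complains about (constructed stub, not real LDAP).
                throw new UsernameNotFoundException("User " + username + " not found in directory.", username);
            }

            @Override
            public boolean supports(Class<?> authentication) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
            }
        };

        AuthenticationProvider hiding = new UserNotFoundHidingProvider(stubLdapProvider, true);
        Authentication request = new UsernamePasswordAuthenticationToken("mike", "secret");
        try {
            hiding.authenticate(request);
        } catch (AuthenticationException e) {
            // What the UI would see versus what the server log can see.
            System.out.println("Shown to user : " + e.getMessage());
            System.out.println("Logged cause  : " + e.getCause().getMessage());
        }
    }
}
```

Whatever mechanism is used, keep the original exception as the cause and log it server-side: the generic message protects against account enumeration through the UI, while the retained cause lets the failed-login log still distinguish non-existent accounts from password failures, which is the signal a detection rule for enumeration attempts needs. Note that a message-level fix does not by itself equalise the response time between the two failure paths.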