Michael Smith (Migrated from SEC-1866) said:
From what I understand, by default, new users in AD are created with "User must change password at next login". This flag is also set when an administrator changes a user's password.
If a user with this flag tries to log in through Spring Security, the error reported to the user is a BadCredentialsException. The server logs are able to show the actual reason because the provider understands the flag; it just doesn't handle it in the exception conversion routine.
To reduce confusion on the user's part it'd be nice if raiseExceptionForErrorCode() could handle PASSWORD_NEEDS_RESET:
- by throwing a new exception with a new message;
- or, by throwing a CredentialsExpiredException with a new message;
- or, by throwing a CredentialsExpiredException with the same message as if the password had expired - this would be easiest, no internationalization of new strings required, it's pretty close to correct, and it should still result in the right corrective action being taken: the user logging in somewhere else and changing his/her password.
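A runnable model of the conversion routine the issue describes, added for this thread in Python (it is not Spring Security's own code): it pulls the AD sub-error code out of the bind failure message and shows the current fall-through to a bad-credentials error beside the third option proposed above. The exception classes and sample messages are stand-ins constructed here; the numeric codes are the documented AD values behind the constant names in the issue.

```python
import re
from typing import Callable, Optional

# Documented Active Directory sub-error codes carried in a failed bind's
# diagnostic message ("... AcceptSecurityContext error, data 773, v1db1").
PASSWORD_EXPIRED = 0x532
ACCOUNT_DISABLED = 0x533
PASSWORD_NEEDS_RESET = 0x773   # "User must change password at next logon"
ACCOUNT_LOCKED = 0x775

_SUBERROR_RE = re.compile(r"data ([0-9a-f]{3,4})", re.IGNORECASE)

# Stand-ins for the Spring Security exception types (constructed here).
class BadCredentialsException(Exception): pass
class CredentialsExpiredException(Exception): pass
class DisabledException(Exception): pass
class LockedException(Exception): pass

def parse_suberror(message: str) -> Optional[int]:
    """Extract the hex sub-error code from an AD bind failure message."""
    m = _SUBERROR_RE.search(message)
    return int(m.group(1), 16) if m else None

def raise_for_error_code_current(code: Optional[int]) -> None:
    """Behaviour the issue reports: a forced reset lands in the default branch."""
    if code == PASSWORD_EXPIRED:
        raise CredentialsExpiredException("User credentials have expired")
    if code == ACCOUNT_DISABLED:
        raise DisabledException("User is disabled")
    if code == ACCOUNT_LOCKED:
        raise LockedException("User account is locked")
    raise BadCredentialsException("Bad credentials")

def raise_for_error_code_proposed(code: Optional[int]) -> None:
    """Third option from the issue: treat PASSWORD_NEEDS_RESET like an expired password."""
    if code in (PASSWORD_EXPIRED, PASSWORD_NEEDS_RESET):
        raise CredentialsExpiredException("User credentials have expired")
    if code == ACCOUNT_DISABLED:
        raise DisabledException("User is disabled")
    if code == ACCOUNT_LOCKED:
        raise LockedException("User account is locked")
    raise BadCredentialsException("Bad credentials")

def classify(message: str, routine: Callable[[Optional[int]], None]) -> str:
    """Return the name of the exception a conversion routine raises for a message."""
    try:
        routine(parse_suberror(message))
    except Exception as exc:
        return type(exc).__name__
    return "none"

# Constructed sample messages in the shape AD returns on a failed simple bind.
RESET_MSG = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1]"
EXPIRED_MSG = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1]"
```

With the current routine the reset case reports as bad credentials even though the code was recognised; with the proposed mapping it reports as expired credentials, which prompts the user to change the password.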