SEC-1938: Allow access to original AD error code for ActiveDirectoryLdapAuthenticationProvider #2164

Closed
spring-issuemaster opened this Issue Mar 9, 2012 · 6 comments

2 participants

@spring-issuemaster

Le Canh Son (Migrated from SEC-1938) said:

Updated Description

In order to allow users to handle other AD specific error codes we should expose this information to them.

Original Description
I have to raise this issue as a bug because ActiveDirectoryLdapAuthenticationProvider is a final class, which means I cannot extend it to write my own version to get around the problem.

In more detail, in the 'bindAsUser' function, if a user logs in with an account in PASSWORD_NEEDS_RESET status (a very common situation), they receive a misleading exception ("BadCredentialsException"). Having a close look at handleBindException, Spring Security only tries to translate some of the exception messages to real exceptions. In other cases, it reports a normal BadCredentialsException without any message codes. Therefore, it would be great if in the next release someone could change ActiveDirectoryLdapAuthenticationProvider to a normal public class or just add a new exception type to catch PASSWORD_NEEDS_RESET.

@spring-issuemaster

Rick Jensen said:

I have run into issues with not being able to extend this class as well. Making it non-final would make things much more flexible, which is a framework goal in general.

@spring-issuemaster

Rob Winch said:

I have modified this to an improvement and updated the description accordingly since it does not document that PASSWORD_NEEDS_RESET will be translated into anything specific and there is no equivalent Spring Security exception to translate this into (nor would we want to add a Spring Security Exception for every AD error since this would be overly extensive).

@spring-issuemaster

Rob Winch said:

Thank you for your submission. A fix has been pushed to master.

@spring-issuemaster

Le Canh Son said:

I have checked 3.1.2 and it seems nothing has changed yet?

@spring-issuemaster

Rob Winch said:

It throws a BadCredentialsException with a cause of ActiveDirectoryAuthenticationException which has the hex code in it. There is no appropriate "standard exception" to translate all of the AD error codes to and it does not make sense to add generic exceptions for every AD status code. It is wrapped in a BadCredentialsException to remain passive and since the ActiveDirectoryAuthenticationException reveals too much information in it to be visible to users. See https://fisheye.springsource.org/changelog/spring-security?cs=37aed0660dc9487bdf067eb3d0f0ebd872af7bbb
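
The following is an added example, not code from this thread or from the Spring Security project, showing how an application can act on the wrapped AD error code that the comment above describes. It assumes Spring Security 3.1.2 or later on the classpath (where `ActiveDirectoryAuthenticationException` exposes the hex sub-error code via `getDataCode()`), and the package name, class name and the `passwordResetUrl` redirect target are hypothetical. The "773" value is Active Directory's own data code for "password must be changed", which corresponds to the PASSWORD_NEEDS_RESET case raised in the original report.

```java
// Added example (not Spring Security project code). Assumes Spring Security 3.1.2+,
// where ActiveDirectoryLdapAuthenticationProvider wraps unmapped AD bind failures in a
// BadCredentialsException whose cause is an ActiveDirectoryAuthenticationException
// carrying the AD sub-error code as a hex string.
package example.security; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public class AdAwareFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    private static final Log log = LogFactory.getLog(AdAwareFailureHandler.class);

    // AD "data" sub-error code meaning the password must be reset before logon
    // (the PASSWORD_NEEDS_RESET case); Integer.toHexString(0x773) yields "773".
    private static final String PASSWORD_NEEDS_RESET = "773";

    private final String passwordResetUrl; // hypothetical redirect target

    public AdAwareFailureHandler(String defaultFailureUrl, String passwordResetUrl) {
        super(defaultFailureUrl);
        this.passwordResetUrl = passwordResetUrl;
    }

    /** Walks the cause chain looking for the AD-specific exception; null if absent. */
    static ActiveDirectoryAuthenticationException findAdCause(AuthenticationException ex) {
        Throwable t = ex;
        while (t != null) {
            if (t instanceof ActiveDirectoryAuthenticationException) {
                return (ActiveDirectoryAuthenticationException) t;
            }
            t = t.getCause();
        }
        return null;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        ActiveDirectoryAuthenticationException ad = findAdCause(exception);
        if (exception instanceof BadCredentialsException && ad != null
                && PASSWORD_NEEDS_RESET.equals(ad.getDataCode())) {
            // The detailed AD message stays server-side only; the user is simply routed
            // to the reset flow instead of being told their credentials were bad.
            log.info("AD bind rejected with data code " + ad.getDataCode()
                    + "; redirecting to password reset");
            getRedirectStrategy().sendRedirect(request, response, passwordResetUrl);
            return;
        }
        // Every other failure keeps the generic behaviour (and generic message).
        super.onAuthenticationFailure(request, response, exception);
    }
}
```

Wire the handler in as the form login's `authentication-failure-handler-ref`. Only the one code the application deliberately handles is special-cased; all other AD codes fall through to the generic failure path, which preserves the reason the provider wraps the exception in the first place: the `ActiveDirectoryAuthenticationException` message is too detailed to show to an end user.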

@spring-issuemaster

Le Canh Son said:

Oh, thanks. My mistake.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016