SEC-1938: Allow access to original AD error code for ActiveDirectoryLdapAuthenticationProvider #2164

Closed
spring-issuemaster opened this Issue Mar 9, 2012 · 6 comments


Le Canh Son (Migrated from SEC-1938) said:

Updated Description

In order to allow users to handle other AD specific error codes we should expose this information to them.

Original Description

I have to raise this issue as a bug because ActiveDirectoryLdapAuthenticationProvider is a final class, which means I cannot extend it to write my own version to work around the problem.

In more detail: in the 'bindAsUser' function, if a user logs in with an account in PASSWORD_NEEDS_RESET status (a very common situation), they will receive a misleading exception ("BadCredentialsException"). Having a close look at handleBindException, Spring Security only tries to translate some of the exception messages into real exceptions. In other cases, it reports a plain BadCredentialsException without any message codes. Therefore, it would be great if in the next release someone could change ActiveDirectoryLdapAuthenticationProvider to a normal public class or just add a new exception type to catch PASSWORD_NEEDS_RESET.

Rick Jensen said:

I have run into issues with not being able to extend this class as well. Making it non-final would make things much more flexible, which is a framework goal in general.

Rob Winch said:

I have modified this to an improvement and updated the description accordingly since it does not document that PASSWORD_NEEDS_RESET will be translated into anything specific and there is no equivalent Spring Security exception to translate this into (nor would we want to add a Spring Security Exception for every AD error since this would be overly extensive).

Rob Winch said:

Thank you for your submission. A fix has been pushed to master.

Le Canh Son said:

I have checked 3.1.2 and it seems nothing has changed yet?

Rob Winch said:

It throws a BadCredentialsException with a cause of ActiveDirectoryAuthenticationException which has the hex code in it. There is no appropriate "standard exception" to translate all of the AD error codes to and it does not make sense to add generic exceptions for every AD status code. It is wrapped in a BadCredentialsException to remain passive and since the ActiveDirectoryAuthenticationException reveals too much information in it to be visible to users. See https://fisheye.springsource.org/changelog/spring-security?cs=37aed0660dc9487bdf067eb3d0f0ebd872af7bbb
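As an added illustration of how an application can consume the wrapped cause described above (example code, not from the issue or from Spring Security itself): the handler unwraps the ActiveDirectoryAuthenticationException behind the BadCredentialsException and maps a short allow-list of AD sub-error codes to user-safe messages, while keeping the raw AD detail for server-side logging only. It assumes the exception exposes the hex code via a `getDataCode()` accessor returning the bare value (e.g. "773"); the class `AdErrorHandler` and the message wording are this example's own.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException;

/**
 * Maps the AD sub-error code carried by ActiveDirectoryAuthenticationException
 * (assumed accessor: getDataCode(), returning e.g. "773") to a user-facing
 * message. Only a small allow-list is translated; every other failure stays a
 * generic "bad credentials" message so the raw AD text is never shown to users.
 */
public final class AdErrorHandler {

    // Standard AD sub-error codes as they appear in "data 773"-style messages.
    private static final Map<String, String> USER_SAFE_MESSAGES;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("773", "Your password must be changed before you can log in."); // PASSWORD_NEEDS_RESET
        m.put("532", "Your password has expired.");                           // PASSWORD_EXPIRED
        m.put("533", "This account is disabled.");                            // ACCOUNT_DISABLED
        m.put("775", "This account is locked.");                              // ACCOUNT_LOCKED
        USER_SAFE_MESSAGES = Collections.unmodifiableMap(m);
    }
    private static final String GENERIC = "Invalid username or password.";

    private AdErrorHandler() {}

    /** Message safe to display to the end user for a failed authentication. */
    public static String userMessage(AuthenticationException ex) {
        ActiveDirectoryAuthenticationException ad = unwrap(ex);
        if (ad == null) {
            return GENERIC; // not an AD-specific failure, nothing more to reveal
        }
        String msg = USER_SAFE_MESSAGES.get(ad.getDataCode());
        return msg != null ? msg : GENERIC;
    }

    /** Detail for the server-side audit log only (code plus original AD text). */
    public static String auditDetail(AuthenticationException ex) {
        ActiveDirectoryAuthenticationException ad = unwrap(ex);
        return ad == null ? ex.getMessage() : "AD data code " + ad.getDataCode() + ": " + ad.getMessage();
    }

    /** Returns the AD exception hidden behind a BadCredentialsException, or null. */
    private static ActiveDirectoryAuthenticationException unwrap(AuthenticationException ex) {
        Throwable cause = (ex instanceof BadCredentialsException) ? ex.getCause() : null;
        return (cause instanceof ActiveDirectoryAuthenticationException)
                ? (ActiveDirectoryAuthenticationException) cause : null;
    }
}
```

Call `userMessage` from an AuthenticationFailureHandler for the response and `auditDetail` for the log line, so the hex code is available for support and detection without leaking it to the login page.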

Le Canh Son said:

Oh, thanks. My mistake.

spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
