Phil Krasko (Migrated from SEC-1949) said:
If a BadCredentialsException is thrown, the provider manager should break its loop and prevent calling further authentication providers.
Per the javadocs:
BadCredentialsException - Thrown if an authentication request is rejected because the credentials are invalid.
There is no point to call additional providers if the credentials are invalid.
This is somewhat related to SEC-546.
Rob Winch said:
Can I ask how this is causing you a problem? This is intentional behavior so that multiple AuthenticationProviders can be used. For example, the user may not have valid credentials in LDAP (tried first) but does have valid credentials in a database (tried second).
Phil Krasko said:
If a bad credentials exception is thrown it means the user was found, is neither locked nor disabled, but the provided password is incorrect. Why would you go to another authentication provider? I would expect to try another provider if a UsernameNotFoundException or AuthenticationServiceException was thrown.
In my scenario I know which provider the user should be authenticating with.
In each provider I immediately check to see that the user type is supported by the provider. If not, I throw an AuthenticationServiceException to short circuit and skip to the next provider.
I don't want to continue down the chain of providers when a bad credentials exception is thrown because the provider I selected is the only one the user can authenticate with.
Thank you for explaining this in more detail. Unfortunately, I do not think we can make the proposed changes. I am closing this ticket as Won't Fix for the following reasons:
This means you will need to extend Spring Security to meet this requirement. If you need the ability to select a specific provider and it cannot be determined by the supports method, you have at least a few options:
If you need further guidance, I'd be happy to assist on the forums.
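One way to meet the requirement described in this thread without changing ProviderManager, as an added example that is not code from the thread or from Spring Security itself: a single routing provider picks the one delegate a user may authenticate against, so ProviderManager has nothing further to try when that delegate throws BadCredentialsException. The RoutingAuthenticationProvider class, its username-suffix selector and the fixedPasswordProvider stand-ins are constructed for illustration.

```java
import java.util.*;
import java.util.function.Function;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

// Single provider that routes each request to exactly one delegate, chosen by a
// selector applied to the username. ProviderManager then holds only this provider,
// so a BadCredentialsException from the chosen delegate ends the attempt outright.
public class RoutingAuthenticationProvider implements AuthenticationProvider {
    private final Map<String, AuthenticationProvider> delegates;
    private final Function<String, String> selector;
    public RoutingAuthenticationProvider(Map<String, AuthenticationProvider> delegates,
                                         Function<String, String> selector) {
        this.delegates = delegates;
        this.selector = selector;
    }
    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        AuthenticationProvider delegate = delegates.get(selector.apply(auth.getName()));
        // Unknown user type: reject here rather than fall through to another store.
        if (delegate == null) throw new BadCredentialsException("Bad credentials");
        return delegate.authenticate(auth); // a BadCredentialsException propagates unchanged
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
    // Constructed stand-in for an LDAP or database provider: accepts one fixed password.
    static AuthenticationProvider fixedPasswordProvider(String expected) {
        return new AuthenticationProvider() {
            public Authentication authenticate(Authentication a) {
                if (!expected.equals(String.valueOf(a.getCredentials())))
                    throw new BadCredentialsException("Bad credentials");
                return new UsernamePasswordAuthenticationToken(a.getName(), null,
                        AuthorityUtils.createAuthorityList("ROLE_USER"));
            }
            public boolean supports(Class<?> c) { return true; }
        };
    }
    public static void main(String[] args) {
        AuthenticationProvider router = new RoutingAuthenticationProvider(
                Map.of("corp", fixedPasswordProvider("ldap-secret"), "ext", fixedPasswordProvider("db-secret")),
                name -> name.substring(name.indexOf('@') + 1));
        ProviderManager manager = new ProviderManager(List.of(router));
        try { // right password for the ext store, wrong for corp: rejected, ext is never consulted
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice@corp", "db-secret"));
        } catch (BadCredentialsException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```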