Spring Security / SEC-1938

Allow access to original AD error code for ActiveDirectoryLdapAuthenticationProvider

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.2
    • Component/s: LDAP

      Description

      Updated Description

      In order to allow users to handle other AD specific error codes we should expose this information to them.

      Original Description

      I have to raise this issue as a bug because ActiveDirectoryLdapAuthenticationProvider is a final class, which means I cannot extend it to write my own version to work around the problem.

      In more detail, in the 'bindAsUser' function, if a user logs in with an account with PASSWORD_NEEDS_RESET status (a very common situation), they will receive a misleading exception ("BadCredentialsException"). Having a close look at handleBindException, Spring Security only tries to translate some of the exception messages to real exceptions. In other cases, it reports a normal BadCredentialsException without any message codes. Therefore, it would be great if in the next release someone could change ActiveDirectoryLdapAuthenticationProvider to a normal public class or just add a new exception type to catch PASSWORD_NEEDS_RESET.

        Activity

        Rick Jensen added a comment -

        I have run into issues with not being able to extend this class as well. Making it non-final would make things much more flexible, which is a framework goal in general.

        Rob Winch added a comment -

        I have modified this to an improvement and updated the description accordingly since it does not document that PASSWORD_NEEDS_RESET will be translated into anything specific and there is no equivalent Spring Security exception to translate this into (nor would we want to add a Spring Security Exception for every AD error since this would be overly extensive).

        Rob Winch added a comment -

        Thank you for your submission. A fix has been pushed to master.

        Le Canh Son added a comment -

        I have checked 3.1.2 and it seems that nothing has changed yet?

        Rob Winch added a comment -

        It throws a BadCredentialsException with a cause of ActiveDirectoryAuthenticationException which has the hex code in it. There is no appropriate "standard exception" to translate all of the AD error codes to and it does not make sense to add generic exceptions for every AD status code. It is wrapped in a BadCredentialsException to remain passive and since the ActiveDirectoryAuthenticationException reveals too much information in it to be visible to users. See https://fisheye.springsource.org/changelog/spring-security?cs=37aed0660dc9487bdf067eb3d0f0ebd872af7bbb

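As an added example that is not part of this issue or of Spring Security's own code: a failure handler that reads the AD data code from the ActiveDirectoryAuthenticationException cause described in the comment above, gives only PASSWORD_NEEDS_RESET (AD data code 773) a distinct outcome, and keeps the generic failure page for every other code so the response does not reveal why a login failed. It assumes Spring Security 3.1.2 or later, where that exception exposes getDataCode(); the class name and URLs are invented for the example.

```java
// Added example (not from SEC-1938 or Spring Security); class and URL names are invented.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/**
 * Reacts to the AD data code carried by the cause of the BadCredentialsException
 * without showing it to the client: only PASSWORD_NEEDS_RESET gets a distinct
 * outcome; every other code (including user-not-found) keeps the generic page.
 */
public class AdAwareFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    /** AD data code reported when the password must be changed at next logon. */
    static final String PASSWORD_NEEDS_RESET = "773";

    private final String passwordResetUrl;

    public AdAwareFailureHandler(String defaultFailureUrl, String passwordResetUrl) {
        super(defaultFailureUrl);
        this.passwordResetUrl = passwordResetUrl;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        if (PASSWORD_NEEDS_RESET.equals(adDataCode(exception))) {
            // The real reason is logged server-side; the client only sees the redirect.
            logger.info("AD reported PASSWORD_NEEDS_RESET for a login attempt");
            getRedirectStrategy().sendRedirect(request, response, passwordResetUrl);
            return;
        }
        super.onAuthenticationFailure(request, response, exception);
    }

    /** Walks the cause chain and returns the AD data code, or null if none is present. */
    static String adDataCode(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ActiveDirectoryAuthenticationException) {
                return ((ActiveDirectoryAuthenticationException) c).getDataCode();
            }
        }
        return null;
    }
}
```

Register the handler as the failure handler of the form-login filter; the default failure URL stays in use for every code other than 773.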
        Le Canh Son added a comment -

        Oh, thanks. My mistake.


          People

          • Assignee: Rob Winch
          • Reporter: Le Canh Son
          • Votes: 2
          • Watchers: 3

          Time Tracking

          • Estimated: 1d
          • Remaining: 1d
          • Logged: Not Specified