Spring Security / SEC-985

can't override message for UsernameNotFoundException when using FilterBasedLDAPUserSearch

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.3
    • Fix Version/s: 3.0.0 M1
    • Component/s: LDAP
    • Labels:
      None
    • Environment:
      LDAP with Spring Security

      Description

      When I use Spring Security with LDAP, I could not override the message raised by UsernameNotFoundException.

      I get the message in the UI as: "User mike not found in directory. ". I don't want that to appear in the UI for security reasons. I would be happy to make it as "Bad Credentials" so the user doesn't get a clue that this id doesn't exist.

      I started by trying to override the correct message property with an entry in my application's property file. However, since FilterBasedLDAPUserSearch doesn't use a message bundle when creating this exception, I can't override it.

      like:
      throw new UsernameNotFoundException("User " + username + " not found in directory.", username);

      If you guys are busy, I could update the ticket with a patch.

      Thanks

        Activity

        Luke Taylor added a comment -

        It was previously possible to specify that UsernameNotFoundExceptions should be hidden when the LdapAuthenticationProvider base class was AbstractUserDetailsAuthenticationProvider. This functionality should also be introduced in the new class.

        Luke Taylor added a comment -

        I've added a hideUsernameNotFoundException property to the class and enabled it by default.
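
The behaviour discussed in this issue, as an added example that is not part of the ticket or of Spring Security's code: the exception classes are local stand-ins, and `hideUserNotFound`, `searchForUser` and the sample directory are hypothetical names and constructed data. It converts the lookup failure into the same generic failure as a wrong password, so the message shown in the UI cannot confirm whether an account exists.

```java
import java.util.Map;

// Added illustration: stand-in types, not Spring Security's own classes.
public class HideUserNotFoundDemo {
    static class AuthenticationException extends RuntimeException { AuthenticationException(String m) { super(m); } }
    static class UsernameNotFoundException extends AuthenticationException { UsernameNotFoundException(String m) { super(m); } }
    static class BadCredentialsException extends AuthenticationException { BadCredentialsException(String m) { super(m); } }

    // Constructed sample directory: username -> password (plaintext only for the demo).
    static final Map<String, String> DIRECTORY = Map.of("alice", "s3cret");

    // Hypothetical flag mirroring the behaviour described in the comments above.
    static boolean hideUserNotFound = true;

    // Mimics the user search from the report: the message names the missing account.
    static String searchForUser(String username) {
        String password = DIRECTORY.get(username);
        if (password == null) {
            throw new UsernameNotFoundException("User " + username + " not found in directory.");
        }
        return password;
    }

    static void authenticate(String username, String presented) {
        String stored;
        try {
            stored = searchForUser(username);
        } catch (UsernameNotFoundException notFound) {
            if (!hideUserNotFound) throw notFound;
            // Same exception type and message as a wrong password.
            throw new BadCredentialsException("Bad credentials");
        }
        if (!stored.equals(presented)) {
            throw new BadCredentialsException("Bad credentials");
        }
    }

    // Returns what a login page would display for this attempt.
    static String failureMessage(String username, String presented) {
        try { authenticate(username, presented); return "authenticated"; }
        catch (AuthenticationException e) { return e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println(failureMessage("mike", "guess"));   // unknown user
        System.out.println(failureMessage("alice", "guess"));  // known user, wrong password
        hideUserNotFound = false;
        System.out.println(failureMessage("mike", "guess"));   // flag off: lookup failure is exposed
    }
}
```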


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Srinivasan Raguraman
          • Votes:
            0
            Watchers:
            0
