SEC-1783: Can't tell the difference between no credentials and invalid credentials #2019

Closed
spring-projects-issues opened this issue Jul 13, 2011 · 2 comments
Labels: in: core (an issue in spring-security-core), status: declined (a suggestion or change that we don't feel we should currently apply), type: jira (an issue that was migrated from JIRA)

Paul Benedict (Migrated from SEC-1783) said:

I need to record the number of password failures for existing users. DaoAuthenticationProvider#additionalAuthenticationChecks() is where I could do this, except BadCredentialsException is thrown for both (log messages) "no credentials provided" and "password does not match stored value". There's no way to distinguish the two at runtime. There's some refactoring here that could be done. Here are my suggestions:

  1. Subclass BadCredentialsException with new NoCredentialsException and InvalidCredentialsException
  2. Move the call to PasswordEncoder#isPasswordValid() to a new isPasswordValid() method whose default is to call the password encoder.

Of the two choices, I prefer #1.


Paul Benedict said:

BTW, I grant I can subclass DaoAuthenticationProvider and check if UserDetails == null, but I'd rather defer directly to the superclass logic and catch a known exception.


Luke Taylor said:

I don't really see a good reason for introducing an additional exception to differentiate between an empty password and an invalid one. They would both normally be regarded as a failure.

An event listener would be a more appropriate way of recording authentication failures and gives you access to the Authentication token, so you can take whatever action you determine appropriate based on the entered authentication data.
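One way to implement the listener approach Luke describes, as an added example that is not part of the original thread or of Spring Security's own code. It assumes a Spring context in which the AuthenticationManager publishes authentication events (the standard `ProviderManager` with an `AuthenticationEventPublisher` does this), and the `PasswordFailureRecorder` class and its method names are hypothetical; the "no credentials" vs. "password does not match" distinction is recovered from the `Authentication` token carried by the event rather than from the exception type.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

/**
 * Hypothetical listener (added example, not Spring Security code). It receives
 * every BadCredentialsException thrown by the provider as an event and tells
 * "no credentials provided" apart from "password does not match stored value"
 * by inspecting the Authentication token the event carries.
 */
@Component
public class PasswordFailureRecorder
        implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
    private final Map<String, AtomicInteger> wrongPassword = new ConcurrentHashMap<>();
    private final Map<String, AtomicInteger> noCredentials = new ConcurrentHashMap<>();

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        Authentication attempt = event.getAuthentication();
        String username = attempt.getName();
        if (username == null || username.isEmpty()) {
            return; // nothing to attribute the failure to
        }
        Object creds = attempt.getCredentials();
        if (creds == null || creds.toString().isEmpty()) {
            increment(noCredentials, username);   // "no credentials provided"
        } else {
            increment(wrongPassword, username);   // supplied, but did not match
        }
    }

    /** Failed attempts for a username that supplied a non-empty, mismatching password. */
    public int wrongPasswordFailures(String username) {
        AtomicInteger n = wrongPassword.get(username);
        return n == null ? 0 : n.get();
    }

    /** Attempts for a username that supplied no password at all. */
    public int noCredentialFailures(String username) {
        AtomicInteger n = noCredentials.get(username);
        return n == null ? 0 : n.get();
    }

    private static void increment(Map<String, AtomicInteger> counts, String username) {
        counts.computeIfAbsent(username, k -> new AtomicInteger()).incrementAndGet();
    }
}
```

Note that with the provider's default `hideUserNotFoundExceptions` setting, a failure for a username that does not exist is also reported as this event, so a counter that must cover only existing users needs an additional lookup before recording.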

spring-projects-issues added the labels in: core, status: declined, type: jira (Closed) on Feb 5, 2016