Moved credential expiry checking after password check. If the wrong password is presented, BadCredentialsException will now be thrown even if the password has expired.

2005-04-25 23:11:12 +00:00 · 2005-04-25 23:11:12 +00:00 · c29a5731be
parent 423dbc9f14
commit c29a5731be
2 changed files with 20 additions and 10 deletions
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@ -264,16 +264,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
            throw new LockedException("User account is locked");
        }

-        if (!user.isCredentialsNonExpired()) {
-            if (this.context != null) {
-                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
-                        authentication, user));
-            }
-
-            throw new CredentialsExpiredException(
-                "User credentials have expired");
-        }
-
        if (!isPasswordCorrect(authentication, user)) {
            // Password incorrect, so ensure we're using most current password
            if (cacheWasUsed) {
@ -291,6 +281,16 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
            }
        }

+        if (!user.isCredentialsNonExpired()) {
+            if (this.context != null) {
+                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
+                        authentication, user));
+            }
+
+            throw new CredentialsExpiredException(
+                "User credentials have expired");
+        }        
+
        if (!cacheWasUsed) {
            // Put into cache
            this.userCache.putUserInCache(user);
--- a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
@ -154,6 +154,16 @@ public class DaoAuthenticationProviderTests extends TestCase {
        } catch (CredentialsExpiredException expected) {
            assertTrue(true);
        }
+
+        // Check that wrong password causes BadCredentialsException, rather than CredentialsExpiredException
+        token = new UsernamePasswordAuthenticationToken("peter", "wrong_password");
+
+        try {
+            provider.authenticate(token);
+            fail("Should have thrown BadCredentialsException");
+        } catch (BadCredentialsException expected) {
+            assertTrue(true);
+        }
    }

    public void testAuthenticateFailsIfUserDisabled() {