diff --git a/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java b/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
index 3b180487d1..5028882db6 100644
--- a/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
@@ -3,6 +3,7 @@ package org.springframework.security.providers.preauth;
 import org.springframework.security.providers.AuthenticationProvider;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.security.userdetails.UserDetailsChecker;
 import org.springframework.security.userdetails.checker.AccountStatusUserDetailsChecker;
@@ -32,7 +33,8 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
 private static final Log logger = LogFactory.getLog(PreAuthenticatedAuthenticationProvider.class);
 private AuthenticationUserDetailsService preAuthenticatedUserDetailsService = null;
- private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
+ private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
+ private boolean throwExceptionWhenTokenRejected = false;
 private int order = -1; // default: same as non-ordered
@@ -40,7 +42,7 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
 * Check whether all required properties have been set.
 */
 public void afterPropertiesSet() {
- Assert.notNull(preAuthenticatedUserDetailsService, "A AuthenticationUserDetailsService must be set");
+ Assert.notNull(preAuthenticatedUserDetailsService, "An AuthenticationUserDetailsService must be set");
 }
 /**
@@ -58,11 +60,24 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
 logger.debug("PreAuthenticated authentication request: " + authentication);
 }
- if(authentication.getPrincipal() == null) {
+ if (authentication.getPrincipal() == null) {
 logger.debug("No pre-authenticated principal found in request.");
+
+ if (throwExceptionWhenTokenRejected) {
+ throw new BadCredentialsException("No pre-authenticated principal found in request.");
+ }
 return null;
 }
+ if (authentication.getCredentials() == null) {
+ logger.debug("No pre-authenticated credentials found in request.");
+
+ if (throwExceptionWhenTokenRejected) {
+ throw new BadCredentialsException("No pre-authenticated credentials found in request.");
+ }
+ return null;
+ }
+
 UserDetails ud = preAuthenticatedUserDetailsService.loadUserDetails(authentication);
 userDetailsChecker.check(ud);
@@ -98,4 +113,13 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
 public void setOrder(int i) {
 order = i;
 }
+
+ /**
+ * If true, causes the provider to throw a BadCredentialsException if the presented authentication
+ * request is invalid (contains a null principal or credentials). Otherwise it will just return
+ * null.
+ */
+ public void setThrowExceptionWhenTokenRejected(boolean throwExceptionWhenTokenRejected) {
+ this.throwExceptionWhenTokenRejected = throwExceptionWhenTokenRejected;
+ }
 }
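Review bot: The new `authentication.getCredentials() == null` branch in the `@@ -58,11 +60,24 @@` hunk runs whether or not `throwExceptionWhenTokenRejected` is set, so a token that carries a principal but null credentials, which previously went on to `loadUserDetails`, is now dropped with `return null` by default. Whether any pre-authentication filter in the project supplies null credentials is not visible here, so that needs confirming before this ships. In the default mode the only trace of the rejection is a debug-level message, so the method's Javadoc (outside this hunk) should state the new precondition, for example `Returns null, or throws BadCredentialsException if throwExceptionWhenTokenRejected is set, when the principal or credentials are null.` The body of `authenticate` begins and ends outside the hunk.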
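Review bot: The Javadoc added for `setThrowExceptionWhenTokenRejected` in the `@@ -98,4 +113,13 @@` hunk does not state the default and has no `@param` tag. I would add `@param throwExceptionWhenTokenRejected {@code true} to throw {@link BadCredentialsException}; {@code false} (the default) to return {@code null}`. It would also help to say in the description that with `false` a rejected token is only reported at debug level, as the rejection branches in the `authenticate` hunk show.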