Hi, I agree it shouldn't be a hasLength check. Probably changing it to an Assert.notNull would do the trick as a null password should indicate a coding error.
I've created a couple of Jira issues for these points:

http://opensource.atlassian.com/projects/spring/browse/SEC-201
http://opensource.atlassian.com/projects/spring/browse/SEC-202

Thanks for the report,

Luke.

Teppo Jalava wrote:
> Hello
>
> While migrating our system to use the new LdapAuthenticationProvider,
> I noticed that when a user tries to log in with an empty password, the
> provider throws IllegalArgumentException, due to the
> Assert.hasLength-check. Is this the right kind of behaviour for the
> provider? I mean, I would rather see a BadCredentialsException or some
> other AuthenticationException instead so the
> AuthenticationProcessingFilter would redirect the user to the
> authentication failure page.
>
> Or is there some other mechanism besides subclassing the provider to
> achieve this that I've missed?
>
> Thank you in advance,
> Teppo
>

--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523C
http://www.monkeymachine.ltd.uk

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
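
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Acegi Security's own code: a null password is treated as a coding error, while an empty password becomes an authentication failure that the filter can route to the failure page. The exception classes are stand-ins named after those in the thread; `authenticate`, `bind`, `handleLogin`, the sample credentials and the redirect targets are hypothetical.

```java
// Added illustration; stand-in types, not Acegi Security's own classes.
public class EmptyPasswordDemo {
    // Stand-ins for the framework's exception hierarchy (names mirror the thread).
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }
    static class BadCredentialsException extends AuthenticationException {
        BadCredentialsException(String msg) { super(msg); }
    }

    // Hypothetical provider method: validates input before any LDAP bind is attempted.
    static String authenticate(String username, String password) {
        // A null password means the caller built the request wrongly: a coding error.
        if (password == null) {
            throw new IllegalArgumentException("Null password was supplied");
        }
        // An empty password is user input, so it is an authentication failure.
        // It must still be rejected before binding: a simple bind with a DN and
        // an empty password is an "unauthenticated bind" (RFC 4513, 5.1.2),
        // which some directory servers accept.
        if (password.isEmpty()) {
            throw new BadCredentialsException("Empty password");
        }
        return bind(username, password);
    }

    // Constructed stand-in for the directory bind; "s3cret" is sample data.
    static String bind(String username, String password) {
        if (!"s3cret".equals(password)) {
            throw new BadCredentialsException("Bad credentials");
        }
        return username;
    }

    // Hypothetical filter logic: only AuthenticationException maps to the failure page.
    static String handleLogin(String username, String password) {
        try {
            authenticate(username, password);
            return "redirect:/home";
        } catch (AuthenticationException failed) {
            return "redirect:/login?error";
        }
    }

    public static void main(String[] args) {
        System.out.println(handleLogin("teppo", "s3cret"));
        System.out.println(handleLogin("teppo", ""));
        try {
            handleLogin("teppo", null);
        } catch (IllegalArgumentException e) {
            System.out.println("coding error: " + e.getMessage());
        }
    }
}
```

The `IllegalArgumentException` deliberately bypasses the filter's catch block, so a null password surfaces as a bug instead of being presented to the user as a failed login.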
