Wesley Hall wrote:

Hello,

I hope everyone is well.

I wanted to query the ordering of the exceptions thrown by the DaoAuthenticationProvider class. It seems that the authenticate method will first check that the user (with the specified username) can be loaded, next it will check the status of this user, such as whether the account is disabled, locked etc. Then it will check the password.

I would propose that maybe the disabled/locked checks should come AFTER the password check. I am currently able to determine the status of an account without knowing the password and I would rather that the system only informs a user that their account is disabled/locked if they provided the correct credentials. Need to know basis....

I was going to submit a patch for this but I am getting some compile errors with the latest CVS head. It seems net.sf.acegisecurity.util.MockFilterChain is missing.

Ben, Colin et al... any objections to such a change? Would you like me to issue the patch?

Thanks chaps.

Hi Wesley

The reason the locked checks occur BEFORE the password comparison is because the main purpose in locking an account is to stop brute force password attacks. If say 5 invalid passwords are received, an ApplicationListener can set that user's account to locked. Then the sixth password attempt will be responded to with LockedException instead of BadCredentialsException. The pairing of disabled checking alongside the locked checking was done because initially we only recognised disabled accounts (not locked accounts). Locking was added to make the exception reporting more granular.

Cheers
Ben
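The two orderings discussed in this thread, as an added example that is not part of either message and not Acegi Security's own code: a small Python model of a DaoAuthenticationProvider-style flow (load user, status checks, password check) with a listener that locks an account after five failures, as Ben describes. The user names, passwords, the lock threshold of five and the choice to report an unknown user as bad credentials are assumptions made for the simulation. Running it side by side shows both points raised: with status checks first, a caller learns that an account is disabled or locked without a valid password (Wesley's concern), but once the lock trips every further guess gets the same LockedException; with the password checked first, a locked account still answers BadCredentialsException for a wrong guess and LockedException for the right one, so the lock no longer stops a guessing attack from confirming the password (Ben's reason for the current order).

```python
import hmac
from dataclasses import dataclass, field

class AuthenticationException(Exception):
    """Base of the exception family the thread discusses."""

class BadCredentialsException(AuthenticationException): ...
class LockedException(AuthenticationException): ...
class DisabledException(AuthenticationException): ...

@dataclass
class UserDetails:
    username: str
    password: bytes  # constructed plaintext for this simulation only
    enabled: bool = True
    account_non_locked: bool = True

@dataclass
class LockoutListener:
    """Stand-in for the ApplicationListener Ben describes: lock after N failures."""
    threshold: int = 5
    failures: dict = field(default_factory=dict)

    def on_failure(self, user):
        count = self.failures.get(user.username, 0) + 1
        self.failures[user.username] = count
        if count >= self.threshold:
            user.account_non_locked = False

    def on_success(self, user):
        self.failures.pop(user.username, None)

def make_store():
    """Constructed sample users; names and passwords are hypothetical."""
    return {"alice": UserDetails("alice", b"s3cret"),
            "bob": UserDetails("bob", b"hunter2", enabled=False)}

def check_status(user):
    if not user.account_non_locked:
        raise LockedException("User account is locked")
    if not user.enabled:
        raise DisabledException("User is disabled")

def check_password(user, presented):
    # Constant-time compare; a real provider compares salted hashes instead.
    if not hmac.compare_digest(user.password, presented):
        raise BadCredentialsException("Bad credentials")

def authenticate(store, listener, username, presented, status_first=True):
    """One attempt. status_first=True is the ordering Ben defends (load user,
    locked/disabled checks, then password); False is Wesley's proposal."""
    user = store.get(username)
    if user is None:
        # Assumption for this model: unknown users are reported as bad credentials.
        raise BadCredentialsException("Bad credentials")
    if status_first:
        check_status(user)
    try:
        check_password(user, presented)
    except BadCredentialsException:
        listener.on_failure(user)
        raise
    if not status_first:
        check_status(user)
    listener.on_success(user)
    return user

def probe(username, attempts, status_first):
    """Fresh store and listener per run; returns each attempt's outcome name."""
    store, listener = make_store(), LockoutListener()
    outcomes = []
    for pw in attempts:
        try:
            authenticate(store, listener, username, pw, status_first)
            outcomes.append("OK")
        except AuthenticationException as exc:
            outcomes.append(type(exc).__name__)
    return outcomes

def run_scenarios():
    # Five wrong guesses trip the lock, then one more wrong guess, then the right password.
    guesses = [b"wrong"] * 6 + [b"s3cret"]
    return {
        # Ben's ordering: once locked every answer is LockedException, so the
        # correct seventh guess looks exactly like the wrong sixth one.
        "status_first": probe("alice", guesses, True),
        # Wesley's ordering: a locked account still answers BadCredentials or
        # LockedException, which tells the guesser which password was right.
        "password_first": probe("alice", guesses, False),
        # Wesley's concern: status-first reveals a disabled account without a password.
        "disabled_status_first": probe("bob", [b"wrong"], True),
        "disabled_password_first": probe("bob", [b"wrong"], False),
    }
```

Calling `run_scenarios()` returns the outcome sequence for each ordering; the design choice it illustrates is that the lock is only an effective brute-force stop if it is consulted before any comparison whose result depends on the presented password.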



_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer