SEC-1783: Can't tell the difference between no credentials and invalid credentials

[spring-projects-issues]

Paul Benedict (Migrated from SEC-1783) said:

I need to record the number of password failures for existing users. DaoAuthenticationProvider#additionalAuthenticationChecks() is where I could do this, except BadCredentialsException is thrown for both (log messages) "no credentials provided" and "password does not match stored value". There's no way to distinguish the two at runtime. There's some refactoring here that could be done. Here are my suggestions:

1. Subclass BadCredentialsException with new NoCredentialsException and InvalidCredentialsException
2. Move the call to PasswordEncoder#isPasswordValid() to a new isPasswordValid() method whose default is to call the password encoder.

Of the two choices, I prefer #1

[spring-projects-issues]

Paul Benedict said:

BTW, I grant I can subclass DaoAuthenticationProvider and check if UserDetails == null, but I'd rather defer directly to the superclass logic and catch a known exception.

[spring-projects-issues]

Luke Taylor said:

I don't really see a good reason for introducing an additional exception to differentiate between an empty password and an invalid one. They would both normally be regarded as a failure.

An event listener would be a more appropriate way of recording authentication failures and gives you access to the Authentication token, so you can take whatever action you determine appropriate based on the entered authentication data.