Mar 13th, 2006, 10:31 AM
"Bad Credential" error instead of "User is Disabled"
I have a usual Acegi security setup, where JdbcDaoImpl provides access to a user table - all works fine except for the glitch where a valid username/password and enabled=false produces a Bad Credentials error, instead of User is disabled.
If I set a disabled user via memory dao, all is fine - the correct exception is shown (User is Disabled). However, jdbc dao does not work. If I set the enabled flag to true - the user is logged in OK via jdbc dao. But with enabled=false I can't log in due to a Bad Credentials error...
So if it is working with enabled = true, why does it not throw "User is disabled" when enabled = false? Has anyone encountered this behavior before?
Mar 13th, 2006, 10:57 AM
I just looked through the DaoAuthenticationProvider source code - there are some additional security checks which employ a password encoder and salt - can this be a problem?
Although the passwords are encoded with the same salt and encoder as the one injected into authentication provider...
Mar 13th, 2006, 11:17 AM
Talking to myself here...
If anyone is interested - the issue is caused by a chain of authentication providers. It seems that the order of providers determines the error in the end - I had memory and jdbc daos; if jdbc was first, Bad Credentials was shown, if last, User is Disabled...
Is this behavior specified somehow?!
Apr 14th, 2006, 04:34 AM
JavaDocs for ProviderManager explain the chaining process.
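A minimal model of that chaining, added here as an illustration and not code from Acegi or from this thread: the manager tries each provider in turn, remembers the most recent exception, and throws it only after the whole list has been tried, so the last provider that rejects the user decides which message the caller sees. The provider and exception classes below are simplified stand-ins constructed for the example, not Acegi's own types.

```java
import java.util.*;

public class ProviderOrderDemo {
    // Simplified stand-ins for the Acegi exception types (constructed for this example).
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String m) { super(m); }
    }
    static class BadCredentialsException extends AuthenticationException {
        BadCredentialsException() { super("Bad credentials"); }
    }
    static class DisabledException extends AuthenticationException {
        DisabledException() { super("User is disabled"); }
    }

    interface Provider { void authenticate(String user, String password); }

    // Provider backed by a map of user -> {password, enabled}: unknown user or wrong
    // password gives BadCredentials, a stored enabled=false gives Disabled.
    static Provider mapProvider(Map<String, String[]> users) {
        return (user, password) -> {
            String[] rec = users.get(user);
            if (rec == null || !rec[0].equals(password)) throw new BadCredentialsException();
            if (!Boolean.parseBoolean(rec[1])) throw new DisabledException();
        };
    }

    // Models the manager's loop: first success wins; otherwise the last exception
    // seen in the chain is the one rethrown, so provider order changes the message.
    static void authenticate(List<Provider> chain, String user, String password) {
        AuthenticationException last = null;
        for (Provider p : chain) {
            try { p.authenticate(user, password); return; }
            catch (AuthenticationException e) { last = e; }
        }
        if (last == null) throw new AuthenticationException("No provider handled the request");
        throw last;
    }

    public static void main(String[] args) {
        // Constructed data: "alice" exists only in the jdbc-like provider and is disabled.
        Provider memory = mapProvider(Map.of("admin", new String[]{"secret", "true"}));
        Provider jdbc   = mapProvider(Map.of("alice", new String[]{"pw", "false"}));
        for (List<Provider> chain : List.of(List.of(jdbc, memory), List.of(memory, jdbc))) {
            try { authenticate(chain, "alice", "pw"); }
            catch (AuthenticationException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

With the chain ordered [jdbc, memory] the in-memory provider rejects the unknown user last and Bad credentials is reported; ordered [memory, jdbc] the disabled check runs last and User is disabled is reported, which is the behaviour described in the thread.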