Acegi 1.0.3: Should UsernamePasswordAuthenticationToken accept null parameters?

[JimR]

The reason I ask is because this results in a NullPointerException in "DaoAuthenticationProvider.additionalAuthenticatio nChecks()" on line 60, when I pass a valid username, and a null password.

Version info: Acegi 1.0.3, Spring 2.0, using an InMemoryDaoImpl and a programatic authentication.

The null pointer is caused when the DaoAuthenticationProvider gets the credentials from the authentication object, and then runs a .toString() on it.

Here's a code snippet:

AuthenticationManager authManager = (AuthenticationManager)applicationContext.getBean( "authenticationManager");
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken("validUsername ", null);
authManager.authenticate(authenticationToken); // null pointer exception

If anyone would like more details, or complete test code, let me know.

Jim

[karldmoore]

It would be worth checking JIRA to see if this has already been entered. Although it shouldn't happen it would be good to check it. AuthenticationProcessingFilter actually checks for a null and sets it to empty String.
http://www.acegisecurity.org/multipr...ingFilter.html

[JimR]

I did not find an existing issue so I have created a new one: http://opensource.atlassian.com/proj...browse/SEC-434

Regards,
Jim