Authentication in Active Directory with unknown user name: wrong logging?

    We are using Spring Security 3.1.3 (but the latest version in the GitHub master branch does not contain any different code on this topic) for authentication in a (Windows) Active Directory (AD) setting. We want to authenticate a user in the AD and take care of roles and authorization with ACLs in the application itself (using Spring as well).
    Whenever a user wants to log in and thus authenticate himself, we call the ActiveDirectoryLdapAuthenticationProvider.authenticate(Authentication authentication) method, which internally calls the doAuthentication(UsernamePasswordAuthenticationToken auth) method.
    If the credentials are correct, everything's fine. But when we tried to log in with an unknown user name (and a random password), the doAuthentication method did not only throw a BadCredentialsException, as expected, but additionally wrote errors including stack traces into the log file. As can be seen in the code (see GitHub), the exception is thrown and additionally logging is done:
    try {
        return searchForUser(ctx, username);
    } catch (NamingException e) {
        logger.error("Failed to locate directory entry for authenticated user: " + username, e);
        throw badCredentials(e);
    } finally {
        // ... (rest of the finally block not quoted here)
    }
    There are some things that bug me about this:
    First, the error message might cause wrong conclusions, since the user is most probably _not_ authenticated, but simply unknown or provided bad credentials. Second, I'd very much prefer to either have some logging output or get an exception, not both at the same time.

    Thus, I'd like to know:
    1. Is there a way to suppress this very logging output, since we already deal with the exception thrown internally? We are using logback for logging purposes.
    2. Would you agree that the error message is at least misleading and the behavior should be somehow different?

    Thanks in advance,
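A logback configuration that addresses the first question, added here as an example and not taken from the post or from Spring Security itself. It assumes the provider's fully qualified class name from Spring Security 3.1 as the logger name and an auth-failures.log file path; the failed-login events are kept on one line each (no stack trace) in a separate file so they still serve as a detection signal for repeated attempts, while the main application log is no longer polluted.

```xml
<configuration>
  <!-- Normal application log; the provider's ERROR events no longer reach it. -->
  <appender name="APP" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} %-5level %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Dedicated authentication-failure log: one line per event,
       %nopex suppresses the stack trace that the provider attaches. -->
  <appender name="AUTH" class="ch.qos.logback.core.FileAppender">
    <file>auth-failures.log</file> <!-- path is an assumption -->
    <encoder>
      <pattern>%d{ISO8601} %-5level %msg%nopex%n</pattern>
    </encoder>
  </appender>

  <!-- Route only the provider's logger to AUTH; additivity="false"
       stops the events from also propagating to the root appender. -->
  <logger name="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"
          level="ERROR" additivity="false">
    <appender-ref ref="AUTH"/>
  </logger>

  <!-- Alternative, if no output at all is wanted from that class:
       level="OFF" with no appender-ref. This also discards the
       failed-login signal that the variant above preserves.
  <logger name="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"
          level="OFF"/>
  -->

  <root level="INFO">
    <appender-ref ref="APP"/>
  </root>
</configuration>
```

Note that the message text itself ("... for authenticated user: ...") comes from the provider and cannot be changed by configuration; only the second question, about the wording, remains for the Spring Security maintainers.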