"Bad Credential" error instead of "User is Disabled"
This topic is closed

  • "Bad Credential" error instead of "User is Disabled"

    Hello friends,

    I have a usual Acegi security setup, where JdbcDaoImpl provides access to a user table - all works fine except for the glitch where a valid username/password and enabled=false produces a Bad Credentials error, instead of User is disabled.

    If I set a disabled user via memory dao, all is fine - correct exception is shown (User is Disabled). However, jdbc dao does not work. If I set the enabled flag to true - user is logged in OK via jdbc dao, but enabled=false - can't log in due to Bad Credentials error...

    So if it is working with enabled = true, why does it not throw "User is disabled" when enabled = false? Has anyone encountered this behavior before?

  • #2
    I just looked through DaoAuthenticationProvider source code - there are some additional security checks which employ password encoder and salt - can this be a problem?

    Although the passwords are encoded with the same salt and encoder as the one injected into authentication provider...


    • #3
      Talking to myself here...

      If anyone is interested - the issue is caused by a chain of authentication providers. It seems that order of providers determines the error in the end - I had memory and jdbc daos, if jdbc was first - the bad credentials was shown, if last - user is disabled...

      Is this behavior specified somehow?!


      • #4
        JavaDocs for ProviderManager explain the chaining process.
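
Added example, not part of the thread and not Acegi's own code: a simplified Java model of the provider chaining that post #3 describes, assuming the manager tries each provider in order and reports whichever exception was thrown last. All class names and the alice/secret credentials are constructed for illustration.

```java
import java.util.*;

// Simplified model, not Acegi source: every class name here is a hypothetical stand-in.
public class ProviderChainDemo {
    static class AuthException extends RuntimeException {
        AuthException(String message) { super(message); }
    }
    static class BadCredentials extends AuthException { BadCredentials() { super("Bad credentials"); } }
    static class Disabled extends AuthException { Disabled() { super("User is disabled"); } }

    interface Provider { String authenticate(String user, String password); }

    // Stand-in for the JDBC-backed provider: the user exists, but enabled=false.
    static final Provider JDBC = (user, password) -> {
        if (user.equals("alice") && password.equals("secret")) throw new Disabled();
        throw new BadCredentials();
    };
    // Stand-in for the in-memory provider: it has no entry for this user at all.
    static final Provider MEMORY = (user, password) -> { throw new BadCredentials(); };

    // Assumed manager behaviour: return on the first success, otherwise
    // rethrow the exception recorded from the last provider that failed.
    static String authenticate(List<Provider> chain, String user, String password) {
        AuthException last = null;
        for (Provider provider : chain) {
            try {
                return provider.authenticate(user, password);
            } catch (AuthException e) {
                last = e; // overwrites an earlier, more specific failure
            }
        }
        throw last != null ? last : new AuthException("No provider configured");
    }

    // Runs the constructed login against a chain and returns the message the user would see.
    static String outcome(List<Provider> chain) {
        try {
            return authenticate(chain, "alice", "secret");
        } catch (AuthException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("jdbc, memory -> " + outcome(Arrays.asList(JDBC, MEMORY)));
        System.out.println("memory, jdbc -> " + outcome(Arrays.asList(MEMORY, JDBC)));
    }
}
```

Under this assumption the reported error depends only on provider order, so the provider that holds the real account records has to come last for its "User is disabled" result to reach the login page.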