  • Status before credentials?

    I have a question about the order of events in AbstractUserDetailsAuthenticationProvider, and also about authentication in general. It's related to this code:

    Code:
        preAuthenticationChecks(user);

        // This check must come here, as we don't want to tell users
        // about account status unless they presented the correct credentials
        try {
            additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
        } catch (AuthenticationException exception) {

    That comment "This check must come here, as we don't want to tell users about account status unless they presented the correct credentials" doesn't seem to describe what is being done. And I see the same thing in Acegi Security 1.0.6. Rather than doing what the comment says, it checks status and throws exceptions (preAuthenticationChecks) _before_ it checks credentials (additionalAuthenticationChecks), at least in the DaoAuthenticationProvider case.

    I think I agree with the comment rather than the code. Am I missing something?

    Also on these lines, and why I was looking at this, I'd like to have a secure DAO layer. That is, at least for my needs, I don't think it should be possible to ask a UserDetailsService for user details without presenting the credentials simultaneously. That is, just like the LDAP implementation uses the password for retrieveUser (earlier in code than the above snip), I'd like to use the password for DAO cases.

    I can work around this with little code by subclassing DaoAuthenticationProvider. I'm just asking about why this model was made generally. Summary of my two questions:

    1. Should the credentials be checked before checking status?
    2. Should DaoAuthenticationProvider.retrieveUser() be more credentials-oriented (and therefore also passing credentials into UserDetailsService).

    Thanks for any pointers on this topic.
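    As an added illustration, not code from this thread or from Spring Security: a constructed Java stand-in for the provider's authenticate() flow with the two orderings side by side, so the difference the question is about can be observed directly. The class name, the user records and the passwords are made up; the exception classes only mimic the names used in the real framework.

    ```java
    import java.util.Map;

    // Constructed stand-in for the provider's authenticate() flow; all names, users and
    // passwords here are made up for the demonstration and are not Spring Security code.
    public class CheckOrderDemo {
        static class AuthenticationException extends RuntimeException {}
        static class LockedException extends AuthenticationException {}
        static class BadCredentialsException extends AuthenticationException {}
        static final class User {
            final String password; final boolean locked;
            User(String password, boolean locked) { this.password = password; this.locked = locked; }
        }
        // Constructed sample store: bob's account is locked.
        static final Map<String, User> USERS = Map.of("alice", new User("s3cret", false),
                                                      "bob", new User("hunter2", true));
        static void preAuthenticationChecks(User user) {
            if (user.locked) throw new LockedException();
        }
        static void additionalAuthenticationChecks(User user, String presented) {
            if (!user.password.equals(presented)) throw new BadCredentialsException();
        }

        // Ordering as in the snippet quoted above: status checks run before the password is compared.
        static String authenticateStatusFirst(String username, String presented) {
            User user = USERS.get(username);
            if (user == null) throw new BadCredentialsException();
            preAuthenticationChecks(user);
            additionalAuthenticationChecks(user, presented);
            return username;
        }

        // Ordering the quoted comment describes: compare the password first, then report status.
        static String authenticateCredentialsFirst(String username, String presented) {
            User user = USERS.get(username);
            if (user == null) throw new BadCredentialsException();
            additionalAuthenticationChecks(user, presented);
            preAuthenticationChecks(user);
            return username;
        }

        // What the caller observes: "ok" or the exception class it received.
        static String outcome(Runnable attempt) {
            try { attempt.run(); return "ok"; }
            catch (AuthenticationException e) { return e.getClass().getSimpleName(); }
        }

        public static void main(String[] args) {
            // Same wrong password against the locked account, under each ordering.
            System.out.println("status first:      " + outcome(() -> authenticateStatusFirst("bob", "wrong")));
            System.out.println("credentials first: " + outcome(() -> authenticateCredentialsFirst("bob", "wrong")));
            System.out.println("correct password:  " + outcome(() -> authenticateCredentialsFirst("bob", "hunter2")));
        }
    }
    ```

    Under the status-first ordering the locked state is reported regardless of the password presented; under the credentials-first ordering it is reported only once the password matches.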

  • #2
    Originally posted by tompalmer:

        1. Should the credentials be checked before checking status?

    http://forum.springframework.org/showthread.php?t=49166

        2. Should DaoAuthenticationProvider.retrieveUser() be more credentials-oriented (and therefore also passing credentials into UserDetailsService).

    The UserDetailsService is intended to retrieve the data for use by the authentication provider, which actually performs the authentication. There may be situations where you may need more information for this than just the username, but I'm not clear why you think it would be more secure.

    • #3
      Thanks for the link on status-before-password. I had done some Googling but not explicit searching in the forum or JIRA. Apologies for missing that.

      Concerning the UserDetailsService, it's not about security as a whole system but more about security at the data access layer independently of Spring Security. That is, it would be nice to have the data access layer require a secret before exposing data.
