missing username/password exception in AuthenticationProcess
This topic is closed
  • missing username/password exception in AuthenticationProcess

    I would like to throw a MissingUsernameException or MissingPasswordException in AuthenticationProcessingFilter if either the username or the password is missing. I would also like to inject information like emptyPasswordAllowed so that I can configure it as required, or maybe whether to check for an empty username/password or not.

    Is this the right place to do that, or maybe in the authentication manager or authentication provider? If so, is this something that could be added in a core implementation? Was there a specific reason that it's not already there?

  • #2
    I would suggest doing it from your AuthenticationProvider, particularly as AbstractProcessingFilter provides custom redirect targets. I am not sure it's really required in a core implementation - what extra use cases would it enable beyond the current exceptions?

    • #3
      An empty username just does not make sense anywhere. Even anonymous authentication has an anonymous username.
      If I extend AuthenticationProcessingFilter, I can do that myself, but then I will just be rewriting the whole attemptAuthentication method. I do not want to write my own AuthenticationProvider just to achieve this. If the obtainPassword and obtainUsername methods had exceptions, I could probably override these and throw my own exception (a subclass of AuthenticationException).

      • #4
        AuthenticationException is a RuntimeException (following Spring's general philosophy that checked exceptions are mostly evil) so you should be able to throw it from anywhere.

        As Ben says, it isn't really obvious what will be gained by this approach. Do you want to inform the user that they have to enter a username/password? Most people should be aware of their login information before accessing a system and it isn't normal to give any hints to the end user about why the authentication failed.

        • #5
          I just want to avoid the full trip to my database and get the login failed although I should not even try to send the login credentials if username/password is missing.

          I cannot think of any system that can allow an empty username (except anonymous, which is being handled differently here); that's the main reason I wanted it to be part of core.

          And of course, it should be configurable so that you can decide whether to throw the exception, as some applications may allow empty passwords.

          Anyway, I guess I can use the obtainUsername and obtainPassword methods to get my work done.

          • #6
            Originally posted by gmansoor
            I just want to avoid the full trip to my database and get the login failed although I should not even try to send the login credentials if username/password is missing
            I would suggest you handle this in your AuthenticationDao implementation. If the username/password is missing, just throw UsernameNotFoundException.

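The pre-check discussed in this thread, as an added example that is not from any poster or from the framework's own code: missing credentials are rejected with an unchecked exception before the user store is queried, an `emptyPasswordAllowed` switch makes the password rule configurable, and the caller returns the same generic message for every failure. All class names are hypothetical stand-ins written for this sketch, and the user data is constructed.

```java
import java.util.Map;

public class CredentialPrecheckDemo {
    // Hypothetical unchecked exception, standing in for an AuthenticationException subclass.
    static class MissingCredentialsException extends RuntimeException {
        MissingCredentialsException(String msg) { super(msg); }
    }
    // Stand-in for the database-backed lookup; counts calls so the saved trip is visible.
    static class UserStore {
        private final Map<String, String> users = Map.of("alice", "s3cret"); // constructed data
        int lookups = 0;
        boolean matches(String username, String password) {
            lookups++;
            return password.equals(users.get(username)); // a real store compares password hashes
        }
    }
    static class PrecheckingAuthenticator {
        private final UserStore store;
        private final boolean emptyPasswordAllowed; // the configurable switch asked for in the first post
        PrecheckingAuthenticator(UserStore store, boolean emptyPasswordAllowed) {
            this.store = store;
            this.emptyPasswordAllowed = emptyPasswordAllowed;
        }
        boolean authenticate(String username, String password) {
            String user = username == null ? "" : username.trim();
            String pass = password == null ? "" : password;
            if (user.isEmpty()) throw new MissingCredentialsException("username missing");
            if (pass.isEmpty() && !emptyPasswordAllowed)
                throw new MissingCredentialsException("password missing");
            return store.matches(user, pass); // only reached with usable credentials
        }
    }
    // The specific reason stays server-side; the user sees one generic message.
    static String login(PrecheckingAuthenticator auth, String username, String password) {
        try {
            return auth.authenticate(username, password) ? "Welcome" : "Login failed";
        } catch (MissingCredentialsException e) {
            return "Login failed";
        }
    }
    public static void main(String[] args) {
        UserStore store = new UserStore();
        PrecheckingAuthenticator auth = new PrecheckingAuthenticator(store, false);
        System.out.println(login(auth, "", "s3cret"));      // rejected before any lookup
        System.out.println(login(auth, "alice", null));     // rejected before any lookup
        System.out.println(login(auth, "alice", "s3cret")); // the only call that reaches the store
        System.out.println("lookups = " + store.lookups);
    }
}
```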