SEC-1938: Add ActiveDirectoryAuthenticationException as caused by for ActiveDirectoryAuthenticationProvider

Previously there was no way to extract the original exception or to easily obtain details about the failure if Spring Security was not able to translate the exception into a Spring Security AuthenticationException. Now the caused by is an ActiveDirectoryAuthenticationException which contains the original Active Directory error code.
14 years ago · 37aed0660d
3 changed files with 120 additions and 10 deletions
--- a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryAuthenticationException.java
@ -0,0 +1,48 @@
				@@ -0,0 +1,48 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.ldap.authentication.ad;
+
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ * <p>
+ * Thrown as a translation of an {@link javax.naming.AuthenticationException} when attempting to authenticate against
+ * Active Directory using {@link ActiveDirectoryLdapAuthenticationProvider}. Typically this error is wrapped by an
+ * {@link AuthenticationException} since it does not provide a user friendly message. When wrapped, the original
+ * Exception can be caught and {@link ActiveDirectoryAuthenticationException} can be accessed using
+ * {@link AuthenticationException#getCause()} for custom error handling.
+ * </p>
+ * <p>
+ * The {@link #getDataCode()} will return the error code associated with the data portion of the error message. For
+ * example, the following error message would return 773 for {@link #getDataCode()}.
+ * </p>
+ *
+ * <pre>
+ * javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece ]
+ * </pre>
+ *
+ * @author Rob Winch
+ */
+@SuppressWarnings("serial")
+public final class ActiveDirectoryAuthenticationException extends AuthenticationException {
+    private final String dataCode;
+
+    ActiveDirectoryAuthenticationException(String dataCode, String message, Throwable cause) {
+        super(message, cause);
+        this.dataCode = dataCode;
+    }
+
+    public String getDataCode() {
+        return dataCode;
+    }
+}
--- a/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProvider.java
@ -1,3 +1,15 @@
				@@ -1,3 +1,15 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
 package org.springframework.security.ldap.authentication.ad;

 import org.springframework.ldap.core.DirContextOperations;
@ -61,6 +73,7 @@ import java.util.regex.Pattern;
				@@ -61,6 +73,7 @@ import java.util.regex.Pattern;
 * {@code true}, the codes will also be used to control the exception raised.
 *
 * @author Luke Taylor
+ * @author Rob Winch
 * @since 3.1
 */
 public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLdapAuthenticationProvider {
@ -115,7 +128,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
				@@ -115,7 +128,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda

        } catch (NamingException e) {
            logger.error("Failed to locate directory entry for authenticated user: " + username, e);
-            throw badCredentials();
+            throw badCredentials(e);
        } finally {
            LdapUtils.closeContext(ctx);
        }
@ -165,7 +178,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
				@@ -165,7 +178,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
        } catch (NamingException e) {
            if ((e instanceof AuthenticationException) || (e instanceof OperationNotSupportedException)) {
                handleBindException(bindPrincipal, e);
-                throw badCredentials();
+                throw badCredentials(e);
            } else {
                throw LdapUtils.convertLdapException(e);
            }
@ -183,7 +196,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
				@@ -183,7 +196,7 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
            logger.info("Active Directory authentication failed: " + subCodeToLogMessage(subErrorCode));

            if (convertSubErrorCodesToExceptions) {
-                raiseExceptionForErrorCode(subErrorCode);
+                raiseExceptionForErrorCode(subErrorCode, exception);
            }
        } else {
            logger.debug("Failed to locate AD-specific sub-error code in message");
@ -200,20 +213,24 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
				@@ -200,20 +213,24 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
        return -1;
    }

-    void raiseExceptionForErrorCode(int code) {
+    void raiseExceptionForErrorCode(int code, NamingException exception) {
+        String hexString = Integer.toHexString(code);
+        Throwable cause = new ActiveDirectoryAuthenticationException(hexString, exception.getMessage(), exception);
        switch (code) {
            case PASSWORD_EXPIRED:
                throw new CredentialsExpiredException(messages.getMessage("LdapAuthenticationProvider.credentialsExpired",
-                        "User credentials have expired"));
+                        "User credentials have expired"), cause);
            case ACCOUNT_DISABLED:
                throw new DisabledException(messages.getMessage("LdapAuthenticationProvider.disabled",
-                        "User is disabled"));
+                        "User is disabled"), cause);
            case ACCOUNT_EXPIRED:
                throw new AccountExpiredException(messages.getMessage("LdapAuthenticationProvider.expired",
-                        "User account has expired"));
+                        "User account has expired"), cause);
            case ACCOUNT_LOCKED:
                throw new LockedException(messages.getMessage("LdapAuthenticationProvider.locked",
-                        "User account is locked"));
+                        "User account is locked"), cause);
+            default:
+                throw badCredentials(cause);
        }
    }

@ -245,6 +262,10 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
				@@ -245,6 +262,10 @@ public final class ActiveDirectoryLdapAuthenticationProvider extends AbstractLda
                        "LdapAuthenticationProvider.badCredentials", "Bad credentials"));
    }

+    private BadCredentialsException badCredentials(Throwable cause) {
+        return (BadCredentialsException) badCredentials().initCause(cause);
+    }
+
    private DirContextOperations searchForUser(DirContext ctx, String username) throws NamingException {
        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
--- a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
+++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java
@ -1,10 +1,27 @@
				@@ -1,10 +1,27 @@
+/*
+ * Copyright 2002-2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
 package org.springframework.security.ldap.authentication.ad;

 import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 import static org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.ContextFactory;

+import org.hamcrest.BaseMatcher;
+import org.hamcrest.CoreMatchers;
+import org.hamcrest.Description;
+import org.hamcrest.Matcher;
 import org.junit.*;
+import org.junit.rules.ExpectedException;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DistinguishedName;
 import org.springframework.security.authentication.AccountExpiredException;
@ -29,8 +46,12 @@ import java.util.*;
				@@ -29,8 +46,12 @@ import java.util.*;

 /**
 * @author Luke Taylor
+ * @author Rob Winch
 */
 public class ActiveDirectoryLdapAuthenticationProviderTests {
+    @Rule
+    public ExpectedException thrown = ExpectedException.none();
+
    ActiveDirectoryLdapAuthenticationProvider provider;
    UsernamePasswordAuthenticationToken joe = new UsernamePasswordAuthenticationToken("joe", "password");

@ -127,10 +148,30 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
				@@ -127,10 +148,30 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
        provider.authenticate(joe);
    }

-    @Test(expected = BadCredentialsException.class)
+    @Test
    public void passwordNeedsResetIsCorrectlyMapped() {
-        provider.contextFactory = createContextFactoryThrowing(new AuthenticationException(msg + "773, xxxx]"));
+        final String dataCode = "773";
+        provider.contextFactory = createContextFactoryThrowing(new AuthenticationException(msg + dataCode+", xxxx]"));
        provider.setConvertSubErrorCodesToExceptions(true);
+
+        thrown.expect(BadCredentialsException.class);
+        thrown.expect(new BaseMatcher<BadCredentialsException>() {
+            private Matcher<Object> causeInstance = CoreMatchers.instanceOf(ActiveDirectoryAuthenticationException.class);
+            private Matcher<String> causeDataCode = CoreMatchers.equalTo(dataCode);
+            public boolean matches(Object that) {
+                Throwable t = (Throwable) that;
+                ActiveDirectoryAuthenticationException cause = (ActiveDirectoryAuthenticationException) t.getCause();
+                return causeInstance.matches(cause) && causeDataCode.matches(cause.getDataCode());
+            }
+
+            public void describeTo(Description desc) {
+                desc.appendText("getCause() ");
+                causeInstance.describeTo(desc);
+                desc.appendText("getCause().getDataCode() ");
+                causeDataCode.describeTo(desc);
+            }
+        });
+
        provider.authenticate(joe);
    }