SEC-1187: Moved pre-authentication status check inside try/catch block and repeated the call after reloading the user during the "cacheWasUsed" logic.

17 years ago · 6b53703e37
1 changed files with 3 additions and 3 deletions
--- a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
@ -135,16 +135,16 @@ public abstract class AbstractUserDetailsAuthenticationProvider implements Authe
				@@ -135,16 +135,16 @@ public abstract class AbstractUserDetailsAuthenticationProvider implements Authe
            Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
        }

-        preAuthenticationChecks.check(user);
-
        try {
+            preAuthenticationChecks.check(user);
            additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
        } catch (AuthenticationException exception) {
            if (cacheWasUsed) {
                // There was a problem, so try again after checking
-                // we're using latest data (ie not from the cache)
+                // we're using latest data (i.e. not from the cache)
                cacheWasUsed = false;
                user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
+                preAuthenticationChecks.check(user);
                additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
            } else {
                throw exception;