From 13c5750f5d58994276b6241484fa9e9b8a7df1f4 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Thu, 24 Apr 2014 17:03:34 -0500
Subject: [PATCH] SEC-2571: Improve wording of
 UsernamePasswordAuthenticationToken#setAuthenticated() error

---
 .../authentication/UsernamePasswordAuthenticationToken.java    | 2 +-
 .../UsernamePasswordAuthenticationTokenTests.java              | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java b/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
index 2e4181f203..89e181ddd2 100644
--- a/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java
@@ -85,7 +85,7 @@ public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationT
     public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
         if (isAuthenticated) {
             throw new IllegalArgumentException(
-                "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
+                "Once created you cannot set this token to authenticated. Create a new instance using the constructor which takes a GrantedAuthority list will mark this as authenticated.");
         }
 
         super.setAuthenticated(false);
diff --git a/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java b/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java
index d0218727be..7c38a535d3 100644
--- a/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java
@@ -15,6 +15,7 @@
 
 package org.springframework.security.authentication;
 
+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -58,6 +59,8 @@ public class UsernamePasswordAuthenticationTokenTests {
             token.setAuthenticated(true);
             fail("Should have prohibited setAuthenticated(true)");
         } catch (IllegalArgumentException expected) {
+            // SEC-2540
+            assertThat(expected).hasMessage("Once created you cannot set this token to authenticated. Create a new instance using the constructor which takes a GrantedAuthority list will mark this as authenticated.");
         }
     }