From 5364db2c27b4954d035edb610d213ce503f9624c Mon Sep 17 00:00:00 2001
From: Ben Alex
Date: Fri, 15 Sep 2006 03:36:51 +0000
Subject: [PATCH] SEC-328: Avoid unnecessarily hitting backend a second time, if the cache wasn't used in first place.
---
 .../AbstractUserDetailsAuthenticationProvider.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/AbstractUserDetailsAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/dao/AbstractUserDetailsAuthenticationProvider.java
index 11772b5762..ae109ed193 100644
--- a/core/src/main/java/org/acegisecurity/providers/dao/AbstractUserDetailsAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/AbstractUserDetailsAuthenticationProvider.java
@@ -145,10 +145,15 @@ public abstract class AbstractUserDetailsAuthenticationProvider implements Authe
 try {
 additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
 } catch (AuthenticationException exception) {
- // There was a problem, so try again after checking we're using latest data
- cacheWasUsed = false;
- user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
- additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
+ if(cacheWasUsed) {
+ // There was a problem, so try again after checking
+ // we're using latest data (ie not from the cache)
+ cacheWasUsed = false;
+ user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
+ additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
+ } else {
+ throw exception;
+ }
 }
 if (!user.isCredentialsNonExpired()) {
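Review bot: The retry inside the new `if(cacheWasUsed)` branch calls `retrieveUser` directly, without whatever `UsernameNotFoundException` handling the first lookup presumably has (the enclosing method starts before this hunk, so that cannot be confirmed here); if the account was removed after the cache entry was populated, the raw not-found exception would escape from this path rather than being translated the way the initial lookup's is, which matters wherever the provider is configured to hide user-not-found results from callers. Consider wrapping the retry in the same catch as the first lookup, or moving both lookups into one private helper so they cannot diverge. Separately, `if(cacheWasUsed) {` should read `if (cacheWasUsed) {` to match the spacing of the surrounding `if (!user.isCredentialsNonExpired()) {`. The enclosing method continues past the end of the hunk.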