diff --git a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
index 7ea66ad300..f8fa4d02a3 100644
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@@ -59,9 +59,17 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 if (this.saltSource != null) {
 salt = this.saltSource.getSalt(userDetails);
 }
+
+ if (authentication.getCredentials() == null) {
+ throw new BadCredentialsException(messages.getMessage(
+ "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
+ includeDetailsObject ? userDetails : null);
+ }
+
+ String presentedPassword = authentication.getCredentials() == null ? "" : authentication.getCredentials().toString();
 
 if (!passwordEncoder.isPasswordValid(
- userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {
+ userDetails.getPassword(), presentedPassword, salt)) {
 throw new BadCredentialsException(messages.getMessage(
 "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
 includeDetailsObject ? userDetails : null);
diff --git a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
index 9a35690cb4..b5cbe19b3f 100644
--- a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
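Review bot: The ternary on the added `String presentedPassword` line is dead code: the guard a few lines above has already thrown `BadCredentialsException` when `getCredentials()` is null, so the `? ""` branch can never be taken, and keeping two different answers to the same null (reject vs. treat as empty password) will make a later reader wonder which one is the real defence. I would fold the two checks into one so the failure path is constructed once: `Object credentials = authentication.getCredentials();` then `if (credentials == null || !passwordEncoder.isPasswordValid(userDetails.getPassword(), credentials.toString(), salt)) {` followed by the existing `throw new BadCredentialsException(...)`; that also calls `getCredentials()` once instead of three times. Mapping a null credential to `BadCredentialsException` rather than letting the NPE escape is the right security outcome, since an unchecked exception from inside the provider would presumably surface as a server error rather than an ordinary authentication failure. The enclosing method's signature and tail lie outside this hunk.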
@@ -78,6 +78,21 @@ public class DaoAuthenticationProviderTests extends TestCase { } } + public void testReceivedBadCredentialsWhenCredentialsNotProvided() { + // Test related to SEC-434 + DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); + provider.setUserDetailsService(new MockAuthenticationDaoUserMarissa()); + provider.setUserCache(new MockUserCache()); + + UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken("marissa", null); + try { + provider.authenticate(authenticationToken); // null pointer exception + fail("Expected BadCredenialsException"); + } catch (BadCredentialsException expected) { + assertTrue(true); + } + } + public void testAuthenticateFailsIfAccountExpired() { UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal");