From 6ea889913486cb5737419ccffa075d28fcef0393 Mon Sep 17 00:00:00 2001
From: Ben Alex <ben.alex@springsource.com>
Date: Thu, 24 May 2007 00:47:12 +0000
Subject: [PATCH]

---
 .../providers/dao/DaoAuthenticationProvider.java  | 10 +++++++++-
 .../dao/DaoAuthenticationProviderTests.java       | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
index 7ea66ad300..f8fa4d02a3 100644
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@@ -59,9 +59,17 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
         if (this.saltSource != null) {
             salt = this.saltSource.getSalt(userDetails);
         }
+        
+        if (authentication.getCredentials() == null) {
+            throw new BadCredentialsException(messages.getMessage(
+                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
+                    includeDetailsObject ? userDetails : null);
+        }
+        
+        String presentedPassword = authentication.getCredentials() == null ? "" : authentication.getCredentials().toString();
 
         if (!passwordEncoder.isPasswordValid(
-                userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {
+                userDetails.getPassword(), presentedPassword, salt)) {
             throw new BadCredentialsException(messages.getMessage(
                     "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"),
                     includeDetailsObject ? userDetails : null);
diff --git a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
index 9a35690cb4..b5cbe19b3f 100644
--- a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
@@ -78,6 +78,21 @@ public class DaoAuthenticationProviderTests extends TestCase {
         }
     }
 
+    public void testReceivedBadCredentialsWhenCredentialsNotProvided() {
+    	// Test related to SEC-434
+        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+        provider.setUserDetailsService(new MockAuthenticationDaoUserMarissa());
+        provider.setUserCache(new MockUserCache());
+
+    	UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken("marissa", null);
+    	try {
+    		provider.authenticate(authenticationToken); // null pointer exception
+    		fail("Expected BadCredenialsException");
+    	} catch (BadCredentialsException expected) {
+    		assertTrue(true);
+    	}
+    }
+    
     public void testAuthenticateFailsIfAccountExpired() {
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal");