From c29a5731be2cae5040213720f009863e7b9c7cbd Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Mon, 25 Apr 2005 23:11:12 +0000
Subject: [PATCH] Moved credential expiry checking after password check. If the wrong password is presented, BadCredentialsException will now be thrown even if the password has expired.
---
.../dao/DaoAuthenticationProvider.java | 20 +++++++++----------
.../dao/DaoAuthenticationProviderTests.java | 10 ++++++++++
2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
index a8ba4355e8..b9d5ce16f4 100644
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@@ -264,16 +264,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
throw new LockedException("User account is locked");
}
- if (!user.isCredentialsNonExpired()) {
if (this.context != null) {
context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
authentication, user));
}
-
throw new CredentialsExpiredException(
"User credentials have expired");
}
-
if (!isPasswordCorrect(authentication, user)) {
// Password incorrect, so ensure we're using most current password
if (cacheWasUsed) {
@@ -291,6 +281,16 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
}
}
+ if (!user.isCredentialsNonExpired()) {
if (this.context != null) {
context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
authentication, user));
}
+
throw new CredentialsExpiredException(
"User credentials have expired");
}
+
if (!cacheWasUsed) {
// Put into cache
this.userCache.putUserInCache(user);
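Review bot: The moved `user.isCredentialsNonExpired()` check at the start of the second hunk carries no comment recording why it must stay after `isPasswordCorrect`, so a later tidy-up could hoist it back above the password check and quietly reintroduce the disclosure this commit removes. I would put above it: `// Deliberately evaluated only after the password has been verified: a caller presenting a wrong password must receive BadCredentialsException and learn nothing about whether the account's credentials have expired.` Note that the `LockedException` thrown just before the first hunk still fires before the password is checked, so an unauthenticated caller can still tell a locked account from a bad password; if that is intentional (no password work for locked accounts), a one-line comment there would make the asymmetry explicit rather than accidental. The enclosing method starts before the first hunk and its wrong-password branch is cut off inside it.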
diff --git a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
index 40281275df..fea35f15b8 100644
--- a/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/dao/DaoAuthenticationProviderTests.java
@@ -154,6 +154,16 @@ public class DaoAuthenticationProviderTests extends TestCase {
} catch (CredentialsExpiredException expected) {
assertTrue(true);
}
+
+ // Check that wrong password causes BadCredentialsException, rather than CredentialsExpiredException
token = new UsernamePasswordAuthenticationToken("peter", "wrong_password");
+
try {
provider.authenticate(token);
fail("Should have thrown BadCredentialsException");
} catch (BadCredentialsException expected) {
assertTrue(true);
}
}
public void testAuthenticateFailsIfUserDisabled() {
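Review bot: The new test pins only the exception type; it does not assert that the wrong-password path no longer publishes `AuthenticationFailureCredentialsExpiredEvent`, which is the other observable effect of the reordering in the main file. If the provider under test has an application context wired in (not visible in this hunk), registering a listener and asserting that no credentials-expired event arrives for the `"peter"`/`"wrong_password"` attempt would cover it; otherwise a short comment noting that event publication is not exercised here would be worthwhile. The `assertTrue(true)` in the new catch block is a no-op, since the preceding `fail(...)` already enforces that the exception is thrown — a bare `// expected` comment in the catch body would read more clearly. The enclosing test method begins before this hunk.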