Reorder DaoAuthenticationProvider exception logic as per developer list discussion.

2005-05-18 01:40:45 +00:00 · 2005-05-18 01:40:45 +00:00 · cfb8271826
parent ecbfac2ff8
commit cfb8271826
2 changed files with 20 additions and 19 deletions
--- a/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/dao/DaoAuthenticationProvider.java
@ -237,24 +237,6 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
            }
        }

-        if (!user.isEnabled()) {
-            if (this.context != null) {
-                context.publishEvent(new AuthenticationFailureDisabledEvent(
-                        authentication, user));
-            }
-
-            throw new DisabledException("User is disabled");
-        }
-
-        if (!user.isAccountNonExpired()) {
-            if (this.context != null) {
-                context.publishEvent(new AuthenticationFailureAccountExpiredEvent(
-                        authentication, user));
-            }
-
-            throw new AccountExpiredException("User account has expired");
-        }
-
        if (!user.isAccountNonLocked()) {
            if (this.context != null) {
                context.publishEvent(new AuthenticationFailureAccountLockedEvent(
@ -281,7 +263,25 @@ public class DaoAuthenticationProvider implements AuthenticationProvider,
            }
        }

-        if (!user.isCredentialsNonExpired()) {
+        if (!user.isEnabled()) {
+            if (this.context != null) {
+                context.publishEvent(new AuthenticationFailureDisabledEvent(
+                        authentication, user));
+            }
+
+            throw new DisabledException("User is disabled");
+        }
+
+        if (!user.isAccountNonExpired()) {
+            if (this.context != null) {
+                context.publishEvent(new AuthenticationFailureAccountExpiredEvent(
+                        authentication, user));
+            }
+
+            throw new AccountExpiredException("User account has expired");
+        }
+
+		if (!user.isCredentialsNonExpired()) {
            if (this.context != null) {
                context.publishEvent(new AuthenticationFailureCredentialsExpiredEvent(
                        authentication, user));
--- a/doc/xdocs/changes.xml
+++ b/doc/xdocs/changes.xml
@ -26,6 +26,7 @@
  </properties>
  <body>
    <release version="0.9.0" date="In CVS">
+      <action dev="benalex" type="update">Reorder DaoAuthenticationProvider exception logic as per developer list discussion</action>        
      <action dev="benalex" type="update">ContextHolder refactored and replaced by SecurityContextHolder</action>        
      <action dev="benalex" type="fix">Made AclEntry Serializable (correct issue with BasicAclEntryCache)</action>        
      <action dev="luke_t" type="update">Changed order of credentials verification and expiry checking in DaoAuthenticationProvider. Password must now be successfully verified before expired credentials are reported. </action>