Class JmixDaoAuthenticationProvider

java.lang.Object
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
org.springframework.security.authentication.dao.DaoAuthenticationProvider
io.jmix.core.security.impl.JmixDaoAuthenticationProvider
All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.authentication.AuthenticationProvider

@NullMarked public class JmixDaoAuthenticationProvider extends org.springframework.security.authentication.dao.DaoAuthenticationProvider
A DaoAuthenticationProvider that never passes a null or blank stored password to the configured PasswordEncoder.

Users without a local password (for example, users synchronized from an external identity provider such as LDAP) cannot be authenticated by this provider. For such users the credentials check fails with a regular BadCredentialsException instead of letting a delegating password encoder raise an IllegalArgumentException ("The name of the password encoder is improperly formatted or incomplete...") on a null/empty stored password.

This matters since Spring Security 6.5.10 (fix for CVE-2026-22746): the additional credentials check is now performed even when pre-authentication checks fail (see AbstractUserDetailsAuthenticationProvider.setAlwaysPerformAdditionalChecksOnUser(boolean)), and an IllegalArgumentException raised there is not treated as an authentication failure, so it aborts the whole ProviderManager chain instead of letting the next provider (e.g. the LDAP bind provider) authenticate the user.

  • Field Summary

    Fields inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

    hideUserNotFoundExceptions, logger, messages
  • Constructor Summary

    Constructors
    Constructor
    Description
    JmixDaoAuthenticationProvider(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails userDetails, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)
     

    Methods inherited from class org.springframework.security.authentication.dao.DaoAuthenticationProvider

    createSuccessAuthentication, doAfterPropertiesSet, getPasswordEncoder, getUserDetailsService, retrieveUser, setCompromisedPasswordChecker, setPasswordEncoder, setUserDetailsPasswordService

    Methods inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

    afterPropertiesSet, authenticate, getPostAuthenticationChecks, getPreAuthenticationChecks, getUserCache, isForcePrincipalAsString, isHideUserNotFoundExceptions, setAlwaysPerformAdditionalChecksOnUser, setAuthoritiesMapper, setForcePrincipalAsString, setHideUserNotFoundExceptions, setMessageSource, setPostAuthenticationChecks, setPreAuthenticationChecks, setUserCache, supports

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • JmixDaoAuthenticationProvider

      public JmixDaoAuthenticationProvider(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
  • Method Details

    • additionalAuthenticationChecks

      protected void additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails userDetails, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication) throws org.springframework.security.core.AuthenticationException
      Overrides:
      additionalAuthenticationChecks in class org.springframework.security.authentication.dao.DaoAuthenticationProvider
      Throws:
      org.springframework.security.core.AuthenticationException