Class JmixDaoAuthenticationProvider
- All Implemented Interfaces:
org.springframework.beans.factory.Aware,org.springframework.beans.factory.InitializingBean,org.springframework.context.MessageSourceAware,org.springframework.security.authentication.AuthenticationProvider
DaoAuthenticationProvider that never passes a null or blank stored password to the
configured PasswordEncoder.
Users without a local password (for example, users synchronized from an external identity provider
such as LDAP) cannot be authenticated by this provider. For such users the credentials check fails
with a regular BadCredentialsException instead of letting a delegating password encoder raise
an IllegalArgumentException ("The name of the password encoder is improperly formatted or
incomplete...") on a null/empty stored password.
This matters since Spring Security 6.5.10 (fix for CVE-2026-22746): the additional credentials check is
now performed even when pre-authentication checks fail (see
AbstractUserDetailsAuthenticationProvider.setAlwaysPerformAdditionalChecksOnUser(boolean)),
and an IllegalArgumentException raised there is not treated as an authentication failure, so it
aborts the whole ProviderManager chain instead of
letting the next provider (e.g. the LDAP bind provider) authenticate the user.
-
Field Summary
Fields inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
hideUserNotFoundExceptions, logger, messages -
Constructor Summary
ConstructorsConstructorDescriptionJmixDaoAuthenticationProvider(org.springframework.security.core.userdetails.UserDetailsService userDetailsService) -
Method Summary
Modifier and TypeMethodDescriptionprotected voidadditionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails userDetails, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication) Methods inherited from class org.springframework.security.authentication.dao.DaoAuthenticationProvider
createSuccessAuthentication, doAfterPropertiesSet, getPasswordEncoder, getUserDetailsService, retrieveUser, setCompromisedPasswordChecker, setPasswordEncoder, setUserDetailsPasswordServiceMethods inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
afterPropertiesSet, authenticate, getPostAuthenticationChecks, getPreAuthenticationChecks, getUserCache, isForcePrincipalAsString, isHideUserNotFoundExceptions, setAlwaysPerformAdditionalChecksOnUser, setAuthoritiesMapper, setForcePrincipalAsString, setHideUserNotFoundExceptions, setMessageSource, setPostAuthenticationChecks, setPreAuthenticationChecks, setUserCache, supports
-
Constructor Details
-
JmixDaoAuthenticationProvider
public JmixDaoAuthenticationProvider(org.springframework.security.core.userdetails.UserDetailsService userDetailsService)
-
-
Method Details
-
additionalAuthenticationChecks
protected void additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails userDetails, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication) throws org.springframework.security.core.AuthenticationException - Overrides:
additionalAuthenticationChecksin classorg.springframework.security.authentication.dao.DaoAuthenticationProvider- Throws:
org.springframework.security.core.AuthenticationException
-