Posted to user@shiro.apache.org by Ross <ro...@s4-technology.com> on 2013/06/06 12:12:58 UTC
Can't get JndiLdapRealm to throw IncorrectCredentialsException
Please excuse me if this is a known issue. I tried searching ldap issues but
couldn't see this problem. This is my first attempt at using shiro so I'll
happily admit it could be a fault on my side.
Shiro 1.2.2
I was following some examples on Shiro configuration and trying to
authenticate against an LDAP user, using an Apache DS server. I can
authenticate valid details happily, but when incorrect details are entered I
would have expected an IncorrectCredentialsException to be thrown; however,
what I get is an AuthenticationException with the root cause of
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user XXXXXX]
Am I wrong in thinking that the JndiLdapRealm should have thrown
IncorrectCredentialsException?
Thanks in advance
Ross
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Can-t-get-JndiLdapRealm-to-throw-IncorrectCredentialsException-tp7578805.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Can't get JndiLdapRealm to throw IncorrectCredentialsException
Posted by Ross <ro...@s4-technology.com>.
Thanks for the prompt answer.
It is my first time using both Shiro and ApacheDS, so I wasn't sure what to
expect.
Ross
Re: Can't get JndiLdapRealm to throw IncorrectCredentialsException
Posted by picpoc <gh...@gmail.com>.
Hi,
Probably because the LDAP error code 49 is a generic authentication failure
error, and does not necessarily imply that credentials are invalid. The real
reason behind the failure may be hidden in a subcode returned within the
error message (in your example "ERR_229", which I think is a real invalid
credentials error in ApacheDS). Unfortunately these "sub-errors" are vendor
specific... for instance, some subcodes of error 49 with Active Directory:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
Thus, if you really want to throw meaningful subclasses of
AuthenticationException, you should override JNDI exception handling and
parse the error message according to your LDAP vendor spec.
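One way to do what picpoc describes, as an added example that is not from this thread or from Shiro itself: a JndiLdapRealm subclass that overrides doGetAuthenticationInfo, keeps the realm's normal bind, and parses the rejected bind's message into the Shiro subclasses. It assumes Active Directory reports the subcode as "data 52e" in the message and that ApacheDS ERR_229 means invalid credentials (as picpoc suggests); the class name, the regexes and the subcode-to-exception choices are mine.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.ldap.JndiLdapRealm;

/** JndiLdapRealm that maps vendor-specific subcodes of LDAP error 49 to Shiro's exception subclasses. */
public class VendorAwareLdapRealm extends JndiLdapRealm {
    // Active Directory reports the subcode after "data " in the bind error, e.g.
    // "... AcceptSecurityContext error, data 52e, v1db1" (assumed message format)
    private static final Pattern AD_SUBCODE = Pattern.compile("data ([0-9a-fA-F]{3})");
    // ApacheDS prefixes its own code, e.g. "ERR_229 Cannot authenticate user ..."
    private static final Pattern APACHEDS_CODE = Pattern.compile("\\bERR_(\\d+)\\b");

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        try {
            return queryForAuthenticationInfo(token, getContextFactory());
        } catch (javax.naming.AuthenticationException e) {
            throw mapBindFailure(e);   // the bind was rejected: pick a meaningful subclass
        } catch (NamingException e) {
            throw new AuthenticationException("LDAP naming error while attempting to authenticate user.", e);
        }
    }

    /** Translates the server's error message into the most specific Shiro exception we can justify. */
    static AuthenticationException mapBindFailure(javax.naming.AuthenticationException cause) {
        String msg = cause.getMessage() == null ? "" : cause.getMessage();
        Matcher ad = AD_SUBCODE.matcher(msg);
        if (ad.find()) {
            switch (ad.group(1).toLowerCase()) {
                case "525": return new UnknownAccountException("User not found", cause);
                case "52e": return new IncorrectCredentialsException("Invalid credentials", cause);
                case "530": return new AccountException("Not permitted to log on at this time", cause);
                case "532": return new ExpiredCredentialsException("Password expired", cause);
                case "533": return new DisabledAccountException("Account disabled", cause);
                case "701": return new DisabledAccountException("Account expired", cause);
                case "773": return new ExpiredCredentialsException("User must reset password", cause);
            }
        }
        Matcher ds = APACHEDS_CODE.matcher(msg);
        if (ds.find() && "229".equals(ds.group(1))) {   // assumed: ERR_229 = invalid credentials
            return new IncorrectCredentialsException("Invalid credentials", cause);
        }
        // Anything unrecognised stays the generic failure JndiLdapRealm would have thrown.
        return new AuthenticationException("LDAP authentication failed.", cause);
    }
}
```

Register this class in shiro.ini in place of org.apache.shiro.realm.ldap.JndiLdapRealm; the rest of the realm configuration (userDnTemplate, contextFactory.url) is unchanged.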