Posted to user@shiro.apache.org by Ross <ro...@s4-technology.com> on 2013/06/06 12:12:58 UTC

Can't get JndiLdapRealm to throw IncorrectCredentialsException

Please excuse me if this is a known issue. I tried searching ldap issues but
couldn't see this problem. This is my first attempt at using shiro so I'll
happily admit it could be a fault on my side.

Shiro 1.2.2

I was following some examples on shiro configuration and trying to
authenticate against an LDAP user, using an Apache DS server. I can
authenticate valid details happily but when incorrect details are entered I
would have expected an IncorrectCredentialsException to be thrown, however
what I get is an AuthenticationException with the root cause of
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user XXXXXX]

Am I wrong in thinking that the JndiLdapRealm should have thrown
IncorrectCredentialsException?

Thanks in advance

Ross



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Can-t-get-JndiLdapRealm-to-throw-IncorrectCredentialsException-tp7578805.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Can't get JndiLdapRealm to throw IncorrectCredentialsException

Posted by Ross <ro...@s4-technology.com>.
Thanks for the prompt answer.

It is my first time using both Shiro and ApacheDS so I wasn't sure what to
expect.


Ross


Re: Can't get JndiLdapRealm to throw IncorrectCredentialsException

Posted by picpoc <gh...@gmail.com>.
Hi,

Probably because the LDAP error code 49 is a generic authentication failure
error, and does not necessarily imply that credentials are invalid. The real
reason behind the failure may be hidden in a subcode returned within the
error message (in your example "ERR_229", which I think is a real invalid
credentials error in ApacheDS). Unfortunately these "sub-errors" are vendor
specific... for instance some subcodes of error 49 with Active Directory:
    525 - user not found
    52e - invalid credentials
    530 - not permitted to logon at this time
    532 - password expired
    533 - account disabled
    701 - account expired
    773 - user must reset password

Thus, if you really want to throw meaningful subclasses of
AuthenticationException, you should override JNDI exception handling and
parse the error message according to your LDAP vendor spec.

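One way to do what the reply above suggests, as an added example that is not code from this thread or from Shiro itself: a JndiLdapRealm subclass that lets the base class perform the bind, then inspects the javax.naming.AuthenticationException that Shiro 1.2.x wraps as the cause (visible in the original stack trace) and maps the vendor subcode to a more specific Shiro exception. The Active Directory subcode table is the one given in the reply, and the ApacheDS ERR_229 mapping follows the reply's reading of that code; the class name, the regular expressions, the sample message text in the comments, and the choice of which Shiro exception class each subcode maps to are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.realm.ldap.JndiLdapRealm;

/**
 * Hypothetical realm (not part of Shiro): delegates the LDAP bind to
 * JndiLdapRealm and translates a generic "error code 49" bind failure into
 * the specific Shiro exception that the vendor-specific subcode indicates.
 */
public class VendorAwareLdapRealm extends JndiLdapRealm {

    // Active Directory appends "data <hex>" to its bind failure text; a
    // constructed example of the shape: "[LDAP: error code 49 - 80090308:
    // LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]"
    private static final Pattern AD_SUBCODE = Pattern.compile("data ([0-9a-fA-F]{3})");

    // ApacheDS uses "ERR_<n>" identifiers, as in the message from the original post:
    // "[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user ...]"
    private static final Pattern APACHEDS_SUBCODE = Pattern.compile("(ERR_\\d+)");

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        try {
            return super.doGetAuthenticationInfo(token);
        } catch (AuthenticationException e) {
            // Shiro 1.2.x wraps the JNDI bind failure as the cause; only that case is translated.
            Throwable cause = e.getCause();
            if (cause instanceof javax.naming.AuthenticationException) {
                throw translate(cause.getMessage(), e);
            }
            throw e;
        }
    }

    /** Maps the vendor-specific text of an LDAP error 49 to a Shiro exception. */
    static AuthenticationException translate(String ldapMessage, Throwable cause) {
        if (ldapMessage == null || !ldapMessage.contains("error code 49")) {
            return new AuthenticationException("LDAP authentication failed.", cause);
        }

        // Active Directory: the subcode after "data" carries the real reason.
        Matcher ad = AD_SUBCODE.matcher(ldapMessage);
        if (ad.find()) {
            String sub = ad.group(1).toLowerCase();
            if (sub.equals("525")) {
                return new UnknownAccountException("User not found", cause);
            } else if (sub.equals("52e")) {
                return new IncorrectCredentialsException("Invalid credentials", cause);
            } else if (sub.equals("530")) {
                return new AccountException("Not permitted to log on at this time", cause);
            } else if (sub.equals("532")) {
                return new ExpiredCredentialsException("Password expired", cause);
            } else if (sub.equals("533")) {
                return new DisabledAccountException("Account disabled", cause);
            } else if (sub.equals("701")) {
                return new AccountException("Account expired", cause);
            } else if (sub.equals("773")) {
                return new ExpiredCredentialsException("User must reset password", cause);
            }
        }

        // ApacheDS: ERR_229 is taken to mean invalid credentials, per the reply above.
        Matcher ds = APACHEDS_SUBCODE.matcher(ldapMessage);
        if (ds.find() && ds.group(1).equals("ERR_229")) {
            return new IncorrectCredentialsException("Invalid credentials", cause);
        }

        // Unrecognised subcode: keep the generic exception rather than guess.
        return new AuthenticationException("LDAP authentication failed.", cause);
    }
}
```

Register the subclass in shiro.ini in place of JndiLdapRealm (for example `ldapRealm = com.example.VendorAwareLdapRealm`, a placeholder package) and keep the rest of the realm configuration unchanged. Note that the finer-grained exceptions are meant for server-side logging, lockout counters and password-expiry redirects; the message shown to the end user should stay generic, since telling an unauthenticated caller the difference between "user not found" and "wrong password" lets them enumerate valid account names.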