
SEC-1919: Log error when fail to communicate with LDAP

Previously communication errors with LDAP were only logged at debug level.

Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthenticationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
Rob Winch
2012-07-31 16:03:48 -05:00
parent a19cc8f1c7
commit a5ec116e80
6 changed files with 94 additions and 2 deletions
@@ -17,8 +17,8 @@ package org.springframework.security.ldap.authentication;
import org.springframework.ldap.NamingException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
@@ -188,7 +188,7 @@ public class LdapAuthenticationProvider extends AbstractLdapAuthenticationProvid
throw notFound;
}
} catch (NamingException ldapAccessFailure) {
throw new AuthenticationServiceException(ldapAccessFailure.getMessage(), ldapAccessFailure);
throw new InternalAuthenticationServiceException(ldapAccessFailure.getMessage(), ldapAccessFailure);
}
}
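Review bot: The catch at the end of this hunk maps every Spring LDAP `NamingException` to `InternalAuthenticationServiceException`, not only the communication failures the commit title describes, so any `NamingException` subtype that can be provoked by request data (an invalid DN or search filter built from the supplied username, for example) would now be logged at error level on demand by an unauthenticated client, which is the log-filling case the description wants to avoid for external providers. Whether the authenticator can raise such input-dependent subtypes is not visible here; if it can, catch `org.springframework.ldap.CommunicationException` first (the test class already imports it) and keep the previous `AuthenticationServiceException` mapping for the remainder, which means the import dropped in the first hunk has to be retained. Separately, `ldapAccessFailure.getMessage()` still becomes the wrapping exception's message, unchanged by this commit, so if any caller renders it, directory-side detail reaches the client; a comment such as `// message is kept for server-side logging; never render it to the end user` would make that intent explicit. The enclosing method starts before this hunk.

```java
} catch (CommunicationException ldapAccessFailure) {
    // LDAP is an internal, trusted dependency: transport failures are logged at error level
    throw new InternalAuthenticationServiceException(ldapAccessFailure.getMessage(), ldapAccessFailure);
} catch (NamingException ldapAccessFailure) {
    // other directory errors may be triggered by request data; keep them at the generic level
    throw new AuthenticationServiceException(ldapAccessFailure.getMessage(), ldapAccessFailure);
}
```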
@@ -21,10 +21,12 @@ import static org.mockito.Mockito.*;
import java.util.*;
import org.junit.Test;
import org.springframework.ldap.CommunicationException;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
@@ -39,6 +41,7 @@ import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
* Tests {@link LdapAuthenticationProvider}.
*
* @author Luke Taylor
* @author Rob Winch
*/
public class LdapAuthenticationProviderTests {
@@ -147,6 +150,22 @@ public class LdapAuthenticationProviderTests {
assertTrue(AuthorityUtils.authorityListToSet(user.getAuthorities()).contains("ROLE_FROM_ENTRY"));
}
@Test
public void authenticateWithNamingException() {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken("ben", "benspassword");
LdapAuthenticator mockAuthenticator = mock(LdapAuthenticator.class);
CommunicationException expectedCause = new CommunicationException(new javax.naming.CommunicationException());
when(mockAuthenticator.authenticate(authRequest)).thenThrow(expectedCause);
LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(mockAuthenticator);
try {
ldapProvider.authenticate(authRequest);
fail("Expected Exception");
} catch(InternalAuthenticationServiceException success) {
assertSame(expectedCause, success.getCause());
}
}
//~ Inner Classes ==================================================================================================
class MockAuthenticator implements LdapAuthenticator {