Consider allowing to hide UserNotFoundException in PreAuthenticatedAuthenticationProvider #15450
Comments
I believe the reason is that the perspective changed over time on how applications would expose exceptions to the end user. It was also common at that time for exception messages to be translated into multiple languages for the same reason. Neither of these is a common case anymore. That said, can you tell me what you are trying to do and why the propagation of |
@jzheaux Let me just explain the background about the issue. It all started when I override to use However I'm wondering is there any simple way to control it more easily as the -- |
Would adapting the exception get rid of the Sonar error? It seems like Sonar is complaining because you are throwing So, as far as I can tell, the new flag wouldn't help you. Am I missing something? |
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed. |
Actually, using alternative exception class inherits With that in mind, I was just wondering if the Sonar complaint could be handled by other recommended practices, or other new methods, such as a spring-security setting level. However, I've got your point: If my understanding is correct, everything is fine. |
I'd like to hide UsernameNotFoundException in PreAuthenticatedAuthenticationProvider, like DaoAuthenticationProvider, since I don't want to imply that the "username" doesn't exist through the class name itself, let alone the error message.
--
hideUserNotFoundExceptions is allowed in AbstractUserDetailsAuthenticationProvider, which is inherited by DaoAuthenticationProvider.
--
PreAuthenticatedAuthenticationProvider, which I'd like to use in my case, indicates UsernameNotFoundException might be thrown depending on its usage. In fact, AuthenticationUserDetailsService#loadUserDetails is able to throw UsernameNotFoundException. But the class does not support any sort of hideUserNotFoundExceptions.
--
My current alternatives/workarounds:
Currently it seems the class can handle UsernameNotFoundException as AuthenticationException, so I create and use a new Exception class which inherits AuthenticationException to avoid exposure of "Username"NotFoundException in case the exception is thrown.
This works, but I'm curious why PreAuthenticatedAuthenticationProvider does not support hideUserNotFoundExceptions like AbstractUserDetailsAuthenticationProvider.
Thanks.
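The workaround described in the issue body can be done as a decorator around the user details service, so the provider itself stays unchanged. This is an added example, not code from the issue or from Spring Security; the class name HidingUserDetailsService and its provider() helper are hypothetical, and it throws BadCredentialsException, the same type AbstractUserDetailsAuthenticationProvider substitutes when hideUserNotFoundExceptions is enabled.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical decorator (not part of Spring Security). */
public final class HidingUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private static final Log logger = LogFactory.getLog(HidingUserDetailsService.class);

    private final AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> delegate;

    public HidingUserDetailsService(
            AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> delegate) {
        this.delegate = delegate;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        try {
            return this.delegate.loadUserDetails(token);
        } catch (UsernameNotFoundException ex) {
            // Keep the real reason in the server log only; the caller sees a
            // generic failure whose class name says nothing about the username.
            logger.debug("Pre-authenticated principal could not be resolved", ex);
            // No cause attached, so the original exception type cannot leak
            // through anything that serializes the cause chain.
            throw new BadCredentialsException("Bad credentials");
        }
    }

    /** Wires the decorator into a provider; 'delegate' is the application's own service. */
    public static PreAuthenticatedAuthenticationProvider provider(
            AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> delegate) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new HidingUserDetailsService(delegate));
        return provider;
    }
}
```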