Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider allowing to hide UserNotFoundException in PreAuthenticatedAuthenticationProvider #15450

Open
b1ueskydragon opened this issue Jul 22, 2024 · 5 comments
Open

Consider allowing to hide UserNotFoundException in PreAuthenticatedAuthenticationProvider #15450

b1ueskydragon opened this issue Jul 22, 2024 · 5 comments
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core status: feedback-provided Feedback has been provided type: enhancement A general enhancement

Comments

@b1ueskydragon
Copy link

b1ueskydragon commented Jul 22, 2024
edited
Loading

I'd like to hide UsernameNotFoundException in PreAuthenticatedAuthenticationProvider as like DaoAuthenticationProvider

Since I don't want to imply that the "username" doesn't exist through the class name itself, let alone the error message.

--

hideUserNotFoundExceptions is allowed in AbstractUserDetailsAuthenticationProvider which is inherited by DaoAuthenticationProvider.

--

PreAuthenticatedAuthenticationProvider , which I'd like to use in my case, indicates UsernameNotFoundException might be thrown depends on its usage. In actual, AuthenticationUserDetailsService#loadUserDetails is able to throw UsernameNotFoundException. But the class does not support any sort of hideUserNotFoundExceptions.

--

My current alternatives/workarounds:

Currently it seems the class can handle UsernameNotFoundException as AuthenticationException,

So I create and use new Exception class which inherits AuthenticationException to avoid exposure of "Username"NotFoundException in case the exception is thrown.

public class SampleUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        return Optional.ofNullable(token)
                       .map( /* normal case */ )
                       }).orElseThrow(() -> new SampleAuthenticationException());
    }

    private static class SampleAuthenticationException extends AuthenticationException {
        private SampleAuthenticationException() {
            super( /* any safe message */ );
        }
    }
}

This works, but I'm curious why PreAuthenticatedAuthenticationProvider does not support hideUserNotFoundExceptions as like AbstractUserDetailsAuthenticationProvider.

Thanks.
@b1ueskydragon b1ueskydragon added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jul 22, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Jul 22, 2024

I believe the reason is that the perspective changed over time on how applications would expose exceptions to the end user. It was also common at that time for exception messages to be translated into multiple languages for the same reason. Neither of these is a common case anymore.

That said, can you tell me what you are trying to do and why the propagation of UserNameNotFoundException is problematic in your case?

@jzheaux jzheaux self-assigned this Jul 22, 2024
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 22, 2024
@b1ueskydragon
Copy link
Author

@jzheaux
Thank you for reply. Yes, basically I agree with your opinion.

Let me just explain the background about the issue.

It all started when I override to use #loadUserDetails and throw accompanying UserNameNotFoundException straightforwardly, then I got advice from sonarqube and I think It's on point.
However, It doesn't stop to advise until I stop throwing UserNameNotFoundException even I change the String message, and I consider the reason is, the class name UserName.... itself might be considered not-safe.
As the result I gave up to throw UserNameNotFoundException, use the unique exception which extends AuthenticationException instead, and it's fine,

However I'm wondering is there any simple way to control it more easily as the AuthenticationProvider level.

--

image1 image0

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jul 25, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Jul 30, 2024

Would adapting the exception get rid of the Sonar error? It seems like Sonar is complaining because you are throwing UsernameNotFoundException. Even if the surrounding AuthenticationProvider did adapt it, it wouldn't resolve the Sonar error. It seems like the change Sonar wants you to make is to throw something else instead (like BadCredentialsException).

So, as far as I can tell, the new flag wouldn't help you. Am I missing something?

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Jul 30, 2024
@spring-projects-issues
Copy link

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Aug 6, 2024
@b1ueskydragon
Copy link
Author

b1ueskydragon commented Aug 7, 2024
edited
Loading

@jzheaux

Actually, using alternative exception class inherits AuthenticationException(e.g. SampleAuthenticationException mentioned in my main text OR BadCredentialsException introduced in your commend) had solved the sonar complaint.

With that in mind, I was just wondering if the sonar complain could be handled by other recommended practices, or other new methods, as like spring-security setting level.

However, I've got your point :
The name of class UsernameNotFoundException itself has no problem, and just using alternative exceptions according to the scene, which I actually conducted, is enough and really fine.

If my understanding is correct, everything is fine.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Aug 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core status: feedback-provided Feedback has been provided type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jzheaux @spring-projects-issues @b1ueskydragon