SEC-2906: RemoteAuthenticationException not being caught

[spring-projects-issues]

Philipp Nanz (Migrated from SEC-2906) said:

When using the RemoteAuthenticationProvider, on the server-side the AuthenticationException is repackaged into a less verbose RemoteAuthenticationException (see RemoteAuthenticationManagerImpl), presumbly in order not to accidentally expose any critical information.

Once the result has reached the client side, the exception is simply passed on though. Since the RemoteAuthenticationException is not a subclass of AuthenticationException it falls through in every following catch block, eventually hitting the uncaught exception handler of the servlet.

[spring-projects-issues]

Philipp Nanz said:

A simple work-around right now looks like this:

public class GracefulRemoteAuthenticationProvider extends
        RemoteAuthenticationProvider {

    /* (non-Javadoc)
     * @see org.springframework.security.authentication.rcp.RemoteAuthenticationProvider#authenticate(org.springframework.security.core.Authentication)
     */
    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        try {
            return super.authenticate(authentication);
        } catch (RemoteAuthenticationException e) {
            throw new BadCredentialsException(e.getMessage());
        }
    }
}