
I am using Spring Security 3.2.5. I use ActiveDirectoryLdapAuthenticationProvider as my authentication provider. But I want to check my username and password before authenticating through Active Directory. For example, before the authentication process starts via Active Directory, I want to check that the username and password are not equal and that there is no space in them or their size is not smaller than a specified size.

Update: Spring Security does not allow an empty username and/or password and raises this exception: Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials.

I have been looking around in different filters and I think I should do this checking in UsernamePasswordAuthenticationFilter, but I am not sure and I don't know how to do it. I would highly appreciate your help.

Thanks in advance.

Best Regards, /Samaneh


1 Answer


By default Spring Security should error if the user attempts to submit an empty username or password. As far as testing password criteria prior to the LDAP authentication attempt, that seems inherently insecure. By testing a precondition you may give an attacker insight as to what the password may be. Additionally, short-circuiting the LDAP binding attempt would effectively circumvent any maximum invalid attempt threshold configured in Active Directory.

Simply put, when it comes to authentication, we don't want to give the user any specific details other than that the username and password they provided were wrong.
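As an added illustration of the answer's recommendation (this is example code, not code from the question, the answer, or Spring Security itself), the following is a delegating AuthenticationProvider for Spring Security 3.2 that forwards every login request to ActiveDirectoryLdapAuthenticationProvider, so the domain's bad-password counter always sees the attempt, and then collapses every failure into one generic BadCredentialsException. The class name and the domain and URL constructor arguments are assumptions; the comments mark the point where a pre-bind check of the kind the question describes would sit, and why it is left out.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/**
 * Example provider (hypothetical class name): always performs the Active
 * Directory bind and never reports why a login failed.
 */
public class UniformFailureAdAuthenticationProvider implements AuthenticationProvider {

    // The single message every failed login produces, so a caller cannot
    // distinguish "no such user", "wrong password", or a locked account.
    private static final String GENERIC_FAILURE = "Bad credentials";

    private final ActiveDirectoryLdapAuthenticationProvider delegate;

    // domain and url are assumed deployment values, e.g. "example.com" and
    // "ldap://dc.example.com/"; they are not taken from the original post.
    public UniformFailureAdAuthenticationProvider(String domain, String url) {
        this.delegate = new ActiveDirectoryLdapAuthenticationProvider(domain, url);
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        // Deliberately no local check of the password here (length, spaces,
        // equality with the username): rejecting a request before the bind
        // would (a) tell an attacker which guesses can never be valid and
        // (b) skip the bind, so AD's invalid-attempt threshold never counts it.
        try {
            return delegate.authenticate(authentication);
        } catch (AuthenticationException e) {
            // Whatever AD or the delegate reported, the user sees one message.
            // Log e server-side if you need the detail for incident response.
            throw new BadCredentialsException(GENERIC_FAILURE);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register this provider with the AuthenticationManager in place of the bare ActiveDirectoryLdapAuthenticationProvider; the standard UsernamePasswordAuthenticationFilter then receives the same generic exception for every failure, and the account's failed-attempt count in Active Directory stays accurate because every submitted password reaches the bind.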