LdapLoginServlet: Improve exception handling
* Handle AuthenticationFailedException separately:
This exception is a subclass of AccountException that is thrown if the
user provides wrong credentials. For this exception we want to return
"Invalid username or password." as message to the client.
* Return a more general message for other AccountExceptions:
Likely they are not caused by an invalid username or password, since that
would cause an AuthenticationFailedException, which we handle first.
* Increase log level to warning:
This is the log level that we use for these exceptions in other places
(e.g. ProjectBasicAuthFilter). Make it consistent.
* Log the stacktrace for AccountExceptions:
We do this everywhere else (e.g. ProjectBasicAuthFilter,
HttpLoginServlet). Make it consistent.
Change-Id: Ie34687d087b5a6cd102bf8cebd0f9830f54c9c1c
Signed-off-by: Edwin Kempin <ekempin@google.com>
diff --git a/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java b/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java
index 24ba4ac..4671475 100644
--- a/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java
+++ b/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java
@@ -30,6 +30,7 @@
import com.google.gerrit.server.account.AccountUserNameException;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.AuthResult;
+import com.google.gerrit.server.account.AuthenticationFailedException;
import com.google.gerrit.server.auth.AuthenticationUnavailableException;
import com.google.gwtexpui.server.CacheHeaders;
import com.google.inject.Inject;
@@ -126,10 +127,16 @@
} catch (AuthenticationUnavailableException e) {
sendForm(req, res, "Authentication unavailable at this time.");
return;
- } catch (AccountException e) {
- log.info(String.format("'%s' failed to sign in: %s", username, e.getMessage()));
+ } catch (AuthenticationFailedException e) {
+ // This exception is thrown if the user provided wrong credentials, we don't need to log a
+ // stacktrace for it.
+ log.warn("'{}' failed to sign in: {}", username, e.getMessage());
sendForm(req, res, "Invalid username or password.");
return;
+ } catch (AccountException e) {
+ log.warn("'{}' failed to sign in", username, e);
+ sendForm(req, res, "Authentication failed.");
+ return;
} catch (RuntimeException e) {
log.error("LDAP authentication failed", e);
sendForm(req, res, "Authentication unavailable at this time.");
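Review bot: Returning two different client-facing messages ("Invalid username or password." for AuthenticationFailedException, "Authentication failed." for every other AccountException) turns the catch order into a response oracle: if any AccountException subtype is thrown only after the LDAP bind succeeded (an inactive or disallowed account, presumably — the throw sites are outside this hunk), the client can now tell that the credentials were correct, which the previous single message did not reveal. Keeping the distinction in the log and sending the same generic text from both branches avoids that, e.g. `sendForm(req, res, "Invalid username or password.");` in the new generic AccountException branch, with a comment `// Same message as for bad credentials on purpose: do not tell the client the bind succeeded.`. Separately, both new log lines interpolate `username` verbatim; if that value comes straight from the form parameter (its origin is outside the hunk), a value containing CR/LF or other control characters can forge additional log records, so consider stripping or escaping it before logging. The enclosing try block starts before this hunk.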