Google Git
Sign in
gerrit / gerrit / 84b82dadcf6d04c5d31323d70cd134af49aa6b2b^! / .
commit84b82dadcf6d04c5d31323d70cd134af49aa6b2b[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Wed May 16 16:12:25 2018 +0200
committerEdwin Kempin <ekempin@google.com>Thu May 17 08:05:39 2018 +0200
treee32e802de09c7b3e653ae141b831c0db0be1fd05
parent55ece33377af2b575a8f1d93d1d5ce68a90957cc [diff]
LdapLoginServlet: Improve exception handling

* Handle AuthenticationFailedException separately:
  This exception is a subclass of AccountException that is thrown if the
  user provides wrong credentials. For this exception we want to return
  "Invalid username or password." as message to the client.
* Return a more general message for other AccountExceptions:
  Likely they are not caused by invalid username or password since this
  would cause a AuthenticationFailedException which we handle before.
* Increase log level to warning:
  This is the log level that we use for these exceptions in other places
  (e.g. ProjectBasicAuthFilter). Make it consistent.
* Log the stacktrace for AccountExceptions:
  We do this everywhere else (e.g. ProjectBasicAuthFilter,
  HttpLoginServlet). Make it consistent.

Change-Id: Ie34687d087b5a6cd102bf8cebd0f9830f54c9c1c
Signed-off-by: Edwin Kempin <ekempin@google.com>

diff --git a/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java b/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java
index 24ba4ac..4671475 100644
--- a/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java
+++ b/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java

@@ -30,6 +30,7 @@
 import com.google.gerrit.server.account.AccountUserNameException;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.AuthResult;
+import com.google.gerrit.server.account.AuthenticationFailedException;
 import com.google.gerrit.server.auth.AuthenticationUnavailableException;
 import com.google.gwtexpui.server.CacheHeaders;
 import com.google.inject.Inject;
@@ -126,10 +127,16 @@
     } catch (AuthenticationUnavailableException e) {
       sendForm(req, res, "Authentication unavailable at this time.");
       return;
-    } catch (AccountException e) {
-      log.info(String.format("'%s' failed to sign in: %s", username, e.getMessage()));
+    } catch (AuthenticationFailedException e) {
+      // This exception is thrown if the user provided wrong credentials, we don't need to log a
+      // stacktrace for it.
+      log.warn("'{}' failed to sign in: {}", username, e.getMessage());
       sendForm(req, res, "Invalid username or password.");
       return;
+    } catch (AccountException e) {
+      log.warn("'{}' failed to sign in", username, e);
+      sendForm(req, res, "Authentication failed.");
+      return;
     } catch (RuntimeException e) {
       log.error("LDAP authentication failed", e);
       sendForm(req, res, "Authentication unavailable at this time.");