Description
Rob Winch (Migrated from SEC-2745) said:
I'm using HTTP Basic authentication with an LDAP server as a backend (using auth.ldapAuthentication().contextSource().url("ldap://ldap.example.com")). Everything is working fine, but when the LDAP server is down, Spring Security returns HTTP 401 instead of HTTP 500.
This is problematic because the client application tells the user that the username/password are incorrect, and then users will call support asking why their passwords have changed (when in fact they haven't).
I did some investigation and found that 401 is returned when any unhandled exception is thrown during authentication (For example, if UserDetailsService throws an exception because the database server is down).
To reproduce, simply use the following to configure the AuthenticationManagerBuilder:
auth.userDetailsService(new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
throw new RuntimeException("Database server down");
}
});