symfony
diff --git a/‎src/Symfony/Component/Security/Guard/GuardAuthenticatorInterface.php‎
Lines changed: 5 additions & 1 deletion b/‎src/Symfony/Component/Security/Guard/GuardAuthenticatorInterface.php‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php‎
Lines changed: 4 additions & 1 deletion b/‎src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Guard/Tests/Provider/GuardAuthenticationProviderTest.php‎
Lines changed: 36 additions & 1 deletion b/‎src/Symfony/Component/Security/Guard/Tests/Provider/GuardAuthenticationProviderTest.php‎
Lines changed: 36 additions & 1 deletion
@@ -73,7 +73,11 @@ public function getCredentials(Request $request);
     public function getUser($credentials, UserProviderInterface $userProvider);
 
     /**
-     * Throw an AuthenticationException if the credentials are invalid.
+     * Returns true if the credentials are valid.
+     *
+     * If any value other than true is returned, authentication will
+     * fail. You may also throw an AuthenticationException if you wish
+     * to cause authentication to fail.
      *
      * The *credentials* are the return value from getCredentials()
      *
 
@@ -13,6 +13,7 @@
 
 use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Guard\GuardAuthenticatorInterface;
 use Symfony\Component\Security\Guard\Token\GuardTokenInterface;
@@ -122,7 +123,9 @@ private function authenticateViaGuard(GuardAuthenticatorInterface $guardAuthenti
         }
 
         $this->userChecker->checkPreAuth($user);
-        $guardAuthenticator->checkCredentials($token->getCredentials(), $user);
+        if (true !== $guardAuthenticator->checkCredentials($token->getCredentials(), $user)) {
+            throw new BadCredentialsException(sprintf('Authentication failed because %s::checkCredentials() did not return true.', get_class($guardAuthenticator)));
+        }
         $this->userChecker->checkPostAuth($user);
 
         // turn the UserInterface into a TokenInterface
 
@@ -60,7 +60,9 @@ public function testAuthenticate()
         // checkCredentials is called
         $authenticatorB->expects($this->once())
             ->method('checkCredentials')
-            ->with($enteredCredentials, $mockedUser);
+            ->with($enteredCredentials, $mockedUser)
+            // authentication works!
+            ->will($this->returnValue(true));
         $authedToken = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
         $authenticatorB->expects($this->once())
             ->method('createAuthenticatedToken')
@@ -80,6 +82,39 @@ public function testAuthenticate()
         $this->assertSame($authedToken, $actualAuthedToken);
     }
 
+    /**
+     * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
+     */
+    public function testCheckCredentialsReturningNonTrueFailsAuthentication()
+    {
+        $providerKey = 'my_uncool_firewall';
+
+        $authenticator = $this->getMock('Symfony\Component\Security\Guard\GuardAuthenticatorInterface');
+
+        // make sure the authenticator is used
+        $this->preAuthenticationToken->expects($this->any())
+            ->method('getGuardProviderKey')
+            // the 0 index, to match the only authenticator
+            ->will($this->returnValue('my_uncool_firewall_0'));
+
+        $this->preAuthenticationToken->expects($this->atLeastOnce())
+            ->method('getCredentials')
+            ->will($this->returnValue('non-null-value'));
+
+        $mockedUser = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
+        $authenticator->expects($this->once())
+            ->method('getUser')
+            ->will($this->returnValue($mockedUser));
+        // checkCredentials is called
+        $authenticator->expects($this->once())
+            ->method('checkCredentials')
+            // authentication fails :(
+            ->will($this->returnValue(null));
+
+        $provider = new GuardAuthenticationProvider(array($authenticator), $this->userProvider, $providerKey, $this->userChecker);
+        $provider->authenticate($this->preAuthenticationToken);
+    }
+
     /**
      * @expectedException \Symfony\Component\Security\Core\Exception\AuthenticationExpiredException
      */
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,11 @@ public function getCredentials(Request $request);`
`73`	`73`	`public function getUser($credentials, UserProviderInterface $userProvider);`
`74`	`74`
`75`	`75`	`/**`
`76`		`- * Throw an AuthenticationException if the credentials are invalid.`
	`76`	`+ * Returns true if the credentials are valid.`
	`77`	`+ *`
	`78`	`+ * If any value other than true is returned, authentication will`
	`79`	`+ * fail. You may also throw an AuthenticationException if you wish`
	`80`	`+ * to cause authentication to fail.`
`77`	`81`	`*`
`78`	`82`	`* The credentials are the return value from getCredentials()`
`79`	`83`	`*`