Diffstat (limited to 'Authentication/Provider')
-rw-r--r--Authentication/Provider/DaoAuthenticationProvider.php36
-rw-r--r--Authentication/Provider/UserAuthenticationProvider.php11
2 files changed, 33 insertions, 14 deletions
diff --git a/Authentication/Provider/DaoAuthenticationProvider.php b/Authentication/Provider/DaoAuthenticationProvider.php
index 9a9f857..34880b2 100644
--- a/Authentication/Provider/DaoAuthenticationProvider.php
+++ b/Authentication/Provider/DaoAuthenticationProvider.php
@@ -55,12 +55,19 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
*/
protected function checkAuthentication(AccountInterface $account, UsernamePasswordToken $token)
{
- if (!$presentedPassword = (string) $token->getCredentials()) {
- throw new BadCredentialsException('Bad credentials');
- }
+ $user = $token->getUser();
+ if ($user instanceof AccountInterface) {
+ if ($account->getPassword() !== $user->getPassword()) {
+ throw new BadCredentialsException('The credentials were changed from another session.');
+ }
+ } else {
+ if (!$presentedPassword = (string) $token->getCredentials()) {
+ throw new BadCredentialsException('Bad credentials');
+ }
- if (!$this->passwordEncoder->isPasswordValid($account->getPassword(), $presentedPassword, $account->getSalt())) {
- throw new BadCredentialsException('Bad credentials');
+ if (!$this->passwordEncoder->isPasswordValid($account->getPassword(), $presentedPassword, $account->getSalt())) {
+ throw new BadCredentialsException('Bad credentials');
+ }
}
}
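Review bot: The comparison `$account->getPassword() !== $user->getPassword()` in the new `$user instanceof AccountInterface` branch can never fire as the file stands, because retrieveUser in the next hunk returns `$token->getUser()` unchanged whenever it is already an AccountInterface, so `$account` and `$user` are the same object. For the "changed from another session" check to detect anything the account has to be reloaded from the provider, e.g. by dropping retrieveUser's early return so it always calls `$this->userProvider->loadUserByUsername($username)`, unless a subclass is expected to do that reload (not visible here). This branch also accepts the token without looking at the presented credentials at all, which is presumably intended for a previously authenticated token but deserves a comment: `// Re-authentication of an already-authenticated token: compare the stored hash with the account's current hash instead of re-checking the plaintext credential.`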
@@ -69,19 +76,30 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
*/
protected function retrieveUser($username, UsernamePasswordToken $token)
{
- $user = null;
+ $user = $token->getUser();
+ if ($user instanceof AccountInterface) {
+ return array($user, $token->getUserProviderName());
+ }
+
+ $result = null;
try {
- $user = $this->userProvider->loadUserByUsername($username);
+ $result = $this->userProvider->loadUserByUsername($username);
} catch (UsernameNotFoundException $notFound) {
throw $notFound;
} catch (\Exception $repositoryProblem) {
throw new AuthenticationServiceException($repositoryProblem->getMessage(), $token, 0, $repositoryProblem);
}
- if (!$user instanceof AccountInterface) {
+ if (!is_array($result) || 2 !== count($result)) {
+ throw new AuthenticationServiceException('User provider did not return an array, or array had invalid format.');
+ }
+ if (!$result[0] instanceof AccountInterface) {
throw new AuthenticationServiceException('The user provider must return an AccountInterface object.');
}
+ if (empty($result[1])) {
+ throw new AuthenticationServiceException('The user provider must return a non-empty user provider name.');
+ }
- return $user;
+ return $result;
}
}
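Review bot: The early return for a token whose user is already an AccountInterface skips the validation the loaded path performs right below it: `$token->getUserProviderName()` is returned without the non-empty check applied to `$result[1]`, and the `$username` argument is ignored, so a token whose user was set without a provider name flows straight into the new UsernamePasswordToken. Guard it the same way before returning: `if (!$providerName = $token->getUserProviderName()) { throw new AuthenticationServiceException('The token must carry a non-empty user provider name.'); }`. Note that `empty($result[1])` also rejects the string '0'; if provider names are arbitrary strings, `'' === (string) $result[1]` is the stricter test.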
diff --git a/Authentication/Provider/UserAuthenticationProvider.php b/Authentication/Provider/UserAuthenticationProvider.php
index 60c58c1..f621e42 100644
--- a/Authentication/Provider/UserAuthenticationProvider.php
+++ b/Authentication/Provider/UserAuthenticationProvider.php
@@ -54,7 +54,7 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
$username = null === $token->getUser() ? 'NONE_PROVIDED' : (string) $token;
try {
- $user = $this->retrieveUser($username, $token);
+ $result = $this->retrieveUser($username, $token);
} catch (UsernameNotFoundException $notFound) {
if ($this->hideUserNotFoundExceptions) {
throw new BadCredentialsException('Bad credentials', 0, $notFound);
@@ -63,15 +63,16 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
throw $notFound;
}
- if (!$user instanceof AccountInterface) {
- throw new AuthenticationServiceException('The retrieveUser() methods must return an AccountInterface object.');
+ if (!is_array($result) || 2 !== count($result)) {
+ throw new AuthenticationServiceException('retrieveUser() did not return an array, or array had invalid format.');
}
+ list($user, $userProviderName) = $result;
$this->accountChecker->checkPreAuth($user);
$this->checkAuthentication($user, $token);
$this->accountChecker->checkPostAuth($user);
- return new UsernamePasswordToken($user, $token->getCredentials(), $user->getRoles());
+ return new UsernamePasswordToken($user, $token->getCredentials(), $userProviderName, $user->getRoles());
}
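Review bot: The base class no longer verifies that `$user` is an AccountInterface — the removed instanceof check is replaced only by an array-shape check, so `checkPreAuth($user)`, `checkAuthentication($user, $token)` and `$user->getRoles()` now run on whatever a subclass's retrieveUser put in `$result[0]`. DaoAuthenticationProvider checks this itself, but other subclasses are not forced to, and the abstract class is where the contract should be enforced. Add after the `list(...)` line: `if (!$user instanceof AccountInterface) { throw new AuthenticationServiceException('retrieveUser() must return an AccountInterface as the first element.'); }`, and a non-empty check on `$userProviderName`, which is written into the returned token unvalidated. authenticate() begins before this hunk.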
/**
@@ -88,7 +89,7 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
* @param string $username The username to retrieve
* @param UsernamePasswordToken $token The Token
*
- * @return AccountInterface The user
+ * @return array The user
*
* @throws AuthenticationException if the credentials could not be validated
*/
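Review bot: `@return array The user` no longer describes what retrieveUser returns; the hunks above show a two-element array of the account and the provider name, which authenticate() destructures with list(). Spell out the shape so subclass implementers produce it: `@return array A two-element array: array(AccountInterface $user, string $userProviderName)`. The documented abstract method's signature follows after this hunk.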