Bug: Spring security 3 ignoring disabled/locked flags when authenticating with OpenID
  • Bug: Spring security 3 ignoring disabled/locked flags when authenticating with OpenID

    Our application uses both name/password logins as well as OpenID. We needed to add the possibility of locking/disabling accounts. While this worked without problems for name/password logins, OpenID seems to ignore the flags. Consider this listing from my log:
    Code:
    DEBUG o.s.s.o.OpenIDAuthenticationFilter - Authentication success.
    Updating SecurityContextHolder to contain:
    [[email protected]48da1:
    Principal: mypackage.UserInfo@ddd49b1b:
    Username: cbada36792e42a3be5a5e0f77d14e918186c7e3f;
    Password: [PROTECTED];
    Enabled: false;
    AccountNonExpired: true;
    credentialsNonExpired: true;
    AccountNonLocked: true;
    Granted Authorities: ROLE_USER;
    Credentials: [PROTECTED];
    Authenticated: true;
    Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a:
    RemoteIpAddress: 127.0.0.1;
    SessionId: 1arhd8er0sj1yynglq8linpnb;
    Granted Authorities: ROLE_USER,
    attributes : []]
    The user is authenticated even though the account is not enabled! The same thing happens for locked users. It seems to be a serious security bug.

    (More details available in my original question at SO.)
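A defensive wrapper for the behaviour described above, added here as an example and not code from the original post or from Spring Security itself: it decorates the application's own OpenID user lookup (the `delegate`, a placeholder for whatever maps the identity URL to the `UserInfo`) and re-runs the standard `AccountStatusUserDetailsChecker`, so a user with `Enabled: false` or `AccountNonLocked: false` is rejected before the token can become authenticated. It assumes the generic `AuthenticationUserDetailsService<T>` signature and that the wrapper is wired in as the OpenID provider's user details service.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.openid.OpenIDAuthenticationToken;

/**
 * Wraps the application's own OpenID lookup ("delegate" is a placeholder for
 * that lookup) and applies the same account-status checks that the
 * name/password path gets from DaoAuthenticationProvider.
 */
public class StatusCheckingOpenIDUserDetailsService
        implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

    private final AuthenticationUserDetailsService<OpenIDAuthenticationToken> delegate;

    // Throws DisabledException, LockedException, AccountExpiredException or
    // CredentialsExpiredException depending on which UserDetails flag is false.
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();

    public StatusCheckingOpenIDUserDetailsService(
            AuthenticationUserDetailsService<OpenIDAuthenticationToken> delegate) {
        this.delegate = delegate;
    }

    public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
            throws UsernameNotFoundException {
        UserDetails user = delegate.loadUserDetails(token);
        // Reject disabled, locked or expired accounts here; the exception
        // propagates to the provider and the login fails instead of succeeding
        // with "Enabled: false" as in the log above.
        checker.check(user);
        return user;
    }
}
```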

  • #2
    This does appear to be a bug. Please log a JIRA https://jira.springsource.org/browse/SEC
