[SWS-555] Check User's status in SpringDigestPasswordValidationCallbackHandler
Created: 23/Aug/09
Updated: 04/May/12
Resolved: 23/Aug/09

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: None
Fix Version/s: 1.5.8

Type: Bug
Priority: Major
Reporter: Tareq Abedrabbo
Assignee: Tareq Abedrabbo
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


SpringDigestPasswordValidationCallbackHandler relies on a UserDetailsService, which simply loads a User and does not verify its status. A check should be added on the combination of isCredentialsNonExpired(), isEnabled(), isAccountNonExpired() and isAccountNonLocked() to reject invalid users.
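The check requested above, sketched as an added example that is not the Spring-WS source or the actual fix: the `UserDetails` record is a simplified stand-in for Spring Security's interface (only the four status methods named in this issue), and the user store, method names and sample accounts are constructed for illustration.

```java
import java.util.Map;

// Added example; simplified model, not Spring-WS code.
public class AccountStatusCheckDemo {

    // Stand-in for Spring Security's UserDetails, reduced to what this issue mentions.
    record UserDetails(String username, String password, boolean enabled,
                       boolean accountNonExpired, boolean accountNonLocked,
                       boolean credentialsNonExpired) {
        boolean isEnabled() { return enabled; }
        boolean isAccountNonExpired() { return accountNonExpired; }
        boolean isAccountNonLocked() { return accountNonLocked; }
        boolean isCredentialsNonExpired() { return credentialsNonExpired; }
    }

    // Constructed sample store standing in for a UserDetailsService.
    static final Map<String, UserDetails> USERS = Map.of(
        "alice", new UserDetails("alice", "s3cret", true, true, true, true),
        "bob",   new UserDetails("bob", "hunter2", true, true, false, true),  // locked
        "carol", new UserDetails("carol", "pw", false, true, true, true));    // disabled

    // Behaviour described in the issue: the user is loaded and its password is
    // handed to validation without looking at the account status.
    static String passwordWithoutStatusCheck(String username) {
        UserDetails user = USERS.get(username);
        return user == null ? null : user.password();
    }

    // Requested behaviour: all four status flags must hold before the password
    // is released; otherwise the user is treated as unknown.
    static String passwordWithStatusCheck(String username) {
        UserDetails user = USERS.get(username);
        if (user == null) return null;
        boolean valid = user.isEnabled() && user.isAccountNonExpired()
                && user.isAccountNonLocked() && user.isCredentialsNonExpired();
        return valid ? user.password() : null;  // null: nothing to validate against
    }

    public static void main(String[] args) {
        for (String name : new String[] {"alice", "bob", "carol", "unknown"}) {
            System.out.printf("%-8s unchecked=%-8s checked=%s%n", name,
                    passwordWithoutStatusCheck(name), passwordWithStatusCheck(name));
        }
    }
}
```

In this model the locked and disabled accounts still yield a password on the unchecked path, so a request carrying the right digest would validate; on the checked path they are indistinguishable from an unknown user.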

Comment by Arjen Poutsma [ 04/May/12 ]

Closing old issues
