Hey all,

Can someone (Ben?) explain if it is expected to check the various UserDetails states such as isAccountNonExpired(), isAccountNonLocked(), isCredentialsNonExpired(), and isEnabled() in an AuthenticationProvider? This seems to be applied inconsistently...
We had originally been using DaoAuthenticationProvider, which in its code does those checks, then we switched over to the JaasAuthenticationProvider and after seeing some logins that occurred that shouldn't have occurred, I tracked down the issue to JaasAuthenticationProvider not doing those checks at all. Looking at CasAuthenticationProvider, this seems to not either. Maybe it'd be useful if those checks found in DaoAuthenticationProvider be made available as a pluggable component that other AuthenticationProviders can utilize?

Thanks,
-tim

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
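The pluggable check suggested in the message above, as an added sketch that is not part of the original email and is not Acegi Security code. `AccountStatus`, `AccountStatusChecker` and `AccountStatusException` are hypothetical stand-ins, the sample accounts are constructed, the order of the checks is an assumption, and `record` needs Java 16 or later.

```java
import java.util.List;

public class AccountStatusCheckDemo {

    /** Stand-in for the four UserDetails status methods named in the message. */
    interface AccountStatus {
        boolean isAccountNonExpired();
        boolean isAccountNonLocked();
        boolean isCredentialsNonExpired();
        boolean isEnabled();
    }

    /** Hypothetical exception; a real provider would throw its framework's own types. */
    static class AccountStatusException extends RuntimeException {
        AccountStatusException(String reason) { super(reason); }
    }

    /** Hypothetical shared checker that any provider calls before reporting success. */
    static final class AccountStatusChecker {
        void check(AccountStatus user) {
            // Fail closed: a single false flag rejects the login, even when the
            // external mechanism (JAAS, CAS, ...) already accepted the credentials.
            if (!user.isEnabled()) throw new AccountStatusException("disabled");
            if (!user.isAccountNonLocked()) throw new AccountStatusException("locked");
            if (!user.isAccountNonExpired()) throw new AccountStatusException("account expired");
            if (!user.isCredentialsNonExpired()) throw new AccountStatusException("credentials expired");
        }
    }

    /** Constructed sample account with fixed flags. */
    record Sample(String name, boolean nonExpired, boolean nonLocked, boolean credsOk, boolean enabled)
            implements AccountStatus {
        public boolean isAccountNonExpired() { return nonExpired; }
        public boolean isAccountNonLocked() { return nonLocked; }
        public boolean isCredentialsNonExpired() { return credsOk; }
        public boolean isEnabled() { return enabled; }
    }

    /** Runs the checker and reports the decision as a string. */
    static String outcome(AccountStatusChecker checker, Sample s) {
        try { checker.check(s); return "accepted"; }
        catch (AccountStatusException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        AccountStatusChecker checker = new AccountStatusChecker();
        List<Sample> users = List.of(                          // constructed accounts
            new Sample("alice", true, true, true, true),       // all flags good
            new Sample("bob", true, false, true, true),        // locked
            new Sample("carol", true, true, true, false));     // disabled
        for (Sample u : users) System.out.println(u.name() + " -> " + outcome(checker, u));
    }
}
```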
