FacebookAuthProvider doesn't honor enabled or passwordExpired

[maurociancio]

Hi there,
I've been integrating this plugin into my app. I rely in enabled and passwordExpired flags that are provided by Spring Security to disable user access and to force a password change.

I've tested a couple of cases and I've found out that the plugin does not honor these flags. So, even if an user has enabled=false the plugin allows the user to log in.

Have anyone thought of this case?
Thanks for any pointers that can help me.

[maurociancio]

Thanks for the fix, @splix 😄

[splix]

Please try version 0.15.4 (or 0.15.4-CORE2, depending on which version of spring-security-core you're using)

Also, make sure that you've configured postAuthenticationChecks bean, by default Spring Security Core uses DefaultPostAuthenticationChecks, that takes isCredentialsNonExpired() only. I guess, you need to use AccountStatusUserDetailsChecker instead.

Like following code in spring/resources.groovy:

beans = {
   postAuthenticationChecks(org.springframework.security.authentication.AccountStatusUserDetailsChecker)
}

[maurociancio]

Thanks for the tip.
I'll try it as soon as I can. I've found a workaround to this issue, so it may take a while.

[maurociancio]

For the record... I had to save in the session the username that tried to login in order to work with the default workflow of spring security before throwing CredentialsExpiredException.

final GrailsWebRequest webRequest = WebUtils.retrieveGrailsWebRequest()
webRequest.session[UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY] = escapeHtml(usuario.username)