
Prevent disabled user from logging in on reactive applications #7113

Closed
eleftherias opened this issue Jul 17, 2019 · 1 comment · Fixed by #7119
Comments

@eleftherias (Contributor)

Summary

In servlet applications, if a user account is disabled, locked or expired, then the user is not permitted to log in.
In reactive applications, the user is still permitted to log in regardless of their account status.

The reactive applications should behave like the servlet application by default, and prevent disabled, locked or expired accounts from logging in.

@eleftherias eleftherias added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Jul 17, 2019
@eleftherias (Contributor, Author)

This functionality is handled by the pre and post authentication checks in the AbstractUserDetailsAuthenticationProvider for servlet applications.
Reactive applications do not have pre authentication checks and have a noop post authentication check, as seen in UserDetailsRepositoryReactiveAuthenticationManager.
Instead, they should have the same checks that the servlet applications have.
Additionally, there should be a higher level class, similar to AbstractUserDetailsAuthenticationProvider for reactive applications, where these checks are defined.
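The check ordering described above (account-status checks before the password comparison, credential-expiry after it), written out as an added illustration of a reactive manager; this is not code from the issue or from Spring Security itself. The class name, the constructor and the exception messages are assumptions; the Spring Security and Reactor types used are the public ones.

```java
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.crypto.password.PasswordEncoder;
import reactor.core.publisher.Mono;

// Hypothetical class name: a reactive manager that mirrors the servlet provider's checks.
public class StatusCheckingReactiveAuthenticationManager implements ReactiveAuthenticationManager {
    private final ReactiveUserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;

    // Pre-authentication checks run BEFORE the password is compared, so a locked or
    // disabled account cannot be used to probe whether a password is correct.
    private final UserDetailsChecker preAuthenticationChecks = user -> {
        if (!user.isAccountNonLocked()) throw new LockedException("User account is locked");
        if (!user.isEnabled()) throw new DisabledException("User is disabled");
        if (!user.isAccountNonExpired()) throw new AccountExpiredException("User account has expired");
    };

    // Post-authentication check runs only after the password matched, as in the servlet provider.
    private final UserDetailsChecker postAuthenticationChecks = user -> {
        if (!user.isCredentialsNonExpired()) throw new CredentialsExpiredException("User credentials have expired");
    };

    public StatusCheckingReactiveAuthenticationManager(ReactiveUserDetailsService userDetailsService,
                                                       PasswordEncoder passwordEncoder) {
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        String username = authentication.getName();
        String presentedPassword = (String) authentication.getCredentials();
        return this.userDetailsService.findByUsername(username)
                .switchIfEmpty(Mono.error(() -> new BadCredentialsException("Invalid Credentials")))
                .doOnNext(this.preAuthenticationChecks::check)          // throws -> error signal
                .filter(user -> this.passwordEncoder.matches(presentedPassword, user.getPassword()))
                .switchIfEmpty(Mono.error(() -> new BadCredentialsException("Invalid Credentials")))
                .doOnNext(this.postAuthenticationChecks::check)
                .map(user -> new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities()));
    }
}
```

An exception thrown inside `doOnNext` is propagated by Reactor as an error signal, so a locked, disabled or expired account fails with the specific `AccountStatusException` subtype rather than being issued an authenticated token.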

@eleftherias eleftherias added the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Jul 18, 2019
eddumelendez added a commit to eddumelendez/spring-security that referenced this issue Jul 24, 2019
Currently, reactive applications don't perform validation when user
is locked, disabled or expired. This commit introduces these validations.

Fixes spring-projectsgh-7113
eleftherias pushed a commit that referenced this issue Jul 29, 2019
Currently, reactive applications don't perform validation when user
is locked, disabled or expired. This commit introduces these validations.

Fixes gh-7113
@eleftherias eleftherias added this to the 5.2.0.M4 milestone Jul 29, 2019
@eleftherias eleftherias self-assigned this Jul 29, 2019
@rwinch rwinch removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Aug 5, 2019
kostya05983 pushed a commit to kostya05983/spring-security that referenced this issue Aug 26, 2019
Currently, reactive applications don't perform validation when user
is locked, disabled or expired. This commit introduces these validations.

Fixes spring-projectsgh-7113