Prevent disabled user from logging in on reactive applications #7113

Closed
eleftherias opened this issue Jul 17, 2019 · 1 comment

Comments

@eleftherias
Contributor

commented Jul 17, 2019

Summary

In servlet applications, if a user account is disabled, locked or expired, then the user is not permitted to log in.
In reactive applications, the user is still permitted to log in regardless of their account status.

The reactive applications should behave like the servlet application by default, and prevent disabled, locked or expired accounts from logging in.

@eleftherias

Contributor Author

commented Jul 17, 2019

This functionality is handled by the pre and post authentication checks in the AbstractUserDetailsAuthenticationProvider for servlet applications.
Reactive applications do not have pre authentication checks and have a noop post authentication check, as seen in UserDetailsRepositoryReactiveAuthenticationManager.
Instead, they should have the same checks that the servlet applications have.
Additionally, there should be a higher level class, similar to AbstractUserDetailsAuthenticationProvider for reactive applications, where these checks are defined.
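The account-status checks this comment describes, written as a wrapper around the stock reactive manager. This is an added example, not code from the issue or from Spring Security; the class name `AccountStatusGuard`, its `preCheck`/`postCheck` helpers, the exception messages and the sample users are assumptions made for illustration.

```java
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.*;
import reactor.core.publisher.Mono;

// Hypothetical wrapper (not a Spring Security class): applies the account-status
// checks around the stock reactive manager, in the servlet provider's order.
public class AccountStatusGuard implements ReactiveAuthenticationManager {
    private final ReactiveUserDetailsService users;
    private final ReactiveAuthenticationManager delegate;

    public AccountStatusGuard(ReactiveUserDetailsService users) {
        this.users = users;
        this.delegate = new UserDetailsRepositoryReactiveAuthenticationManager(users);
    }

    // Before the password is verified: locked, disabled, expired account.
    static void preCheck(UserDetails u) {
        if (!u.isAccountNonLocked()) throw new LockedException("User account is locked");
        if (!u.isEnabled()) throw new DisabledException("User is disabled");
        if (!u.isAccountNonExpired()) throw new AccountExpiredException("User account has expired");
    }

    // After the password is verified: expired credentials.
    static void postCheck(UserDetails u) {
        if (!u.isCredentialsNonExpired()) throw new CredentialsExpiredException("User credentials have expired");
    }

    @Override
    public Mono<Authentication> authenticate(Authentication auth) {
        return users.findByUsername(auth.getName())   // the delegate looks the user up again
            .switchIfEmpty(Mono.defer(() -> Mono.error(new BadCredentialsException("Invalid credentials"))))
            .doOnNext(AccountStatusGuard::preCheck)
            .flatMap(u -> delegate.authenticate(auth).doOnNext(a -> postCheck(u)));
    }

    public static void main(String[] args) {
        // Constructed sample accounts; {noop} marks a plain-text password, for this demo only.
        UserDetails alice = User.withUsername("alice").password("{noop}pw").roles("USER").build();
        UserDetails bob = User.withUsername("bob").password("{noop}pw").roles("USER").disabled(true).build();
        ReactiveAuthenticationManager mgr = new AccountStatusGuard(new MapReactiveUserDetailsService(alice, bob));
        for (String name : new String[] {"alice", "bob"}) {
            String outcome = mgr.authenticate(new UsernamePasswordAuthenticationToken(name, "pw"))
                .map(a -> "authenticated")
                .onErrorResume(AccountStatusException.class, e -> Mono.just("rejected: " + e.getMessage()))
                .block();
            System.out.println(name + " -> " + outcome);
        }
    }
}
```

With the correct password supplied for both accounts, the enabled user authenticates and the disabled one is rejected with a `DisabledException` before the password is ever compared.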

eddumelendez added a commit to eddumelendez/spring-security that referenced this issue Jul 21, 2019

Add support to prevent authentication when user is locked, disabled or expired for reactive apps

Currently, reactive applications don't perform validation when user
is locked, disabled or expired. This commit introduces these validations.

Fixes spring-projectsgh-7113

eddumelendez added a commit to eddumelendez/spring-security that referenced this issue Jul 24, 2019

Prevent authentication when user is inactive for reactive apps
Currently, reactive applications don't perform validation when user
is locked, disabled or expired. This commit introduces these validations.

Fixes spring-projectsgh-7113

eleftherias added a commit that referenced this issue Jul 29, 2019

Prevent authentication when user is inactive for reactive apps
Currently, reactive applications don't perform validation when user
is locked, disabled or expired. This commit introduces these validations.

Fixes gh-7113

@eleftherias eleftherias added this to the 5.2.0.M4 milestone Jul 29, 2019

@eleftherias eleftherias self-assigned this Jul 29, 2019
