SEC-537: Allow customized account status checking in AbstractUserDetailsAuthenticationProvider.authenticate method #798
Labels: in: core, type: enhancement, type: jira
Gerr Magnus Mes (Migrated from SEC-537) said:
Methods isAccountNonLocked(), isEnabled(), isAccountNonExpired() are invoked before checking credentials (before additionalAuthenticationChecks). So I can get any user status (locked, disabled, etc.) even if I don't know user credentials.
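The check ordering described in the issue, as an added example that is not part of the original report or of Spring Security's code: a plain-Java model in which `Account`, `statusFirst` and `credentialsFirst` are hypothetical names and the sample accounts are constructed. It compares the response a caller gets for each ordering when the password is wrong and when it is right.

```java
import java.util.Map;

// Added illustration: plain-Java model of the check ordering, not Spring Security code.
public class StatusCheckOrder {
    // Hypothetical stand-in for UserDetails; the sample accounts below are constructed.
    record Account(String password, boolean locked, boolean enabled, boolean expired) {}

    static final Map<String, Account> USERS = Map.of(
        "alice", new Account("correct-horse", false, true, false),
        "bob",   new Account("s3cret", true, true, false));   // locked account

    // Mirrors the isAccountNonLocked() / isEnabled() / isAccountNonExpired() checks.
    static String statusError(Account a) {
        if (a.locked())   return "LOCKED";
        if (!a.enabled()) return "DISABLED";
        if (a.expired())  return "EXPIRED";
        return null;
    }

    // Order described in the issue: account status is checked before credentials.
    static String statusFirst(String user, String pw) {
        Account a = USERS.get(user);
        if (a == null) return "BAD_CREDENTIALS";
        String err = statusError(a);
        if (err != null) return err;   // returned without a valid password
        // Plaintext compare keeps the model short; a real store holds password hashes.
        return a.password().equals(pw) ? "OK" : "BAD_CREDENTIALS";
    }

    // Alternative order: status is reported only after the password matched.
    static String credentialsFirst(String user, String pw) {
        Account a = USERS.get(user);
        if (a == null || !a.password().equals(pw)) return "BAD_CREDENTIALS";
        String err = statusError(a);
        return err != null ? err : "OK";
    }

    public static void main(String[] args) {
        String[][] attempts = {{"bob", "wrong-guess"}, {"bob", "s3cret"},
                               {"alice", "wrong-guess"}, {"alice", "correct-horse"}};
        for (String[] t : attempts)
            System.out.printf("%-6s %-14s statusFirst=%-16s credentialsFirst=%s%n",
                t[0], t[1], statusFirst(t[0], t[1]), credentialsFirst(t[0], t[1]));
    }
}
```

With status checks first, the locked account answers `LOCKED` for any password; with credentials first, the lock state is reported only to a caller who supplied the right password.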