Our application uses both name/password logins as well as OpenID. We needed to add the possibility of locking/disabling accounts. While this worked without problems for name/password logins, OpenID seems to ignore the flags. Consider this listing from my log:

Code:
```
DEBUG o.s.s.o.OpenIDAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: [org.springframework.security.openid.OpenIDAuthenticationToken@66348da1: Principal: mypackage.UserInfo@ddd49b1b: Username: cbada36792e42a3be5a5e0f77d14e918186c7e3f; Password: [PROTECTED]; Enabled: false; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 1arhd8er0sj1yynglq8linpnb; Granted Authorities: ROLE_USER, attributes : []]
```

The user is authenticated even though the account is not enabled! The same thing happens for locked users. It seems to be a serious security bug.
(More details available in my original question at SO.)
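The log line above shows a token with `Enabled: false` being marked `Authenticated: true`, so the account-status checks that `DaoAuthenticationProvider` runs for name/password logins are not being applied on the OpenID path. The following is an added example (not code from the original post or from Spring Security itself) of the defensive fix a practitioner would want: a decorating `AuthenticationProvider` that wraps whatever provider produced the token and re-runs Spring Security's own `AccountStatusUserDetailsChecker` on the resulting principal before the token reaches the `SecurityContextHolder`. The class name `AccountStatusCheckingProvider` is an assumption; the Spring types it uses (`AuthenticationProvider`, `AccountStatusUserDetailsChecker`, `UserDetailsChecker`, `UserDetails`) are real.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

/**
 * Hypothetical decorator (assumed name, not part of Spring Security):
 * wraps any AuthenticationProvider, e.g. the OpenID one, and refuses to
 * hand back an authenticated token whose principal is a UserDetails that
 * is disabled, locked, or expired.
 */
public class AccountStatusCheckingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    // Spring's own checker: throws DisabledException, LockedException,
    // AccountExpiredException or CredentialsExpiredException when the
    // corresponding UserDetails flag is false. These are the same checks the
    // name/password path already performs.
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();

    public AccountStatusCheckingProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            // Delegate could not handle this token type; let the
            // ProviderManager try the next provider.
            return null;
        }
        Object principal = result.getPrincipal();
        if (principal instanceof UserDetails) {
            // Throws for Enabled: false, AccountNonLocked: false, etc., so a
            // disabled or locked account never becomes an authenticated token.
            checker.check((UserDetails) principal);
        }
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Accept exactly the token types the wrapped provider accepts.
        return delegate.supports(authentication);
    }
}
```

Register the wrapper in place of the bare OpenID provider in the `ProviderManager` (for example `new AccountStatusCheckingProvider(openIdProvider)`). With it in place, a login for the user shown in the log ends in a `DisabledException` instead of an "Authentication success" line, and a locked user gets a `LockedException`; both surface as ordinary authentication failures, so the same failure handler and audit logging used for password logins apply.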


