Thread: AuthenticationFailureExpiredEvent without user password

  1. #1
    Join Date
    Aug 2004
    Location
    Brazil
    Posts
    21

    AuthenticationFailureExpiredEvent without user password

    Hi folks,

    Can somebody help me?

    On the login screen in my application, when a user with an expired account tries to log in, Acegi should check the username and password before checking whether the account is expired, but I discovered that if the user only enters their username, Acegi throws an AccountExpiredException even with the password empty.

    I have opened a JIRA too (http://opensource.atlassian.com/proj...rowse/SEC-420), but nobody has answered the problem!

    Thanks!!!!
    Eduardo Valentim

    "The best way to learn is to teach"

  2. #2
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,425

    I don't think this is a bug at all, it is just the way it works! If an account is locked, disabled or expired, authentication isn't allowed. You don't even get as far as checking the password; why would you, when the account shouldn't be able to authenticate? If you would like to change the order of events here, then simply provide your own authenticationProvider, it is open source. Look at DaoAuthenticationProvider and its super-class for more information.

    If you would like to suggest this as an improvement, it might be an idea that you could specify whether to assert the account properties before or after password authentication. The default obviously being before.

  3. #3
    Join Date
    Aug 2004
    Location
    Brazil
    Posts
    21

    I understood the problem (my problem) and solved it, thanks for the help and sorry for taking so long to answer.
    Eduardo Valentim

    "The best way to learn is to teach"

  4. #4
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,425

    Not a problem, I'm glad you fixed your code. One of the main problems here is giving away a specific reason why the login is rejected. If you tell someone the account is locked, they know they have valid credentials and will simply try them at a later date, e.g. once the timed lock has expired.
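As an added illustration (not code from this thread, and not Acegi's own DaoAuthenticationProvider), the class below models the two orderings debated in reply #2, account-status checks before or after the password check, together with the point from reply #4: every failure reaches the caller as the same generic message while the specific reason is kept for the server-side log. The names `OrderedAuthenticationProvider`, `Account` and `AuthenticationFailed` are assumptions of this example standing in for Acegi's AuthenticationProvider, UserDetails and exception hierarchy, and the sample user is constructed; a plain SHA-256 digest is used only so the example compiles without dependencies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example, not Acegi code: an authentication provider whose account-status
// checks can run before (Acegi's default per the thread) or after the password check,
// and which reports every failure to the client with one generic message.
public class OrderedAuthenticationProvider {

    /** Stand-in for Acegi's UserDetails (assumed name). */
    static final class Account {
        final String username;
        final byte[] passwordHash;
        final boolean enabled, accountNonLocked, accountNonExpired;

        Account(String username, byte[] passwordHash,
                boolean enabled, boolean accountNonLocked, boolean accountNonExpired) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.accountNonLocked = accountNonLocked;
            this.accountNonExpired = accountNonExpired;
        }
    }

    /** One exception type for every failure; the specific reason never leaves the server. */
    static final class AuthenticationFailed extends Exception {
        final String internalReason;

        AuthenticationFailed(String internalReason) {
            super("Bad credentials");           // identical client-facing text for every cause
            this.internalReason = internalReason;
        }
    }

    private final Map<String, Account> users = new HashMap<>();
    private final boolean accountChecksBeforePassword;
    private final byte[] dummyHash = hash("dummy-password-for-unknown-users");

    OrderedAuthenticationProvider(boolean accountChecksBeforePassword) {
        this.accountChecksBeforePassword = accountChecksBeforePassword;
    }

    void addUser(String username, String password,
                 boolean enabled, boolean accountNonLocked, boolean accountNonExpired) {
        users.put(username, new Account(username, hash(password),
                enabled, accountNonLocked, accountNonExpired));
    }

    /** Returns the authenticated account or throws AuthenticationFailed. */
    public Account authenticate(String username, String rawPassword) throws AuthenticationFailed {
        Account account = users.get(username);
        if (account == null) {
            // Compare against a dummy hash so unknown and known usernames cost the same time.
            MessageDigest.isEqual(dummyHash, hash(rawPassword));
            throw new AuthenticationFailed("unknown user: " + username);
        }
        if (accountChecksBeforePassword) {
            checkAccountStatus(account);        // ordering the original poster observed
        }
        checkPassword(account, rawPassword);
        if (!accountChecksBeforePassword) {
            checkAccountStatus(account);        // ordering the original poster expected
        }
        return account;
    }

    private void checkPassword(Account account, String rawPassword) throws AuthenticationFailed {
        // Constant-time comparison of the digests.
        if (!MessageDigest.isEqual(account.passwordHash, hash(rawPassword))) {
            throw new AuthenticationFailed("bad password for " + account.username);
        }
    }

    private void checkAccountStatus(Account account) throws AuthenticationFailed {
        if (!account.accountNonLocked) throw new AuthenticationFailed("account locked: " + account.username);
        if (!account.enabled) throw new AuthenticationFailed("account disabled: " + account.username);
        if (!account.accountNonExpired) throw new AuthenticationFailed("account expired: " + account.username);
    }

    /** Plain SHA-256 keeps the example dependency-free; real code would use bcrypt or similar. */
    private static byte[] hash(String password) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        for (boolean statusFirst : new boolean[] {true, false}) {
            OrderedAuthenticationProvider provider = new OrderedAuthenticationProvider(statusFirst);
            provider.addUser("eduardo", "s3cret", true, true, false);   // constructed expired account
            try {
                provider.authenticate("eduardo", "");                   // username only, empty password
            } catch (AuthenticationFailed e) {
                System.out.println("statusFirst=" + statusFirst + " -> client sees \"" + e.getMessage()
                        + "\", log records \"" + e.internalReason + "\"");
            }
        }
    }
}
```

Run with `statusFirst=true` the log records "account expired" for the empty password, which is the behaviour the original poster saw; with `statusFirst=false` it records "bad password" instead. In both modes the client only ever sees "Bad credentials", so the ordering choice affects what is logged, not what an unauthenticated caller can learn.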
