whats the difference between Locked and Disabled exceptions?

[lagcisco]

I see that net.sf.acegisecurity.providers.dao.User has an isEnabled method, before I started using acegi I had a role named "LOGIN_ROLE" and this enabled the user to login, so this is what I mapped enabled to when using acegi, I also saw that there was a DisabledException thrown when the account was disabled and I simply display the user a message letting them know that their account has been disabled, anyhow, I also see this LockedException, how does this relate to DisabledException? how should it be used if ever?

[Ben Alex]

Disabled indicates an account has been administratively or automatically disabled for some reason. Usually some action is required to release it.

Locked indicates an account has been automatically suspended due to invalid login attempts. Usually the passage of time or (less often) requesting manual unlocking is required to release it.

The distinction is not used by Acegi Security code aside from providing more informative errors to the user. There is also an order in which different exceptions should be returned, so that a disabled or locked account for instance will not return a bad credentials exception. Refer to the JavaDocs for more details.