Proper handling if the account is no longer allowed login.

21 years ago · 07e46fe4d5
1 changed files with 12 additions and 0 deletions
--- a/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
@ -222,6 +222,18 @@ public class TokenBasedRememberMeServices implements RememberMeServices,
				@@ -222,6 +222,18 @@ public class TokenBasedRememberMeServices implements RememberMeServices,
                            return null;
                        }

+                        // Immediately reject if the user is not allowed to login
+                        if (!userDetails.isAccountNonExpired()
+                            || !userDetails.isCredentialsNonExpired()
+                            || !userDetails.isEnabled()) {
+                            cancelCookie(request, response,
+                                "Cookie token[0] contained username '"
+                                + cookieTokens[0]
+                                + "' but account has expired, credentials have expired, or user is disabled");
+
+                            return null;
+                        }
+
                        // Check signature of token matches remaining details
                        // Must do this after user lookup, as we need the DAO-derived password
                        // If efficiency was a major issue, just add in a UserCache implementation,