From 07e46fe4d56a03f1aee1231ce9760b53523070cf Mon Sep 17 00:00:00 2001
From: Ben Alex
Date: Fri, 18 Mar 2005 00:06:09 +0000
Subject: [PATCH] Proper handling if the account is no longer allowed login.

---
 .../ui/rememberme/TokenBasedRememberMeServices.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java b/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
index 04ef52f45f..5a283b076e 100644
--- a/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
+++ b/core/src/main/java/org/acegisecurity/ui/rememberme/TokenBasedRememberMeServices.java
@@ -222,6 +222,18 @@ public class TokenBasedRememberMeServices implements RememberMeServices,
 return null;
 }
 
+ // Immediately reject if the user is not allowed to login
+ if (!userDetails.isAccountNonExpired()
+ || !userDetails.isCredentialsNonExpired()
+ || !userDetails.isEnabled()) {
+ cancelCookie(request, response,
+ "Cookie token[0] contained username '"
+ cookieTokens[0]
+ "' but account has expired, credentials have expired, or user is disabled");
+
+ return null;
+ }
+
 // Check signature of token matches remaining details
 // Must do this after user lookup, as we need the DAO-derived password
 // If efficiency was a major issue, just add in a UserCache implementation,
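Review bot: The new guard consults isAccountNonExpired, isCredentialsNonExpired and isEnabled but not the locked-account state, so a UserDetails that is merely locked would still be accepted through the remember-me cookie even though the interactive authentication path treats a locked account as a failure; if the UserDetails contract in this version exposes isAccountNonLocked, the condition should gain `|| !userDetails.isAccountNonLocked()` and the cancel message should mention the locked case too. Placing the status check before the signature verification is fine, since both the failed-status path and a failed-signature path cancel the cookie and return null, so the client observes no difference in outcome. In this rendering the three-line cancelCookie message appears to have lost its string-concatenation operators, which is presumably a page artifact rather than what was committed. The enclosing method starts and ends outside the hunk.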