mkoryak

Reputation: 57988

LdapAuthenticationProvider not checking if user is not active

I can auth my website with either LDAP or by looking in the DB, using different Spring Security authentication providers.

When I use the database auth, I use UserDetailsService, which correctly checks if my user is notActive and throws DisabledException correctly.

But using LdapAuthenticationProvider this does not occur. Why?

Spring Security 2.0.1

Upvotes: 0

Views: 659

Answers (1)

kalyan

Reputation: 3106

Which LdapAuthenticator are you using? If you use BindAuthenticator it will bind as the given user; eventually the directory server should reject if the user account is disabled/expired.

I haven't used LdapAuthenticationProvider myself, but if it's not done automatically you can retrieve the UserDetails. The UserDetails class has a bunch of methods to check whether the account is enabled/locked/expired.

Upvotes: 1
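
Added example, not part of the answer above and not Spring Security's own code: one way to apply the suggested UserDetails checks is to wrap the LDAP provider in a hypothetical `AccountStatusCheckingProvider` and register the wrapper in its place. It uses the Spring Security 2.0.x package names and assumes the UserDetails returned by the delegate has its status flags populated from the directory (for example by a custom mapper), which the page does not confirm.

```java
import org.springframework.security.AccountExpiredException;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationServiceException;
import org.springframework.security.CredentialsExpiredException;
import org.springframework.security.DisabledException;
import org.springframework.security.LockedException;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.userdetails.UserDetails;

// Hypothetical wrapper (not a Spring class): delegates authentication, then
// enforces the UserDetails status flags before the result is accepted.
public class AccountStatusCheckingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate; // e.g. the LdapAuthenticationProvider bean

    public AccountStatusCheckingProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    public Authentication authenticate(Authentication request) throws AuthenticationException {
        Authentication result = delegate.authenticate(request); // bad credentials throw here
        if (result == null) {
            return null; // delegate abstained; ProviderManager tries the next provider
        }
        Object principal = result.getPrincipal();
        if (!(principal instanceof UserDetails)) {
            // Fail closed: without UserDetails the account status cannot be verified.
            throw new AuthenticationServiceException("Account status unavailable");
        }
        UserDetails user = (UserDetails) principal;
        if (!user.isAccountNonLocked()) {
            throw new LockedException("User account is locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("User is disabled");
        }
        if (!user.isAccountNonExpired()) {
            throw new AccountExpiredException("User account has expired");
        }
        if (!user.isCredentialsNonExpired()) {
            throw new CredentialsExpiredException("User credentials have expired");
        }
        return result;
    }

    public boolean supports(Class authentication) { // raw Class, as in the 2.0.x interface
        return delegate.supports(authentication);
    }
}
```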
