Spring security - Spring doesn't check on isAccountNonLocked for UserDetails on correct login

Question

I'm using Spring 2.5.6 and Spring security 2.0.

For login attempts I implements the UserDetails class on my User class. So the User class implements isAccountNonLocked() after a wrong login (dispatch the AuthenticationFailureBadCredentialsEvent, I handle this with a Eventlistener) Spring called this function from my User class to check if account is locked. I implements this as follow:

public boolean isAccountNonLocked() {
    if (this.getFailedLoginAttempts() >= MAX_FAILED_LOGIN_ATTEMPTS) {  
        return false;  
    }
    return this.accountNonLocked;  
}

This work great with bad credentials, but when I filled in the correct credentials he never call this function. So if you fill in the correct credentials he doesn't check if the User is locked , so he always logged in even if failedLoginAttempts is higher than MAX_FAILED_LOGIN_ATTEMPTS or if the account is locked.

I even implements the AuthenticationSuccessEvent and if you fill in correct credentials he is handle this registerd eventlistener( doing some stuff to set failedLoginAttempts back to 0 after a good login )

Is this a bug in Spring 2.5.6? or is it something I forgot...

Answer 1

Solved the problem.

I implements the function isAccountNonLocked in a Hibernate entity but my authenticationDao was a JBDC implementation instead of a HibernateDaoImpl. So after a custom implementation os UserDetails as HibernateDaoImpl problem was solved.

public class HibernateDaoImpl extends HibernateDaoSupport implements UserDetailsService {
    private         LoginDao        loginDao;
    private         UserroleDao     userroleDao;


    /* (non-Javadoc)
     * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
     */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        UserDetails login = loginDao.getLogin(username);

        return login;
    }

    /**
     * Loads authorities by executing the authoritiesByUsernameQuery.
     *  
     * @return a list of GrantedAuthority objects for the user
     */
    protected List loadUserAuthorities(String username) {
        return userroleDao.list(username);
    }

    public void setLoginDao(LoginDao loginDao) {
        this.loginDao = loginDao;
    }

    public void setUserroleDao(UserroleDao userroleDao) {
        this.userroleDao = userroleDao;
    }
}

And in the XML:

<b:bean id="authenticationDao1" class="com.logic8.panelmgm.support.HibernateDaoImpl" >
<b:property name="sessionFactory"><b:ref bean="sessionFactory"/></b:property>
<b:property name="loginDao"><b:ref bean="loginDao"/></b:property>
<b:property name="userroleDao"><b:ref bean="userroleDao"/></b:property>