I'm using Spring 2.5.6 and Spring security 2.0.
For login attempts I implements the UserDetails class on my User class. So the User class implements isAccountNonLocked()
after a wrong login (dispatch the AuthenticationFailureBadCredentialsEvent
, I handle this with a Eventlistener
) Spring called this function from my User class to check if account is locked. I implements this as follow:
public boolean isAccountNonLocked() {
if (this.getFailedLoginAttempts() >= MAX_FAILED_LOGIN_ATTEMPTS) {
return false;
}
return this.accountNonLocked;
}
This work great with bad credentials, but when I filled in the correct credentials he never call this function. So if you fill in the correct credentials he doesn't check if the User is locked , so he always logged in even if failedLoginAttempts
is higher than MAX_FAILED_LOGIN_ATTEMPTS
or if the account is locked.
I even implements the AuthenticationSuccessEvent
and if you fill in correct credentials he is handle this registerd eventlistener( doing some stuff to set failedLoginAttempts back to 0 after a good login )
Is this a bug in Spring 2.5.6? or is it something I forgot...