I am working on a web application that uses Spring Security 3.0.7 to authenticate users either by username and password or via OpenID. Now I need to disable some accounts. At first I could not find the relevant documentation, but eventually I found User.isEnabled():
Indicates whether the user is enabled or disabled. A disabled user cannot be authenticated.
The value for this flag is specified in the constructor.
When authenticating through the login form this works fine. Unfortunately, Spring's OpenID support seems to ignore the flag completely. I turned logging up as far as it goes, and this is what I see in the log:
DEBUG org.springframework.security.openid.OpenIDAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: [org.springframework.security.openid.OpenIDAuthenticationToken@66348da1: Principal: mypackage.UserInfo@ddd49b1b: Username: cbada36792e42a3be5a5e0f77d14e918186c7e3f; Password: [PROTECTED]; Enabled: false; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 1arhd8er0sj1yynglq8linpnb; Granted Authorities: ROLE_USER, attributes: []]
How can authentication succeed for a disabled account? (The same thing happens if I try to lock my account.)
Did I miss something important, or is this just a bug? Any ideas on what to look for, or what else I should be logging?
My XML configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <global-method-security secured-annotations="enabled">
    </global-method-security>

    <http use-expressions="true" auto-config="true">
        <intercept-url pattern="/" access="permitAll" />
        <form-login login-page="/" authentication-success-handler-ref="loginSuccessHandler" />
        <remember-me data-source-ref="dataSource" user-service-ref="myUserDetails" />
        <openid-login user-service-ref="openIdAuth"
                      authentication-success-handler-ref="loginSuccessHandler"
                      authentication-failure-handler-ref="openIdFailureHandler">
            <attribute-exchange>
                <openid-attribute name="email" type="http://axschema.org/contact/email" required="true" />
                <openid-attribute name="name" type="http://axschema.org/namePerson" />
            </attribute-exchange>
        </openid-login>
        <logout success-handler-ref="logoutSuccessHandler" />
    </http>

    <authentication-manager>
        <authentication-provider ref="daoAuthenticationProvider" />
    </authentication-manager>

    <beans:bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="myUserDetails" />
        <beans:property name="saltSource" ref="saltSource" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
        <beans:property name="preAuthenticationChecks">
            <beans:bean class="org.springframework.security.authentication.AccountStatusUserDetailsChecker" />
        </beans:property>
    </beans:bean>

</beans:beans>
Here myUserDetails is my bean that loads the user from the database and returns a simple subclass of User:
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;

public class UserInfo extends User {

    public UserInfo(UserEntity user) {
        super(user.getUserName(),
              user.getPassword(),
              !user.isDisabled(),   // enabled: false for a disabled account
              true,                 // accountNonExpired
              true,                 // credentialsNonExpired
              true,                 // accountNonLocked
              // The snippet in the question is cut off after the enabled flag; the
              // remaining arguments are assumed from the flags and role in the log above.
              AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
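The log above shows that the account-status flags travel with the principal on the OpenID path, but nothing evaluates them there, whereas the DAO provider in the XML runs AccountStatusUserDetailsChecker as its preAuthenticationChecks. The following is an added example, not code from the question, of one way to apply the same checker to any other provider: a decorating AuthenticationProvider that re-checks the returned principal and fails closed. The class name AccountStatusCheckingProvider is invented here, and how the decorator is substituted for the OpenIDAuthenticationProvider that the <openid-login> element registers internally is an assumption this example does not show.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

/**
 * Wraps another AuthenticationProvider (intended here for the OpenID one) and
 * re-applies the standard account-status checks to whatever principal it
 * returns, so a disabled, locked or expired account is rejected on that path
 * as well. Hypothetical class written for this example, not part of Spring
 * Security or of the question's code.
 */
public class AccountStatusCheckingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    // The same checker the question's DaoAuthenticationProvider is configured with.
    // It throws DisabledException, LockedException or AccountExpiredException.
    private final UserDetailsChecker statusChecker = new AccountStatusUserDetailsChecker();

    public AccountStatusCheckingProvider(AuthenticationProvider delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate must not be null");
        }
        this.delegate = delegate;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            // Delegate declined to handle this token; let the ProviderManager try the next one.
            return null;
        }
        Object principal = result.getPrincipal();
        if (!(principal instanceof UserDetails)) {
            // Fail closed: if we cannot see the status flags we must not grant access,
            // otherwise a provider returning a bare string principal would bypass the check.
            throw new AuthenticationServiceException(
                    "Cannot verify account status: principal is not a UserDetails instance");
        }
        statusChecker.check((UserDetails) principal);
        return result;
    }

    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Because the checker throws subclasses of AuthenticationException, a rejected login on the OpenID path ends up in the configured openIdFailureHandler just like a bad password does on the form path. The fail-closed branch matters: the question's config gives the OpenID provider a user-service-ref, so its principal is a UserDetails, but a decorator that silently skipped non-UserDetails principals would recreate the very gap it is meant to close.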