only active users should be able to login

scm-webapp/src/main/java/sonia/scm/web/security/BasicSecurityContext.java

@@ -129,58 +129,7 @@ public class BasicSecurityContext implements WebSecurityContext
 
     if ((ar != null) && (ar.getState() == AuthenticationState.SUCCESS))
     {
-      user = ar.getUser();
+      authenticate(request, password, ar);
-
-      try
-      {
-        Set<String> groupSet = createGroupSet(ar);
-
-        // check for admin user
-        checkForAuthenticatedAdmin(user, groupSet);
-
-        // store user
-        User dbUser = userManager.get(user.getName());
-
-        if (dbUser != null)
-        {
-          checkForDBAdmin(user, dbUser);
-        }
-
-        // create new user
-        else
-        {
-          userManager.create(user);
-        }
-
-        groups = groupSet;
-
-        if (logger.isDebugEnabled())
-        {
-          logGroups();
-        }
-
-        // store encrypted credentials in session
-        String credentials = user.getName();
-
-        if (Util.isNotEmpty(password))
-        {
-          credentials = credentials.concat(":").concat(password);
-        }
-
-        credentials = CipherUtil.getInstance().encode(credentials);
-        request.getSession(true).setAttribute(SCM_CREDENTIALS, credentials);
-      }
-      catch (Exception ex)
-      {
-        user = null;
-
-        if (groups != null)
-        {
-          groups.clear();
-        }
-
-        logger.error("authentication failed", ex);
-      }
     }
 
     return user;
@@ -261,25 +210,100 @@ public class BasicSecurityContext implements WebSecurityContext
    * Method description
    *
    *
-   * @param user
+   * @param request
-   * @param groupSet
+   * @param password
+   * @param ar
    */
-  private void checkForAuthenticatedAdmin(User user, Set<String> groupSet)
+  private void authenticate(HttpServletRequest request, String password,
+                            AuthenticationResult ar)
   {
-    if (!user.isAdmin())
+    user = ar.getUser();
-    {
-      user.setAdmin(isAdmin(groupSet));
 
-      if (logger.isDebugEnabled() && user.isAdmin())
+    try
     {
-        logger.debug("user '{}' is marked as admin by configuration",
+      Set<String> groupSet = createGroupSet(ar);
-                     user.getName());
+
+      // check for admin user
+      checkForAuthenticatedAdmin(user, groupSet);
+
+      // store user
+      User dbUser = userManager.get(user.getName());
+
+      if (dbUser != null)
+      {
+        checkDBForAdmin(user, dbUser);
+        checkDBForActive(user, dbUser);
+      }
+
+      // create new user
+      else
+      {
+        userManager.create(user);
+      }
+
+      if (user.isActive())
+      {
+        groups = groupSet;
+
+        if (logger.isDebugEnabled())
+        {
+          logGroups();
+        }
+
+        // store encrypted credentials in session
+        String credentials = user.getName();
+
+        if (Util.isNotEmpty(password))
+        {
+          credentials = credentials.concat(":").concat(password);
+        }
+
+        credentials = CipherUtil.getInstance().encode(credentials);
+        request.getSession(true).setAttribute(SCM_CREDENTIALS, credentials);
+      }
+      else
+      {
+        if (logger.isWarnEnabled())
+        {
+          logger.warn("user '{}' is deactivated", user.getName());
+        }
+
+        user = null;
+        groups = null;
       }
     }
-    else if (logger.isDebugEnabled())
+    catch (Exception ex)
     {
-      logger.debug("authenticator {} marked user '{}' as admin",
+      user = null;
-                   user.getType(), user.getName());
+
+      if (groups != null)
+      {
+        groups.clear();
+      }
+
+      logger.error("authentication failed", ex);
+    }
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param dbUser
+   */
+  private void checkDBForActive(User user, User dbUser)
+  {
+
+    // user is deactivated by database
+    if (!dbUser.isActive())
+    {
+      if (logger.isDebugEnabled())
+      {
+        logger.debug("user '{}' is marked as deactivated by local database");
+      }
+
+      user.setActive(false);
     }
   }
 
@@ -293,7 +317,7 @@ public class BasicSecurityContext implements WebSecurityContext
    * @throws IOException
    * @throws UserException
    */
-  private void checkForDBAdmin(User user, User dbUser)
+  private void checkDBForAdmin(User user, User dbUser)
           throws UserException, IOException
   {
 
@@ -317,6 +341,32 @@ public class BasicSecurityContext implements WebSecurityContext
     }
   }
 
+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param groupSet
+   */
+  private void checkForAuthenticatedAdmin(User user, Set<String> groupSet)
+  {
+    if (!user.isAdmin())
+    {
+      user.setAdmin(isAdmin(groupSet));
+
+      if (logger.isDebugEnabled() && user.isAdmin())
+      {
+        logger.debug("user '{}' is marked as admin by configuration",
+                     user.getName());
+      }
+    }
+    else if (logger.isDebugEnabled())
+    {
+      logger.debug("authenticator {} marked user '{}' as admin",
+                   user.getType(), user.getName());
+    }
+  }
+
   /**
    * Method description
    *

scm-webapp/src/main/java/sonia/scm/web/security/DefaultAuthenticationHandler.java

@@ -105,7 +105,8 @@ public class DefaultAuthenticationHandler implements AuthenticationHandler
     AuthenticationResult result = null;
     User user = userManager.get(username);
 
-    if (user != null)
+    // return not found, if the user is not active
+    if (user != null && user.isActive())
     {
       if (userManager.getDefaultType().equals(user.getType()))
       {