[Task] Enforce account enabled check on every authenticated request in ShiroRealm #6399

@Aias00

Description

ShiroRealm.doGetAuthenticationInfo() fetches the full DashboardUserVO from the database on every authenticated request, which includes the enabled field. However, it does not check this field. As a result, a user whose account is administratively disabled retains full access using any previously-issued JWT until the token expires (default 24 hours).
Affected File:

shenyu-admin/src/main/java/org/apache/shenyu/admin/shiro/config/ShiroRealm.java
Proposed Change:

Add an enabled check immediately after the null check in doGetAuthenticationInfo():
```java
if (!Boolean.TRUE.equals(dashboardUserVO.getEnabled())) {
    throw new AuthenticationException(
            String.format("user(%s) is disabled.", userName));
}
```
Acceptance Criteria:

A disabled user's JWT is rejected immediately on the next request after the account is disabled.
The fix requires no additional database queries (the enabled field is already loaded).
Existing tests for authentication pass; a new test covers the disabled-user case.
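As an added illustration (not code from this issue or from the ShenYu project), the following stand-alone Java program shows the proposed check wired into a minimal Shiro `AuthorizingRealm` with the same shape as `doGetAuthenticationInfo()`, and drives it with a constructed in-memory user table. `UserRecord`, `EnabledCheckingRealm`, `DisabledUserDemo` and the `Function`-based lookup are hypothetical stand-ins for ShenYu's `DashboardUserVO` and its service layer; the password token is a placeholder for the JWT the real realm receives. It needs only `shiro-core` on the classpath.

```java
import java.util.Map;
import java.util.function.Function;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical stand-in for DashboardUserVO: only the fields this check needs. */
final class UserRecord {
    final String userName;
    final Boolean enabled;

    UserRecord(String userName, Boolean enabled) {
        this.userName = userName;
        this.enabled = enabled;
    }

    Boolean getEnabled() {
        return enabled;
    }
}

/** Hypothetical realm mirroring the shape of ShiroRealm.doGetAuthenticationInfo(). */
final class EnabledCheckingRealm extends AuthorizingRealm {
    // Assumed: a lookup that returns the already-loaded user row (null if absent),
    // so the enabled check costs no extra database query.
    private final Function<String, UserRecord> lookup;

    EnabledCheckingRealm(Function<String, UserRecord> lookup) {
        this.lookup = lookup;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String userName = (String) token.getPrincipal();
        UserRecord user = lookup.apply(userName);
        if (user == null) {
            throw new AuthenticationException(String.format("user(%s) does not exist.", userName));
        }
        // The check proposed in the issue: anything other than an explicit TRUE
        // (false or null) is treated as disabled, so the realm fails closed.
        if (!Boolean.TRUE.equals(user.getEnabled())) {
            throw new AuthenticationException(String.format("user(%s) is disabled.", userName));
        }
        // Echo the presented credentials so the default SimpleCredentialsMatcher accepts them;
        // the real realm validates a JWT here instead.
        return new SimpleAuthenticationInfo(userName, token.getCredentials(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo();
    }
}

public final class DisabledUserDemo {
    public static void main(String[] args) {
        // Constructed sample data: one active user, one disabled, one with an unset flag.
        Map<String, UserRecord> users = Map.of(
                "admin", new UserRecord("admin", Boolean.TRUE),
                "alice", new UserRecord("alice", Boolean.FALSE),
                "bob", new UserRecord("bob", null));
        EnabledCheckingRealm realm = new EnabledCheckingRealm(users::get);

        for (String name : new String[] {"admin", "alice", "bob", "carol"}) {
            try {
                // getAuthenticationInfo() runs doGetAuthenticationInfo() and then the credentials match,
                // i.e. the same path a Shiro SecurityManager takes on every authenticated request.
                realm.getAuthenticationInfo(new UsernamePasswordToken(name, "placeholder-token"));
                System.out.println(name + ": accepted");
            } catch (AuthenticationException e) {
                System.out.println(name + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Because the realm runs on every request, the rejection takes effect on the first request after the flag is flipped, with no dependency on token expiry; a test for the disabled case only needs to flip `enabled` to `false` for an existing user and assert that `getAuthenticationInfo()` throws `AuthenticationException`.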
