Description
ShiroRealm.doGetAuthenticationInfo() fetches the full DashboardUserVO from the database on every authenticated request, which includes the enabled field. However, it does not check this field. As a result, a user whose account is administratively disabled retains full access using any previously-issued JWT until the token expires (default 24 hours).
Affected File:
shenyu-admin/src/main/java/org/apache/shenyu/admin/shiro/config/ShiroRealm.java
Proposed Change:
Add an enabled check immediately after the null check in doGetAuthenticationInfo():
```java
if (!Boolean.TRUE.equals(dashboardUserVO.getEnabled())) {
    throw new AuthenticationException(
            String.format("user(%s) is disabled.", userName));
}
```
Acceptance Criteria:
A disabled user's JWT is rejected immediately on the next request after the account is disabled.
The fix requires no additional database queries (the enabled field is already loaded).
Existing tests for authentication pass; a new test covers the disabled-user case.
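To show the proposed check in context and the disabled-user case the acceptance criteria ask for, here is an added, self-contained sketch; it is not ShenYu's code. Only `ShiroRealm.doGetAuthenticationInfo()`, `DashboardUserVO.getEnabled()` and the check itself come from the issue; the lookup function, the stand-in `DashboardUserVO`, the constructed users and the assumption that the token's principal is the user name are hypothetical simplifications of the real realm and its database call.

```java
// Added example, not ShenYu's code. The lookup function replaces the DB query the
// real realm performs; the stand-in DashboardUserVO keeps only what the check needs.
import java.util.Map;
import java.util.function.Function;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class DisabledUserRealmExample {
    static class DashboardUserVO {                     // hypothetical stand-in
        final String password; final Boolean enabled;
        DashboardUserVO(String p, Boolean e) { password = p; enabled = e; }
        Boolean getEnabled() { return enabled; }
    }

    static class ShiroRealm extends AuthorizingRealm {  // hypothetical stand-in
        private final Function<String, DashboardUserVO> lookup;
        ShiroRealm(Function<String, DashboardUserVO> lookup) { this.lookup = lookup; }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) { return null; }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String userName = (String) token.getPrincipal();   // assumed: subject already extracted from the JWT
            DashboardUserVO dashboardUserVO = lookup.apply(userName);   // stands in for the per-request DB fetch
            if (dashboardUserVO == null) {
                throw new AuthenticationException(String.format("user(%s) does not exist.", userName));
            }
            // The proposed fix: Boolean.TRUE.equals() rejects both false and null, so a missing flag fails closed.
            if (!Boolean.TRUE.equals(dashboardUserVO.getEnabled())) {
                throw new AuthenticationException(String.format("user(%s) is disabled.", userName));
            }
            return new SimpleAuthenticationInfo(userName, dashboardUserVO.password, getName());
        }
    }

    public static void main(String[] args) {
        // Constructed users: "alice" is active, "bob" was disabled but still holds a valid-looking token.
        Map<String, DashboardUserVO> users = Map.of(
                "alice", new DashboardUserVO("pw", true),
                "bob", new DashboardUserVO("pw", false));
        ShiroRealm realm = new ShiroRealm(users::get);
        System.out.println("alice: " + realm.getAuthenticationInfo(new UsernamePasswordToken("alice", "pw")).getPrincipals());
        try { realm.getAuthenticationInfo(new UsernamePasswordToken("bob", "pw")); }
        catch (AuthenticationException e) { System.out.println("bob rejected: " + e.getMessage()); }
    }
}
```

The same two cases, written as a unit test with a mocked user lookup, are what the new test in the acceptance criteria would cover.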
Task List
No response