Major Description
in our portal a new created user has to confirm it's password via email.
So we set the password to NOT enabled after user creation:
User user = userManager.getUser(userName);
PasswordCredential pwc = userManager.getPasswordCredential(user);
pwc.setEnabled(false);
userManager.storePasswordCredential(pwc);
But the user can immediately log in, although the password is disabled.
I verified this in the database (security_credential.IS_ENABLED = 0).
The bug seems to be in the
UserPasswordCredentialManagerImpl.getAuthenticatedPasswordCredential
where isEnabled() is never checked !