During my testing of Auth and User providers, I've managed to come across a rather strange situation:
I happen to be using the ntlm sasl authentication method (which doesn't use any of the AuthProviders as far as I can guess). I'm also using the LDAP User (and Group) providers, with a fairly restrictive filter: all users must have email addresses. (I think the bug can be duplicated by using ldap auth, db user provider, where the user does not exist in the database yet - or vice versa)
Now, if a user that doesn't have an email address tries to login - the auth provider succeeds (because the password was right), but the user account is not found (because of the ldap filter). What's happening at the moment is that the user is being granted an anonymous session, even though anonymous access is disabled!
I've noticed that in many of the Auth providers, after the user is successfully authenticated, there's a check to see if the user can be loaded by the UserProvider (`// See if the user exists in the database. If not, automatically create them.`). This code is currently duplicated over the many providers - and is almost identical. Auth factory is currently used by doPlainAuthentication in SASLAuthentication - I'm not sure if it's used anywhere else.
So, surely the (duplicated) "check if user account exists, and try to create it if it doesn't" code should be moved out of the Auth providers and into the SASL:authenticationSuccessful method. If the UserProvider is readonly (like LDAP), then the login should be rejected (authFailed). The user acct check will probably have to happen before the success reply is sent, and for ClientSessions only.
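The following is an added illustration of the proposed post-authentication check, not code from Openfire or from this report. The `UserProvider` interface, the `Outcome` values and the in-memory provider are simplified stand-ins chosen for the example and do not reproduce the project's real API; the usernames are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

public class PostAuthAccountCheck {

    /** Minimal stand-in for a user provider (assumed shape, not the project's interface). */
    interface UserProvider {
        boolean isReadOnly();
        boolean userExists(String username);
        void createUser(String username);
    }

    enum Outcome { SUCCESS, CREATED, FAILED_NO_ACCOUNT, SKIPPED_NOT_CLIENT }

    /**
     * Runs after the SASL exchange has verified the password but before the
     * success reply is sent. A correct password alone is not enough: the account
     * must also be loadable by the user provider, otherwise the login is rejected
     * instead of silently falling through to an anonymous session.
     */
    static Outcome checkAccount(UserProvider provider, String username, boolean isClientSession) {
        if (!isClientSession) {
            // Only client sessions need a user account (server-to-server does not).
            return Outcome.SKIPPED_NOT_CLIENT;
        }
        if (provider.userExists(username)) {
            return Outcome.SUCCESS;
        }
        if (provider.isReadOnly()) {
            // e.g. an LDAP filter that excludes this user: reject (authFailed).
            return Outcome.FAILED_NO_ACCOUNT;
        }
        // Writable provider (e.g. database): auto-create, as the providers do today.
        provider.createUser(username);
        return Outcome.CREATED;
    }

    /** In-memory provider used to exercise the check; read-only flag is configurable. */
    static class MemoryProvider implements UserProvider {
        private final Map<String, Boolean> users = new HashMap<>();
        private final boolean readOnly;

        MemoryProvider(boolean readOnly, String... existing) {
            this.readOnly = readOnly;
            for (String u : existing) {
                users.put(u, Boolean.TRUE);
            }
        }
        public boolean isReadOnly() { return readOnly; }
        public boolean userExists(String username) { return users.containsKey(username); }
        public void createUser(String username) {
            if (readOnly) {
                throw new UnsupportedOperationException("read-only provider");
            }
            users.put(username, Boolean.TRUE);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: "alice" passes the LDAP filter (has an email), "bob" does not.
        UserProvider ldap = new MemoryProvider(true, "alice");
        UserProvider db = new MemoryProvider(false, "alice");
        System.out.println("alice via read-only provider: " + checkAccount(ldap, "alice", true));
        System.out.println("bob via read-only provider:   " + checkAccount(ldap, "bob", true));
        System.out.println("bob via writable provider:    " + checkAccount(db, "bob", true));
        System.out.println("bob, non-client session:      " + checkAccount(db, "bob", false));
    }
}
```

The point of the ordering is that the decision is made once, in the SASL success path, rather than in each auth provider: a verified password never produces a session unless the account can also be loaded or created, so a filtered-out LDAP user gets `authFailed` instead of an anonymous session.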