SEC-1156: Added check for enableAuthorities setting in deleteUser method of JdbcUserDetailsManager.

core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java

@@ -31,10 +31,10 @@ import java.util.List;
  * Jdbc user management service, based on the same table structure as its parent class, <tt>JdbcDaoImpl</tt>.
  * <p>
  * Provides CRUD operations for both users and groups. Note that if the {@link #setEnableAuthorities(boolean)
- * enableAuthorities} property is set to false, calls to createUser and updateUser will not store the
+ * enableAuthorities} property is set to false, calls to createUser, updateUser and deleteUser will not store the
- * authorities from the <tt>UserDetails</tt>. Since this class cannot differentiate between authorities which were
+ * authorities from the <tt>UserDetails</tt> or delete authorities for the user. Since this class cannot differentiate
- * loaded for an individual or for a group of which the individual is a member, it's important that you take this
+ * between authorities which were loaded for an individual or for a group of which the individual is a member,
- * into account when using this implementation for managing your users.
+ * it's important that you take this into account when using this implementation for managing your users.
  *
  * @author Luke Taylor
  * @version $Id$
@@ -178,7 +178,9 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
     }
 
     public void deleteUser(String username) {
-        deleteUserAuthorities(username);
+        if (getEnableAuthorities()) {
+            deleteUserAuthorities(username);
+        }
         getJdbcTemplate().update(deleteUserSql, new Object[] {username});
         userCache.removeUserFromCache(username);
     }