- the user account is expired or locked
- the user is enabled or not
- credentials are expired or not
By default, Spring configures a DaoAuthenticationProvider instance, and registers it in the default authentication manager. The main purpose of this provider is to let software developers choose the way they want to store UserDetails by setting an object implementing UserDetailsService. Such services have one function: load a user's details from its name. That's it! It can be a database, an in-memory database, etc...
If you want to implement your own UserDetailsService, Marc Serrano has provided a detailed example using a JPA Repository which eliminates a lot of the boiler-plate code. Such repositories are part of the Spring JPA Data features.
To implement a customized user and corresponding persistence, see the example available here.
More Spring related posts here.