- Set the principal in the security context
- Refuse password reset request for locked and disabled accounts