diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
index 6cb4b49cf..28755fc73 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
@@ -92,6 +92,9 @@ public abstract class Authenticator {
 * Behavior when userAccount is null depends on the particular
 * Authenticator. An answer of "true" presumably means that the user will be
 * permitted to login and create an account on the fly.
+ *
+ * Note that this method may rely on the HttpServletRequest object that was
+ * provided to the factory when this instance was created.
 */
 public abstract boolean isUserPermittedToLogin(UserAccount userAccount);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
index 918630107..3e3aa3d97 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
@@ -142,7 +142,10 @@ public class BasicAuthenticator extends Authenticator {
 @Override
 public void recordLoginAgainstUserAccount(UserAccount userAccount,
- AuthenticationSource authSource) {
+ AuthenticationSource authSource) throws LoginNotPermitted {
+ if (!isUserPermittedToLogin(userAccount)) {
+ throw new LoginNotPermitted();
+ }
 if (userAccount == null) {
 log.error("Trying to record the login of a null user. ");
 return;
diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
index 84fba7c0d..65c44b184 100644
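Review bot: In `BasicAuthenticator.recordLoginAgainstUserAccount` the new `isUserPermittedToLogin(userAccount)` call sits above the existing `if (userAccount == null)` guard, so a null account now reaches the permission check before it is rejected. The Javadoc in Authenticator.java says the null case "depends on the particular Authenticator", and this class's implementation is not visible in the hunk, so the call may throw `LoginNotPermitted` or dereference null where the method used to log and return; moving the null guard above the new check would keep that path unchanged. The refusal is also raised with no log entry and no message, which leaves denied logins invisible to anyone reviewing authentication activity; once the null guard is first, a line such as `log.info("Login not permitted for account " + userAccount.getUri());` before the `throw` would record them. The method body continues past the end of the hunk.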
--- a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java +++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java @@ -137,7 +137,11 @@ public class AuthenticatorStub extends Authenticator { @Override public void recordLoginAgainstUserAccount(UserAccount userAccount, - AuthenticationSource authSource) { + AuthenticationSource authSource) throws LoginNotPermitted { + if (!isUserPermittedToLogin(userAccount)) { + throw new LoginNotPermitted(); + } + recordedLogins.add(userAccount.getEmailAddress()); LoginStatusBean lsb = new LoginStatusBean(userAccount.getUri(),