NOT calling setPlainPassword() as this clears the password property #1
eraseCredentials() is called after login, just to make sure you don't store any
I hope this helps - this is a very common problem to hit - your other setup looks very cool :).
eraseCredentials() is called after login, just to make sure you don't store any plain text passwords on the User object and put it into the session or something. However, by calling setPlainPassword(), not only was the plainPassword cleared, the encoded `password` property was *also* cleared. This meant that the User object was serialized into the session with *no* password. On the next request, when the User was refreshed, the refreshed User object and the serialized User object appeared to have different passwords, suggesting that the user had changed his password remotely and our session should be terminated.
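The failure mode described in the commit message above, as an added example that is not code from this pull request: a framework-free PHP model of the session mismatch. The `User` class, `sessionSurvivesRefresh()` and `simulateLogin()` are hypothetical stand-ins, and the setter's side effect of clearing `password` is assumed from the message.

```php
<?php
// Constructed, framework-free model; all names here are hypothetical.
class User
{
    public ?string $password = null;      // encoded hash (persisted)
    public ?string $plainPassword = null; // transient, never persisted

    public function setPlainPassword(?string $plain): void
    {
        $this->plainPassword = $plain;
        // Side effect assumed from the commit message: the hash is cleared too.
        $this->password = null;
    }

    // Before the fix: goes through the setter, so the hash is wiped as well.
    public function eraseCredentialsBuggy(): void
    {
        $this->setPlainPassword(null);
    }

    // After the fix: clears only the transient property.
    public function eraseCredentialsFixed(): void
    {
        $this->plainPassword = null;
    }
}

// Stand-in for the comparison made when the user is refreshed on the next request.
function sessionSurvivesRefresh(User $fromSession, User $fromStorage): bool
{
    return $fromSession->password === $fromStorage->password;
}

function simulateLogin(bool $buggy): bool
{
    $hash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
    $user = new User();
    $user->password = $hash;
    if ($buggy) { $user->eraseCredentialsBuggy(); } else { $user->eraseCredentialsFixed(); }

    $inSession = unserialize(serialize($user)); // copy stored in the session
    $reloaded = new User();                     // fresh copy from storage
    $reloaded->password = $hash;
    return sessionSurvivesRefresh($inSession, $reloaded);
}

var_dump(simulateLogin(true), simulateLogin(false));
```

The buggy path serializes a `null` password and fails the comparison, while the fixed path keeps the hash in the session copy and passes it.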