Default user password shouldn't be logged if OAuth2 is being used #10531
Comments
I also noticed this "regression" when switching from 2.0.0M4 to 2.0.0M5 when not using OAuth but when using Pre Authenticated security such as SiteMinder.
We can make the bean lazy once this is taken care of.
I think we'd still need the bean to be lazy, so that it only logs the password if
@rwinch @jgrandja Given that spring-projects/spring-security#4795 has been declined, can you please describe how we should achieve our goal here?
I think the suggestion is to add
to I think it contradicts this slightly, specifically,
Since these two modes of authentication can be used together, it makes me wonder if not creating the
@mbhave You are right, it does contradict that statement. However, determining when to create a Other examples of where creating the In the end we want to ensure that the bean is not even defined if the user does not need it. Therefore, the previous approaches outlined of using
No description provided.