SEC-1065: Password is not accessible from UserDetails instance when authenticate from ldap #1316

Closed
spring-issuemaster opened this Issue Dec 21, 2008 · 3 comments

@spring-issuemaster

Tony Dalbrekt (Migrated from SEC-1065) said:

Since our LDAP doesn’t return the password when authenticating a user it is not available in the DirContextOperations instance and therefore not populated in the UserDetails instance by the LdapUserDetailsMapper#mapUserFromContext(…).
This causes the method TokenBasedRememberMeServices#retrievePassword(…) to return null since UserDetails#getPassword() returns null. The password is still available in Authentication#getCredentials() and a solution is to let the method retrievePassword(…) return the credentials if no password is found in the UserDetails instance.

Submitting a patch resolving this issue.

@spring-issuemaster

Luke Taylor said:

I’m not clear on how the autoLogin part of TokenBasedRememberMeServices is supposed to work with this patch. Since you can’t retrieve the password from your LDAP server, it won’t be possible to validate the remember-me cookie when it is submitted at a later time.

@spring-issuemaster

Tony Dalbrekt said:

Aah, absolutely right. I realize that now after some more digging. Guess you can close or remove this issue. Thanks!

@spring-issuemaster

Luke Taylor said:

Ok. Closing the issue as requested. You should still be able to work with the persistent remember-me version.
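
Added example, not part of the original thread and not Spring Security's own code: a simplified model of the hash-based remember-me cookie, base64(username:expiry:md5Hex(username:expiry:password:key)), showing why validating the cookie at autoLogin needs the password again. The class name, key, username and passwords are constructed for the demo, and rejecting a null password is this sketch's choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class RememberMeTokenDemo {
    // Hypothetical server-side key (constructed value).
    static final String KEY = "demo-remember-me-key";

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // The signature covers the password, so it can only be recomputed by a party that has it.
    static String signature(String user, long expiry, String password) throws Exception {
        return md5Hex(user + ":" + expiry + ":" + password + ":" + KEY);
    }

    static String makeCookie(String user, long expiry, String password) throws Exception {
        String raw = user + ":" + expiry + ":" + signature(user, expiry, password);
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // autoLogin side: no Authentication exists yet, only the password of the reloaded user.
    static boolean validate(String cookie, String reloadedPassword, long now) throws Exception {
        String[] p = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
        if (p.length != 3) return false;
        long expiry = Long.parseLong(p[1]);
        if (expiry < now) return false;
        if (reloadedPassword == null) return false; // nothing to recompute the signature from
        byte[] expected = signature(p[0], expiry, reloadedPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis(), expiry = now + 14L * 24 * 3600 * 1000;
        // Login with the proposed fallback: cookie signed using Authentication#getCredentials().
        String cookie = makeCookie("tony", expiry, "s3cret");
        // Later request, LDAP user: the reloaded UserDetails carries no password.
        System.out.println("LDAP user, password null: " + validate(cookie, null, now));
        // A user store that returns the password can recompute the signature.
        System.out.println("Store returns password:   " + validate(cookie, "s3cret", now));
        // Password changed since login: the old cookie stops validating.
        System.out.println("Password changed:         " + validate(cookie, "n3w", now));
    }
}
```

The persistent remember-me variant mentioned in the last comment avoids this dependency because it validates the cookie against a token stored on the server rather than against a hash that includes the password.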

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016