SEC-1065: Password is not accessible from UserDetails instance when authenticate from ldap #1316

spring-issuemaster opened this Issue Dec 21, 2008 · 3 comments



Tony Dalbrekt (Migrated from SEC-1065) said:

Since our LDAP doesn’t return the password when authenticating a user it is not available in the DirContextOperations instance and therefore not populated in the UserDetails instance by the LdapUserDetailsMapper#mapUserFromContext(…).
This causes the method TokenBasedRememberMeServices#retrievePassword(…) to return null since UserDetails#getPassword() returns null. The password is still available in Authentication#getCredentials() and a solution is to let the method retrievePassword(…) return the credentials if no password is found in the UserDetails instance.

Submitting a patch resolving this issue.

Luke Taylor said:

I’m not clear on how the autoLogin part of TokenBasedRememberMeServices is supposed to work with this patch. Since you can’t retrieve the password from your LDAP server, it won’t be possible to validate the remember-me cookie when it is submitted at a later time.

Tony Dalbrekt said:

Aah, absolutely right. I realize that now after some more digging. Guess you can close or remove this issue. Tnx!

Luke Taylor said:

Ok. Closing the issue as requested. You should still be able to work with the persistent remember-me version.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
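
The validation problem raised in the thread, as an added example that is not part of the original issue and not Spring Security's own code: a simplified model of the hash-based remember-me token (base64 of `username:expiry:MD5(username:expiry:password:key)`), showing that signing at login with the submitted credentials does not help when the password cannot be retrieved again at auto-login. The class name, method names, key and sample user are assumptions; `HexFormat` requires Java 17.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HexFormat;

public class RememberMeTokenDemo {
    static final String KEY = "constructed-server-key"; // constructed sample value

    // Signature of the hash-based scheme: MD5(username:expiry:password:key)
    static String signature(String user, long expiry, String password) throws Exception {
        String data = user + ":" + expiry + ":" + password + ":" + KEY;
        byte[] d = MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    // Login side: cookie value is base64(username:expiry:signature)
    static String makeCookie(String user, long expiry, String password) throws Exception {
        String raw = user + ":" + expiry + ":" + signature(user, expiry, password);
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Auto-login side: only the cookie and UserDetails#getPassword() are available
    static boolean validate(String cookie, String storedPassword, long now) throws Exception {
        String[] p = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
        if (p.length != 3) return false;
        long expiry;
        try { expiry = Long.parseLong(p[1]); } catch (NumberFormatException e) { return false; }
        if (expiry < now) return false;
        if (storedPassword == null) return false; // nothing to recompute the signature with
        byte[] expected = signature(p[0], expiry, storedPassword).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the recomputed and presented signatures
        return MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        long expiry = now + 1_209_600_000L; // two weeks
        // With the proposed patch, login would sign using Authentication#getCredentials()
        String cookie = makeCookie("tony", expiry, "s3cret-from-credentials");
        System.out.println("password retrievable:  " + validate(cookie, "s3cret-from-credentials", now));
        System.out.println("LDAP bind, null passwd: " + validate(cookie, null, now));
    }
}
```

The persistent remember-me variant mentioned in the last comment avoids this because it looks the presented token up in server-side storage instead of recomputing a hash over the password.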
