Juan Pablo Santos (Migrated from SEC-1154) said:
The createSuccessfulAuthentication(UsernamePasswordAuthenticationToken auth, UserDetails user) method from LdapAuthenticationProvider returns a new UsernamePasswordAuthenticationToken based on auth's password, depending on the useAuthenticationRequestCredentials boolean.
In the case this happens, shouldn't the returned object also include auth.getDetails()? I.e., something like:
    protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user) {
        Object password = useAuthenticationRequestCredentials ? authentication.getCredentials() : user.getPassword();
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
        // Copy the details of the original request (auth.getDetails()) onto the returned token
        token.setDetails(authentication.getDetails());
        return token;
    }
(As part of our current project, we are building a custom authenticationProvider which extends LdapAuthenticationProvider, and we expected this behaviour. Not very sure whether this should be marked as a bug or as an improvement, though.)
Luke Taylor said:
Closing as a duplicate of SEC-1084.
Juan Pablo Santos said:
ouch, didn't find 1084 :-s thanks anyway
This issue duplicates #1335