SEC-1154: LdapAuthenticationProvider.createSuccessfulAuthentication() returned object should include authentication.getDetails() if using useAuthenticationRequestCredentials #1406

spring-issuemaster opened this Issue May 5, 2009 · 3 comments



Juan Pablo Santos (Migrated from SEC-1154) said:

The createSuccessfulAuthentication(UsernamePasswordAuthenticationToken auth, UserDetails user) method from LdapAuthenticationProvider returns a new UsernamePasswordAuthenticationToken based on auth's password, depending on the useAuthenticationRequestCredentials boolean.

In the case this happens, shouldn't the returned object also include auth.getDetails()? I.e., something like:

    protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user) {
        Object password = useAuthenticationRequestCredentials ? authentication.getCredentials() : ((Object) (user.getPassword()));
        if (useAuthenticationRequestCredentials) {
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
            // Copy the details of the original authentication request onto the returned token
            token.setDetails(authentication.getDetails());
            return token;
        }
        return new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
    }

(As part of our current project, we are building a custom authenticationProvider which extends LdapAuthenticationProvider, and we expected this behaviour. Not very sure whether this should be marked as a bug or as an improvement, though.)

Luke Taylor said:

Closing as a duplicate of SEC-1084.

Juan Pablo Santos said:

ouch, didn't find 1084 :-s thanks anyway

spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016

This issue duplicates #1335
