Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1371: LdapUserDetailsManager - createUser method should not wipe out all Authorities before bind #1614

spring-issuemaster opened this Issue Jan 15, 2010 · 2 comments


None yet
1 participant

Kenny West (Migrated from SEC-1371) said:

We have run across an issue when attempting to create a new user.

First, all authorities are wiped out for the user, THEN the bind is attempted.

If the bind fails because the user already exists, this leaves us with a user with no authorities.

Here is the code in LdapUserDetailsManager:

public void createUser(UserDetails user) {
    DirContextAdapter ctx = new DirContextAdapter();
    copyToContext(user, ctx);
    DistinguishedName dn = usernameMapper.buildDn(user.getUsername());
    // Check for any existing authorities which might be set for this DN
    GrantedAuthority[] authorities = getUserAuthorities(dn, user.getUsername());

    if (authorities.length > 0) {
        removeAuthorities(dn, authorities);

    logger.debug("Creating new user '"+ user.getUsername() + "' with DN '" + dn + "'");

    template.bind(dn, ctx, null);

    addAuthorities(dn, user.getAuthorities());

Would there be any harm in moving the removeAuthorities call after the template.bind call ?

Luke Taylor said:

The userExists() method is there to allow you to check whether an account already exists prior to attempting to create it, so you would typically use this as part of your user creation workflow.

It still makes more sense to attempt the bind first though.

Luke Taylor said:

OK, I've made the change. You should probably still delete an existing user and their authorities before creating one with the same name though.

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment