SEC-1463: Users defined in XML can't login when their username contains capital #1703

spring-issuemaster opened this Issue Apr 22, 2010 · 5 comments



Hans Desmet (Migrated from SEC-1463) said:

The following users (see reference documentation), defined in XML, can login:

When the usernames begin with a capital, those users can't login.
When submitting the default form generated by you get an error: Your login attempt was not successful, try again. Reason: Bad credentials

When you define users in a database (via ) this problem doesn't occur.

Luke Taylor said:

Usernames aren't case insensitive. The code that checks this is the same - it only depends on the UserDetailsService, so it is most likely something to do with your database schema setup. If you disagree, please provide evidence that you can load an upper case name from a database and authenticate against it.

Hans Desmet said:

The problem occurs when you define the users in XML, NOT when you define them in a database.

You can see the problem with the following app (STS project attached)


UserNamesWithUperCaseLetters org.springframework.web.context.ContextLoaderListener contextConfigLocation /WEB-INF/springSecurity.xml springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /* index.html


<beans:beans xmlns="http://www.springframework.org/schema/security"





When you open the webapp with your browser and you type joe as username and joe as password you see index.html
When you open the webapp with your browser and you type Jack as username and jack as password you see the following error:
Your login attempt was not successful, try again.
Reason: Bad credentials

Luke Taylor said:

Ah, OK. I thought you were saying that the lookup was case-insensitive with the database, but not with the in-memory provider. Looking at the code, it turns out that the in-memory UserDetailsService is supposed to be case insensitive (names are stored in lower case). For some reason this seems to be an issue with the 3.0.x branch but not the master branch. The namespace parsing code creates a separate map without lower-case usernames. I will correct this and update the documentation to clarify that the username is case-insensitive for users.

The UserMap class should also be deprecated and the code for the in-memory UserDetailsService simplified.
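The mismatch described in the comment above, reduced to a stand-alone sketch. This is an added example, not part of the thread and not Spring Security's code: the class and method names are hypothetical, and the user definitions are constructed from the names used in the report. It shows a lookup that lower-cases the submitted name reading from a map populated without lower-casing, next to a population path that uses the same canonical form.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical in-memory user store (illustration only, not Spring Security classes).
public class CaseMismatchDemo {

    // One canonical form shared by the store and the lookup.
    // Locale.ROOT keeps the result independent of the JVM's default locale.
    static String canonical(String username) {
        return username.toLowerCase(Locale.ROOT);
    }

    // Lookup path: always lower-cases the submitted name before reading the map.
    static String loadUser(Map<String, String> users, String submitted) {
        return users.get(canonical(submitted));
    }

    // Mismatched population path: keys keep the case written in the configuration.
    static Map<String, String> buildWithoutNormalizing(String[][] defs) {
        Map<String, String> users = new HashMap<>();
        for (String[] d : defs) users.put(d[0], d[1]);
        return users;
    }

    // Consistent population path: keys use the same canonical form as the lookup,
    // and two definitions that collapse to the same key are rejected at startup.
    static Map<String, String> buildNormalized(String[][] defs) {
        Map<String, String> users = new HashMap<>();
        for (String[] d : defs) {
            if (users.putIfAbsent(canonical(d[0]), d[1]) != null) {
                throw new IllegalArgumentException("duplicate user: " + d[0]);
            }
        }
        return users;
    }

    public static void main(String[] args) {
        // Constructed sample definitions: {username, password}.
        String[][] defs = { {"joe", "joe"}, {"Jack", "jack"} };

        // Stored key is "Jack", lookup key is "jack": the read misses for this user only.
        Map<String, String> mismatched = buildWithoutNormalizing(defs);
        System.out.println("joe  -> " + loadUser(mismatched, "joe"));
        System.out.println("Jack -> " + loadUser(mismatched, "Jack"));

        // Same definitions with both sides canonicalized: any casing resolves to one entry.
        Map<String, String> consistent = buildNormalized(defs);
        System.out.println("Jack -> " + loadUser(consistent, "Jack"));
        System.out.println("JACK -> " + loadUser(consistent, "JACK"));
    }
}
```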

Wojciech Owczarczyk said:

I think this problem still persists (tested on Spring Security 3.1.0)

@spring-issuemaster spring-issuemaster added this to the 3.0.3 milestone Feb 5, 2016

This issue is related to #1704
