SEC-1538: Reduce number of pre-authenticated AuthenticationDetails implementations #1780

Closed
spring-issuemaster opened this Issue Aug 12, 2010 · 3 comments


@spring-issuemaster

Luke Taylor (Migrated from SEC-1538) said:

I don't believe we need PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails and PreAuthenticatedGrantedAuthoritiesAuthenticationDetails. If they are used at all, it is in a minority of situations where a custom implementation should be used. Pre-authentication is part of the web module and assumes a dependency on the servlet API, so these extra implementations seem largely redundant.

@spring-issuemaster

Luke Taylor said:

Most of the non-web classes seem to be there only to prop up the WebSphere2SpringSecurityPropagationInterceptor class (which has somehow slipped into the web module). Rather than remove this immediately, I've deprecated it, along with the supporting classes. Setting up a security context for use by a bean shouldn't be something that is only available for WebSphere, and it has wider applicability (for example, setting up the invocation of an external service with a particular set of credentials). There is also an overlap with the concept of a "run-as" user.

@spring-issuemaster

Luke Taylor said:

See SEC-1539 for planned replacement of WebSphere2SpringSecurityPropagationInterceptor.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
@spring-issuemaster

This issue is related to #1781
