
SEC-1804: User is said to be immutable but eraseCredentials() remove password resulting in UserDetailsManager side effect #2036

spring-issuemaster opened this Issue Aug 25, 2011 · 2 comments



Ludovic Praud (Migrated from SEC-1804) said:

Since spring-security 3.0.6 (which is released to maven repo but not marked as it in JIRA), org.springframework.security.core.userdetails.User.eraseCredentials() is called by org.springframework.security.core.AuthenticationException.AuthenticationException(String, Object) after an authentication failure.

As I use an in-memory org.springframework.security.core.userdetails.UserDetailsService implementation which retrieves a User using UserDetailsService#loadUserByUsername, the in-memory User has its password cleared on such an authentication failure. So after an authentication failure, I cannot log in anymore because the User password is null.

The User class claims to be immutable, but eraseCredentials() erases the password member, resulting in side effects. It should really be immutable, or it should be indicated in the javadoc that UserDetailsService#loadUserByUsername must return a copy of the User.

Ludovic Praud said:

related to SEC-1493

Luke Taylor said:

Thanks for the report. I've modified the in-memory database to create a copy of the User object it returns.
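The side effect in the report and the copy-on-load fix in the reply above, as an added illustration that is not Spring Security's code and not the actual fix: plain Java with stand-in classes (the names User, InMemoryUserService and EraseCredentialsDemo are assumptions) modelling a user object whose eraseCredentials() nulls the password in place, an in-memory service that hands out either the stored instance or a copy, and an authentication step that erases credentials on whatever object it was given, on failure as well as success.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Stand-in for a UserDetails object (assumption, not Spring's class): the
// password field is not final because eraseCredentials() mutates it in place.
final class User {
    private final String username;
    private String password;
    private final Set<String> authorities;

    User(String username, String password, Set<String> authorities) {
        this.username = username;
        this.password = password;
        this.authorities = Collections.unmodifiableSet(authorities);
    }

    String getUsername() { return username; }
    String getPassword() { return password; }
    Set<String> getAuthorities() { return authorities; }

    // Called by the framework after authentication so the credential does not
    // linger on the Authentication object. This is the mutation the report describes.
    void eraseCredentials() { this.password = null; }
}

// Stand-in for an in-memory UserDetailsService (assumption). copyOnLoad=false
// reproduces the reported behaviour (hand out the stored instance); copyOnLoad=true
// models the fix (hand out a fresh copy, so erasure cannot reach the store).
final class InMemoryUserService {
    private final Map<String, User> users = new HashMap<>();
    private final boolean copyOnLoad;

    InMemoryUserService(boolean copyOnLoad) { this.copyOnLoad = copyOnLoad; }

    void createUser(User user) { users.put(user.getUsername(), user); }

    User loadUserByUsername(String username) {
        User stored = users.get(username);
        if (stored == null) {
            throw new IllegalArgumentException("no such user: " + username);
        }
        return copyOnLoad
            ? new User(stored.getUsername(), stored.getPassword(), stored.getAuthorities())
            : stored;
    }
}

public class EraseCredentialsDemo {
    // Simulated provider: load the user, compare the presented password, then erase
    // credentials on the loaded object regardless of the outcome.
    static boolean authenticate(InMemoryUserService service, String username, String presented) {
        User user = service.loadUserByUsername(username);
        boolean ok = user.getPassword() != null && user.getPassword().equals(presented);
        user.eraseCredentials();
        return ok;
    }

    // True if a correct login still succeeds after one failed attempt for the same user.
    static boolean survivesFailedAttempt(boolean copyOnLoad) {
        InMemoryUserService service = new InMemoryUserService(copyOnLoad);
        // Constructed sample account; the password is a placeholder value.
        service.createUser(new User("alice", "s3cret", Collections.singleton("ROLE_USER")));
        authenticate(service, "alice", "wrong-password"); // failure still erases credentials
        return authenticate(service, "alice", "s3cret");
    }

    public static void main(String[] args) {
        System.out.println("shared instance: second login ok = " + survivesFailedAttempt(false));
        System.out.println("copy on load:    second login ok = " + survivesFailedAttempt(true));
    }
}
```

With the shared instance the first failed attempt nulls the password held in the map, so every later comparison against the stored user fails; with a copy per load the store is untouched and the second attempt succeeds. The general rule the fix encodes: anything that will be mutated by a credential-erasing step must be a per-request object, never the backing store's own instance.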

spring-issuemaster added this to the 3.0.7 milestone Feb 5, 2016
