Ludovic Praud (Migrated from SEC-1804) said:
Since spring-security 3.0.6 (which is released to the Maven repo but not marked as such in JIRA), org.springframework.security.core.userdetails.User.eraseCredentials() is called by org.springframework.security.core.AuthenticationException.AuthenticationException(String, Object) after an authentication failure.
As I use an in-memory org.springframework.security.core.userdetails.UserDetailsService implementation which retrieves a User using UserDetailsService#loadUserByUsername, the in-memory User has its password cleared on such an authentication failure. So after an authentication failure, I cannot log in anymore because the User password is null.
The User class claims to be immutable, but eraseCredentials() erases the password member, resulting in side effects. It should really be immutable, or it should be indicated in the javadoc that UserDetailsService#loadUserByUsername must return a copy of the User.
Ludovic Praud said:
related to SEC-1493
Luke Taylor said:
Thanks for the report. I've modified the in-memory database to create a copy of the User object it returns.
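To illustrate the defensive-copy approach described in this thread, here is an added example (hypothetical code, not Spring Security's own in-memory implementation or the actual fix). It assumes the public Spring Security `User`, `UserDetailsService` and `AuthorityUtils` API; the class name `CopyingInMemoryUserDetailsService` and the sample user are constructed for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical in-memory UserDetailsService that hands out a fresh copy of the
 * stored User on every lookup. eraseCredentials(), which AuthenticationException
 * invokes after a failed login, then only blanks the copy given to the
 * authentication provider and never the record kept in the map.
 */
public class CopyingInMemoryUserDetailsService implements UserDetailsService {

    private final Map<String, UserDetails> users = new ConcurrentHashMap<>();

    public void createUser(UserDetails user) {
        users.put(user.getUsername().toLowerCase(), user);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails stored = users.get(username.toLowerCase());
        if (stored == null) {
            throw new UsernameNotFoundException(username);
        }
        // Defensive copy: User.eraseCredentials() nulls the password field in place,
        // so the caller must never receive the instance that lives in the map.
        return new User(stored.getUsername(), stored.getPassword(), stored.isEnabled(),
                stored.isAccountNonExpired(), stored.isCredentialsNonExpired(),
                stored.isAccountNonLocked(), stored.getAuthorities());
    }

    /** Shows that erasing credentials on the returned copy leaves the stored record usable. */
    public static void main(String[] args) {
        CopyingInMemoryUserDetailsService service = new CopyingInMemoryUserDetailsService();
        // Constructed sample user; a real deployment would store an encoded password.
        service.createUser(new User("alice", "secret", AuthorityUtils.createAuthorityList("ROLE_USER")));

        User handedOut = (User) service.loadUserByUsername("alice");
        handedOut.eraseCredentials(); // mirrors what happens after an authentication failure
        System.out.println("password on the erased copy: " + handedOut.getPassword());
        System.out.println("password on a fresh lookup:  " + service.loadUserByUsername("alice").getPassword());
    }
}
```

Without the copy in loadUserByUsername, the second lookup would also return a null password, which is exactly the lock-out reported above.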