SEC-1804: User is said to be immutable but eraseCredentials() removes password, resulting in UserDetailsManager side effect #2036

Closed
spring-issuemaster opened this Issue Aug 25, 2011 · 2 comments

1 participant

@spring-issuemaster

Ludovic Praud (Migrated from SEC-1804) said:

Since spring-security 3.0.6 (which is released to maven repo but not marked as it in JIRA), org.springframework.security.core.userdetails.User.eraseCredentials() is called by org.springframework.security.core.AuthenticationException.AuthenticationException(String, Object) after an authentication failure.

As I use an in-memory org.springframework.security.core.userdetails.UserDetailsService implementation which retrieves a User using UserDetailsService#loadUserByUsername, the in-memory User has its password cleared on such an authentication failure. So after an authentication failure, I cannot log in anymore because the User password is null.

The User class claims to be immutable, but eraseCredentials() erases the password member, resulting in side effects. It should really be immutable, or the Javadoc should indicate that UserDetailsService#loadUserByUsername must return a copy of the User.

@spring-issuemaster

Ludovic Praud said:

related to SEC-1493

@spring-issuemaster

Luke Taylor said:

Thanks for the report. I've modified the in-memory database to create a copy of the User object it returns.
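The side effect from the original report and the copy-on-return fix described in the comment above, shown side by side as an added example. This is not code from the Spring Security project or from either commenter: it assumes spring-security-core 3.0.x on the classpath, and the class names, the sample user "alice"/"secret" and the simulated failed-authentication step are constructed for illustration.

```java
// Added example (not from the Spring Security project or the reporter): shows the
// shared-instance side effect from the report and the copy-on-return fix.
// Assumes spring-security-core 3.0.x on the classpath; the class names, the
// sample user and the failed-authentication simulation are this example's own.
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserCopyDemo {

    /** Hands out the stored User instance itself: erasing its credentials corrupts the store. */
    static class SharedInstanceUserDetailsService implements UserDetailsService {
        private final Map<String, User> users = new HashMap<String, User>();

        void add(User user) { users.put(user.getUsername(), user); }

        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            User user = users.get(username);
            if (user == null) {
                throw new UsernameNotFoundException(username);
            }
            return user; // the same object on every call
        }
    }

    /** Hands out a fresh copy per call, so whatever the caller does to it cannot reach the store. */
    static class CopyingUserDetailsService implements UserDetailsService {
        private final Map<String, User> users = new HashMap<String, User>();

        void add(User user) { users.put(user.getUsername(), user); }

        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            User user = users.get(username);
            if (user == null) {
                throw new UsernameNotFoundException(username);
            }
            // Copy every field; this seven-argument constructor exists in 3.0.x and later.
            return new User(user.getUsername(), user.getPassword(), user.isEnabled(),
                    user.isAccountNonExpired(), user.isCredentialsNonExpired(),
                    user.isAccountNonLocked(), user.getAuthorities());
        }
    }

    /** Constructed sample user (not real credentials). */
    static User newUser() {
        return new User("alice", "secret", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    /**
     * Simulates the path the report describes: after a failed attempt, the loaded
     * principal has its credentials erased (the framework does this for any
     * object implementing CredentialsContainer, which User does).
     */
    static void simulateFailedAuthentication(UserDetailsService service, String username) {
        UserDetails loaded = service.loadUserByUsername(username);
        if (loaded instanceof CredentialsContainer) {
            ((CredentialsContainer) loaded).eraseCredentials();
        }
    }

    /** Reports whether the store still has a usable password after one failed attempt. */
    static boolean passwordSurvivesFailure(UserDetailsService service) {
        simulateFailedAuthentication(service, "alice");
        return service.loadUserByUsername("alice").getPassword() != null;
    }

    public static void main(String[] args) {
        SharedInstanceUserDetailsService shared = new SharedInstanceUserDetailsService();
        shared.add(newUser());
        System.out.println("shared instance, password survives failure: "
                + passwordSurvivesFailure(shared));

        CopyingUserDetailsService copying = new CopyingUserDetailsService();
        copying.add(newUser());
        System.out.println("copy per call, password survives failure: "
                + passwordSurvivesFailure(copying));
    }
}
```

Run with spring-security-core 3.0.x on the classpath. With the shared-instance service, a single failed attempt leaves the stored password null, so every later attempt for that user fails, which is the lockout the report describes; with the copying service the erased object is a throwaway copy and the stored password stays intact. Any custom UserDetailsService that caches User objects needs the same copy-on-return treatment, since the framework treats the returned principal as its own to erase.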

@spring-issuemaster spring-issuemaster added this to the 3.0.7 milestone Feb 5, 2016