Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1954: DaoAuthenticationProvider.retrieveUser should not be final #2180

spring-issuemaster opened this Issue Apr 26, 2012 · 2 comments


None yet
2 participants

Andy O'Neill (Migrated from SEC-1954) said:

Javadocs claim that this method is protected, but it is actually protected final. This is also in contradiction with the javadoc comment:
"Allows subclasses to actually retrieve the UserDetails from an implementation-specific location, with the option of throwing an AuthenticationException immediately if the presented credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in order to obtain or generate a UserDetails)."


Luke Taylor said:

The Javadoc says:

"Description copied from class: AbstractUserDetailsAuthenticationProvider"

so it refers to the base class. You should extend that class if you want to provide a custom implementation.

Rob Winch said:

As Luke mentioned, this indicates the documentation is from the superclass

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment