SEC-2012: Javadoc for UserDetails.getPassword() says that the password is never null; however it may be #2238

Closed
spring-issuemaster opened this Issue Jul 19, 2012 · 2 comments

2 participants

@spring-issuemaster

Mauro Molinari (Migrated from SEC-2012) said:

The Javadoc for org.springframework.security.core.userdetails.UserDetails.getPassword() says:

Returns the password used to authenticate the user. Cannot return null.

Returns:
the password (never null)

However, if the concrete implementation of UserDetails also implements org.springframework.security.core.CredentialsContainer (and this is the case for org.springframework.security.core.userdetails.User, for instance), then the password may actually be null if the credentials have been deleted by a call to org.springframework.security.core.CredentialsContainer.eraseCredentials(). See org.springframework.security.core.userdetails.User.eraseCredentials(), for instance.
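The behaviour reported above, as an added example that is not part of the original issue or of Spring Security's own code. It assumes spring-security-core is on the classpath; `requirePassword` is a hypothetical helper, and the user name, password value and role are constructed sample values.

```java
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class ErasedCredentialsDemo {

    // Hypothetical helper (not a Spring Security API): returns the stored
    // password, or fails with a clear message instead of letting a null
    // propagate into later code that trusts the "never null" Javadoc.
    static String requirePassword(UserDetails user) {
        String password = user.getPassword();
        if (password != null) {
            return password;
        }
        String reason = (user instanceof CredentialsContainer)
                ? "credentials may have been erased via eraseCredentials()"
                : "the implementation returned null";
        throw new IllegalStateException(
                "No password available for '" + user.getUsername() + "': " + reason);
    }

    public static void main(String[] args) {
        // Constructed sample user; all values are placeholders.
        User user = new User("alice", "constructed-password-hash",
                AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Before erasure the documented contract holds.
        System.out.println("before erase, null? " + (user.getPassword() == null));

        // User implements CredentialsContainer; this sets the password to null.
        user.eraseCredentials();
        System.out.println("after erase, null?  " + (user.getPassword() == null));

        // Callers that need the password should check explicitly.
        try {
            requirePassword(user);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```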

@spring-issuemaster

Mauro Molinari said:

Thank you Rob, but please note that you left out the part of the Javadoc that says "Cannot return null.".

@spring-issuemaster

Rob Winch said:

It should be updated in master

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016