SEC-2012: Javadoc for UserDetails.getPassword() says that the password is never null; however it may be #2238

spring-issuemaster opened this Issue Jul 19, 2012 · 2 comments

Mauro Molinari (Migrated from SEC-2012) said:

The Javadoc for org.springframework.security.core.userdetails.UserDetails.getPassword() says:

Returns the password used to authenticate the user. Cannot return null.

the password (never null)

However, if the concrete implementation of UserDetails also implements org.springframework.security.core.CredentialsContainer (and this is the case for org.springframework.security.core.userdetails.User, for instance), then the password may actually be null if the credentials have been deleted by a call to org.springframework.security.core.CredentialsContainer.eraseCredentials(). See org.springframework.security.core.userdetails.User.eraseCredentials(), for instance.

Mauro Molinari said:

Thank you Rob, but please note that you left out the part of the Javadoc that says "Cannot return null.".

Rob Winch said:

It should be updated in master.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
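
The behaviour reported in this issue, as an added example that is not part of the thread or of Spring Security's own code: `User.getPassword()` returns null once `eraseCredentials()` has run, so any code that reads the password from a `UserDetails` should fail closed rather than rely on the "never null" wording. The class name, the two helper methods and the sample password are hypothetical and constructed for illustration; the plain-text comparison stands in for a `PasswordEncoder` check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;

import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class ErasedPasswordDemo {

    /** Hypothetical helper: true only while a stored password is still present. */
    static boolean hasStoredPassword(UserDetails user) {
        String stored = user.getPassword();
        return stored != null && !stored.isEmpty();
    }

    /**
     * Hypothetical re-check of a presented password against a UserDetails.
     * Fails closed when the credentials were erased, instead of dereferencing
     * a null password. The stored value is compared as plain text only to keep
     * the sample short; real code would go through a PasswordEncoder.
     */
    static boolean recheckPassword(UserDetails user, String presented) {
        if (presented == null || !hasStoredPassword(user)) {
            return false;
        }
        byte[] stored = user.getPassword().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample user; the password is a made-up value.
        UserDetails user = new User("alice", "constructed-sample-password",
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));

        System.out.println("before erase, recheck: "
                + recheckPassword(user, "constructed-sample-password"));

        // User implements CredentialsContainer, as the report points out.
        if (user instanceof CredentialsContainer) {
            ((CredentialsContainer) user).eraseCredentials();
        }

        System.out.println("after erase, getPassword() == null: "
                + (user.getPassword() == null));
        System.out.println("after erase, recheck: "
                + recheckPassword(user, "constructed-sample-password"));
    }
}
```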