SEC-2020: Using http@authentication-manager-ref prevents authentication-manager@erase-credential from working #2245

spring-issuemaster opened this Issue Jul 30, 2012 · 1 comment


pascal gehl (Migrated from SEC-2020) said:


<sec:http realm="sample-realm" authentication-manager-ref="sampleAuthenticationManager">
    <sec:intercept-url pattern="/sample/*" access="ROLE_ADMIN" />
    <sec:http-basic />
</sec:http>

<sec:authentication-manager id="sampleAuthenticationManager" erase-credentials="false">
    <sec:authentication-provider ref="sampleAuthenticationProvider" />
</sec:authentication-manager>

HttpSecurityBeanDefinitionParser wraps "sampleAuthenticationManager" inside a new instance but forgets to pass the value associated with "erase-credentials".

private BeanReference createAuthenticationManager(Element element, ParserContext pc,
            ManagedList<BeanReference> authenticationProviders) {
        String parentMgrRef = element.getAttribute(ATT_AUTHENTICATION_MANAGER_REF);
        BeanDefinitionBuilder authManager = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);

        if (StringUtils.hasText(parentMgrRef)) {
            authManager.addConstructorArgValue(new RuntimeBeanReference(parentMgrRef));

Credentials always get erased, even with erase-credentials="false" in the parent.

Rob Winch said:

Thank you for your contribution by submitting this issue with such a good description of the problem. I have pushed a fix to master.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
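
The behaviour reported in this issue can be reproduced outside the XML namespace with two ProviderManager instances. This is an added example, not code from the issue or from the Spring Security project; SampleProvider, the class name and the login values are constructed, and setting the flag on the wrapper is shown only as one way to carry the parent's setting over, not as the fix that was pushed.

```java
import java.util.Collections;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class EraseCredentialsDemo {

    // Constructed stand-in for the issue's sampleAuthenticationProvider: accepts any login.
    static class SampleProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) {
            return new UsernamePasswordAuthenticationToken(auth.getPrincipal(),
                    auth.getCredentials(), AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        }
        @Override
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    // Mirrors <sec:authentication-manager erase-credentials="false">.
    static ProviderManager parent() {
        List<AuthenticationProvider> providers = Collections.singletonList(new SampleProvider());
        ProviderManager parent = new ProviderManager(providers);
        parent.setEraseCredentialsAfterAuthentication(false);
        return parent;
    }

    // Mirrors the wrapper created for authentication-manager-ref:
    // a new ProviderManager that delegates to the referenced parent.
    static Object credentialsAfterLogin(boolean wrapperErases) {
        ProviderManager wrapper = new ProviderManager(
                Collections.<AuthenticationProvider>emptyList(), parent());
        wrapper.setEraseCredentialsAfterAuthentication(wrapperErases);
        Authentication request =
                new UsernamePasswordAuthenticationToken("admin", "constructed-password");
        return wrapper.authenticate(request).getCredentials();
    }

    public static void main(String[] args) {
        // true is ProviderManager's default, which the wrapper keeps when the flag is not passed on.
        System.out.println("wrapper default: " + credentialsAfterLogin(true));
        System.out.println("flag passed on:  " + credentialsAfterLogin(false));
    }
}
```

The wrapper erases the returned token's credentials after the parent has already decided to keep them, so the parent's setting has no effect unless the wrapper carries the same value.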