SEC-30: Authentication to extend Credentials #295
Comments
|
Ben Alex said: Whilst there are explanatory advantages in differentiating between an Authentication request and a populated Authentication object, there are no technical advantages in doing so that I can identify. I have investigated implementing this change and it would cause significant changes throughout many classes, and create backward compatibility issues for the commonly-implemented AuthenticationProvider interface. There are some issues in particular related to needing to cast (and assuming the SecurityContextHolder contains a particular type of Authentication vs AuthenticationRequest at a particular time) and also with RMI propagation of the SecurityContext. These issues are more likely to lead to bugs or configuration issues/confusion for users, and given there is no technical advantage in this change I suggest we don’t make it. |
spring-projects-issues
added
in: core
and others
Ben Alex(Migrated from SEC-30) said:
As per discussion with Keith, refactor AuthenticationManager/Provider to have a public Authentication authenticate(Credentials).
Then, have Credentials hold the getPrincipal() and getCredentials() methods, with Authentication extending Credentials with the remaining methods.
The text was updated successfully, but these errors were encountered: