Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SpringSecurityPasswordValidationCallbackHandler save UserDetails [SWS-957] #1029

Closed
gregturn opened this issue Apr 27, 2016 · 4 comments
Closed

Comments

@gregturn
Copy link
Member

@gregturn gregturn commented Apr 27, 2016

Mihaita Tinta opened SWS-957 and commented

Could the UsernamePasswordAuthenticationToken saved in the SecurityContextHolder class by the SpringSecurityPasswordValidationCallbackHandler bean contain the UserDetails ?


Affects: 3.0.0.RC1

Reference URL: https://github.com/spring-projects/spring-ws/blob/master/spring-ws-security/src/main/java/org/springframework/ws/soap/security/wss4j/callback/SpringSecurityPasswordValidationCallbackHandler.java#L86

@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 27, 2016

Greg Turnquist commented

Spring WS's UsernamePasswordAuthenticationToken contains principal, an implementation of UsernameTokenPrincipal, in accordance with OASIS WS Security guidelines, along with the password and a list of authorities.

The UserDetails interface of Spring Security contains the same information + some boolean flags about state of the account.

There is little reason to support a non-standard interface when you already have the same key information being stored.

@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 27, 2016

Mihaita Tinta commented

I understand. The main reason I needed this was because the Principal is implemented by the WSUsernameTokenPrincipal class and the UserDetails was my custom domain implementation I needed across the app.

I didn't want to create the same instance of the UserDetails 3 times - 3 calls to the database

  • handleUsernameToken
  • handleUsernameTokenPrincipal
  • set the UserDetails in the MessageContext

Getting the UserDetails from the UsernamePasswordAuthenticationToken instance from the SecurityContextHolder was my initial thought. Thanks.

@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 27, 2016

Greg Turnquist commented

But SpringSecurityPasswordValidationCallbackHandler.loadUserDetails caches lookups.

	private UserDetails loadUserDetails(String username) throws DataAccessException {
		UserDetails user = userCache.getUserFromCache(username);

		if (user == null) {
			try {
				user = userDetailsService.loadUserByUsername(username);
			}
			catch (UsernameNotFoundException notFound) {
				if (logger.isDebugEnabled()) {
					logger.debug("Username '" + username + "' not found");
				}
				return null;
			}
			userCache.putUserInCache(user);
		}
		return user;
	}
@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 28, 2016

Mihaita Tinta commented

I'll replace the NullUserCache implementation and go with this. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.