Spring Security
  1. Spring Security
  2. SEC-1065

Password is not accessible from UserDetails instance when authenticate from ldap

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Invalid
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core, LDAP
    • Labels:
      None

      Description

      Since our ldap doesn't return the password when authenticating a user it is not available in the DirContextOperations instance and therefore not populated in the UserDetails instance by the LdapUserDetailsMapper#mapUserFromContext(...).
      This causes the method TokenBasedRememberMeServices#retrievePassword(...) to return null since UserDetails#getPassword() returns null. The password is still available in Authentication#getCredentials() and a solution is to let the method retrievePassword(...) return the credentials if no password is found in the UserDetails instance.

      Submitting a patch resolving this issue.

        Activity

        Hide
        Luke Taylor added a comment -

        I'm not clear on how the autoLogin part of TokenBasedRememberMeServices is supposed to work with this patch. Since you can't retrieve the password from your LDAP server, it won't possible to validate the remember-me cookie when it is submitted at a later time.

        Show
        Luke Taylor added a comment - I'm not clear on how the autoLogin part of TokenBasedRememberMeServices is supposed to work with this patch. Since you can't retrieve the password from your LDAP server, it won't possible to validate the remember-me cookie when it is submitted at a later time.
        Hide
        Tony Dalbrekt added a comment -

        Aah, absolutely right. I realize that now after some more digging. Guess you can close or remove this issue. Tnx!

        Show
        Tony Dalbrekt added a comment - Aah, absolutely right. I realize that now after some more digging. Guess you can close or remove this issue. Tnx!
        Hide
        Luke Taylor added a comment -

        Ok. Closing the issue as requested. You should still be able to work with the persistent remember-me version.

        Show
        Luke Taylor added a comment - Ok. Closing the issue as requested. You should still be able to work with the persistent remember-me version.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Tony Dalbrekt
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: