Spring Security / SEC-1493

Add support for erasing credentials after authentication

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: Core
    • Labels:
      None

      Description

      It should be possible to configure the AuthenticationManager to erase sensitive data (credentials) contained in Authentication objects and implementations of UserDetails. By making these implement a known interface (e.g. CredentialsContainer), the AuthenticationManager could invoke an "eraseCredentials" method to remove credentials data which is not required after authentication. This should be the default behaviour in 3.1 and optional in 3.0.3.

      Users should be aware that this could cause problems with situations where a user cache is used. It will also not work if the user's credentials are required to be automatically propagated with RMI, for example.
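The user-cache caveat above, as an added example (not code from this issue or from Spring Security): a provider that hands its cached `User` instance to the returned token loses the cached password once `ProviderManager` erases credentials, so the next login fails, while returning a copy avoids it. `CachingProvider`, `copyOnReturn`, `secondLoginSucceeds` and the sample account are hypothetical, and spring-security-core 3.1 or later is assumed on the classpath.

```java
import java.util.*;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;

// Added example, not Spring's own code; needs spring-security-core 3.1+ on the classpath.
public class EraseCredentialsCacheDemo {
    /** Hypothetical provider that keeps UserDetails objects in an in-memory cache. */
    static class CachingProvider implements AuthenticationProvider {
        private final Map<String, User> cache = new HashMap<>();
        private final boolean copyOnReturn;

        CachingProvider(boolean copyOnReturn) {
            this.copyOnReturn = copyOnReturn;
            // Constructed sample account; the plain-text comparison only keeps the demo short.
            cache.put("alice", new User("alice", "s3cret", AuthorityUtils.createAuthorityList("ROLE_USER")));
        }

        public Authentication authenticate(Authentication request) {
            User cached = cache.get(request.getName());
            if (cached == null || !String.valueOf(request.getCredentials()).equals(cached.getPassword())) {
                throw new BadCredentialsException("Bad credentials");
            }
            // Returning the cached instance itself lets eraseCredentials() null the cached password.
            User principal = copyOnReturn
                    ? new User(cached.getUsername(), cached.getPassword(), cached.getAuthorities()) : cached;
            return new UsernamePasswordAuthenticationToken(principal, request.getCredentials(), principal.getAuthorities());
        }

        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    static boolean secondLoginSucceeds(boolean copyOnReturn) {
        ProviderManager manager = new ProviderManager(Arrays.<AuthenticationProvider>asList(new CachingProvider(copyOnReturn)));
        manager.setEraseCredentialsAfterAuthentication(true);
        Authentication first = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        System.out.println("token credentials after first login: " + first.getCredentials());
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
            return true;
        } catch (BadCredentialsException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("shared cached instance, second login ok: " + secondLoginSucceeds(false));
        System.out.println("copy per authentication, second login ok: " + secondLoginSucceeds(true));
    }
}
```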

          Activity

          Luke Taylor added a comment -

          Implemented as described above. User, AbstractAuthenticationToken and UsernamePasswordAuthenticationToken now implement CredentialsContainer and ProviderManager checks the returned Authentication object to see if it supports the interface. The namespace also has an erase-credentials attribute, which sets the "eraseCredentialsAfterAuthentication" property on the ProviderManager. Support is disabled by default on the 3.0.x branch and enabled on master (for 3.1).

          Mark Liu added a comment -

          Hi Luke, I just tried using the 3.1.1 snapshot. Disabling the attribute in the namespace config authentication-manager does not appear to propagate to the child ProviderManager. So the credential is still eventually erased. Currently I have just one auth provider. Thanks.


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Luke Taylor
            • Votes:
              0
              Watchers:
              3
