Spring Security: SEC-1804

User is said to be immutable but eraseCredentials() remove password resulting in UserDetailsManager side effect

    Details

    • Type: Defect
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.7
    • Component/s: Core
    • Labels: None

      Description

      Since spring-security 3.0.6 (which has been released to the Maven repo but is not marked as such in JIRA), org.springframework.security.core.userdetails.User.eraseCredentials() is called by org.springframework.security.core.AuthenticationException.AuthenticationException(String, Object) after an authentication failure.

      As I use an in-memory org.springframework.security.core.userdetails.UserDetailsService implementation which retrieves a User using UserDetailsService#loadUserByUsername, the in-memory User has its password cleared on such an authentication failure. So after an authentication failure, I cannot log in anymore because the User password is null.

      The User class claims to be immutable, but eraseCredentials() erases the password member, resulting in side effects. It should really be immutable, or the javadoc should indicate that UserDetailsService#loadUserByUsername must return a copy of the User.

        Activity

        Ludovic Praud added a comment -

        Related to SEC-1493

        Luke Taylor added a comment -

        Thanks for the report. I've modified the in-memory database to create a copy of the User object it returns.

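The shared-instance problem from the description, beside the copy-on-load fix Luke describes, as an added example (not code from this issue or from Spring Security's own in-memory implementation). It assumes Spring Security 3.0.x on the classpath; the two service classes, the user "alice" and her password are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class SharedUserDemo {
    /** Constructed in-memory service that hands out its stored User instance directly (the reported behaviour). */
    static class SharingUserDetailsService implements UserDetailsService {
        private final Map<String, User> users = new HashMap<String, User>();
        void add(User user) { users.put(user.getUsername(), user); }
        public UserDetails loadUserByUsername(String username) {
            User user = users.get(username);
            if (user == null) throw new UsernameNotFoundException(username);
            return user; // same instance on every call: eraseCredentials() on it poisons the store
        }
    }

    /** Same store, but each lookup returns a fresh copy, so erasing the loaded object leaves the store intact. */
    static class CopyingUserDetailsService extends SharingUserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) {
            User stored = (User) super.loadUserByUsername(username);
            return new User(stored.getUsername(), stored.getPassword(), stored.isEnabled(),
                    stored.isAccountNonExpired(), stored.isCredentialsNonExpired(),
                    stored.isAccountNonLocked(), stored.getAuthorities());
        }
    }

    /** Mimics what the reporter observed: credentials are erased on the loaded object after a failed attempt. */
    static boolean passwordSurvivesErase(UserDetailsService service) {
        UserDetails loaded = service.loadUserByUsername("alice");
        ((User) loaded).eraseCredentials(); // what AuthenticationException(String, Object) did in 3.0.6
        return service.loadUserByUsername("alice").getPassword() != null;
    }

    public static void main(String[] args) {
        SharingUserDetailsService sharing = new SharingUserDetailsService();
        sharing.add(new User("alice", "s3cret", AuthorityUtils.createAuthorityList("ROLE_USER")));
        CopyingUserDetailsService copying = new CopyingUserDetailsService();
        copying.add(new User("alice", "s3cret", AuthorityUtils.createAuthorityList("ROLE_USER")));
        System.out.println("sharing store still has password: " + passwordSurvivesErase(sharing));
        System.out.println("copying store still has password: " + passwordSurvivesErase(copying));
    }
}
```

With the sharing service a single failed login empties the stored password and every later login fails; the copying service keeps the store untouched.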

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Ludovic Praud
