Announcement Announcement Module
Collapse
No announcement yet.
ProviderManager clears any sensitive credentials, anyway to clear more info? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • ProviderManager clears any sensitive credentials, anyway to clear more info?

    "By default (from Spring Security 3.1 onwards) the ProviderManager will attempt to clear any sensitive credentials information from the Authentication object which is returned by a successful authentication request. This prevents information like passwords being retained longer than necessary. " Spring Reference Docs, 7.1.1

    Trying to figure out exactly what the ProviderManager doing but it just seems like it is only clearing the password form the authentication object for the security context. Currently I am associating a user object when I am returning a token from a custom authentication provider and obviously use "User user = (new SpringSecurityUserContext().getCurrentUser());" or a SecurityUserContext class to pull up the currently authenticated user. I like how it clears out the password with a null when you pull up the user information. I would love to null out several other fields in the user that ProviderManager is not seeing as sensitive information such as the user salt, previous passwords, and etc. I have Basically done the below code to set the sensitive fields as blank or null before I return a new token in my custom authentication provider that trickles down to the User Context. My question is if this is proper or best way to do this in Spring or can you add additional fields (I would like this!) to the ProviderManager that will return null for those fields when you access the security context. I would prefer to well do everything in one place then have Spring do the password and my hack do the others? Any advice or help would be appreciated, thanks.

    Code:
           
     // Custom Authentication Provider above and this is the end
            user.setPasswordSalt(null);
            user.setSecurityAnswerOne(null);
            user.setSecurityAnswerTwo(null);
            return new DomainUsernamePasswordAuthenticationToken(user, password, authorities);
        }
    
        @Override
        public boolean supports(Class<?> authentication) {
            return DomainUsernamePasswordAuthenticationToken.class.equals(authentication);
        }
    }
Working...
X