  • Credentials stored in authentication object

    Maybe I'm missing something obvious, but is there a reason that, after a successful login (using the <form-login /> approach), the "credentials" from login (the user's password) are kept in clear text in the Authentication object stored in the SecurityContext?

    After login, any part of my application can simply do:

    SecurityContextHolder.getContext().getAuthentication().getCredentials();

    This returns the plain-text password supplied at login, even if login was dozens of requests ago.

    Why is this? Does that not seem somewhat insecure to anyone else?

  • #2
    I can't explain why that is, but it would be possible to override this behavior by defining and wiring your own UserDetailsChecker to the postAuthenticationChecks property of the username-based AuthenticationProvider (the exact class names differ between spring sec 2 and 3). There's been previous discussion about various bits being stored in memory (and, for the very security conscious, stored as Strings at all - which are potentially vulnerable to memory snooping). You're welcome to file a JIRA and see what the team does with it.
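    One way to stop the login password from living on in the SecurityContext, as an added example that is not code from this thread or from Spring Security itself: a plain servlet filter that, on each request, replaces an authenticated UsernamePasswordAuthenticationToken that still carries credentials with an equivalent token whose credentials are null. The class and filter names are my own; the Spring package names are the 3.x ones (2.x uses different packages for the same classes).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical filter (not part of Spring Security): swaps an authenticated
 * UsernamePasswordAuthenticationToken that still holds the login password for a
 * copy with null credentials. Because the SecurityContext object is the one the
 * session-persistence filter stores, the stripped token is what later requests see.
 */
public class CredentialsErasingFilter implements Filter {

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        SecurityContext context = SecurityContextHolder.getContext();
        Authentication current = context.getAuthentication();
        Authentication stripped = withoutCredentials(current);
        if (stripped != current) {
            context.setAuthentication(stripped);
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns the same object when there is nothing to erase (no authentication,
     * a different token type, not yet authenticated, or credentials already null);
     * otherwise an authenticated copy with principal, authorities and details but no password.
     */
    static Authentication withoutCredentials(Authentication auth) {
        if (!(auth instanceof UsernamePasswordAuthenticationToken)
                || !auth.isAuthenticated()
                || auth.getCredentials() == null) {
            return auth;
        }
        // The three-argument constructor marks the token as authenticated, exactly as the
        // provider's own success token is; the password is simply not carried over.
        UsernamePasswordAuthenticationToken copy = new UsernamePasswordAuthenticationToken(
                auth.getPrincipal(), null, auth.getAuthorities());
        copy.setDetails(auth.getDetails());
        return copy;
    }
}
```

    Wire it into the chain after the form-login filter (in the 3.x namespace: <custom-filter after="FORM_LOGIN_FILTER" ref="credentialsErasingFilter"/>; the 2.x filter aliases differ). Two caveats: the login POST itself ends in a redirect, so the password survives in the session until the first request after login, and the original String is still only unreachable, not overwritten, which is the memory-snooping point raised above. Spring Security 3.1 later addressed this in the framework itself: ProviderManager erases credentials after authentication by default (configurable via erase-credentials on <authentication-manager>), and tokens implement CredentialsContainer.eraseCredentials().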
