  • UserDetails.getPassword

    Please pardon me if the question is really stupid, but just out of need I do not want to store user password in the session-wide available userdetails implementation object.

    java.lang.String getPassword()
    Returns the password used to authenticate the user. Cannot return null.

    Why does spring-security demand the password once the user is authenticated?

  • #2
    It's not a general requirement - more a legacy of the original development which gave equal priority to remote and web clients and authenticated repeatedly against a cache of user objects. There are plans to add in support (in 3.1) for the AuthenticationManager to erase credentials data after authentication.

    It is also trivial to customise your AuthenticationProvider to return an object which only contains the data you require.


    • #3

      Thanks Luke for explaining. I am fairly new to spring-sec and was evaluating whether it's suitable for my next project.

      So can my UserDetails implementation throw an exception or any predefined string when an attempt to retrieve password is made using getPassword()?

      I want to authenticate the user using various mechanisms like google/yahoo/facebook/LDAP auth and load its authorities from the local database. After this I do not want any app-code to be able to retrieve the password that was used for authentication.

      What classes/interfaces do I need to code/implement in order to achieve this? Can anyone please suggest some further reading for the above requirements?


      • #4

        Hi Kedi,

        For customization, you have to implement 'UserDetails' interface and create your own class, having customized getPassword() method.

        Hope it helps.
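As an added example of what #2 and #4 describe (this is not code from the thread or from Spring Security itself): a UserDetails implementation that holds the password only until authentication completes and wipes it through Spring Security's CredentialsContainer hook, plus a custom AuthenticationProvider that verifies the user against an external mechanism and returns an Authentication carrying no credentials at all. ExternalVerifier and AuthorityLoader are hypothetical stand-ins for the provider-specific check and the local-database authority lookup; the Spring Security types are the real 3.x ones. Note that getPassword() is not made to throw: ProviderManager (3.1) calls eraseCredentials() on the result, after which Spring's own User class also returns null, so returning null after erasure is the behaviour the framework expects.

```java
import java.util.Collection;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

/** UserDetails that can forget its password once it is no longer needed. */
public final class ErasableUserDetails implements UserDetails, CredentialsContainer {
    private final String username;
    private final Collection<? extends GrantedAuthority> authorities;
    // Held only until authentication completes; nulled by eraseCredentials().
    private String password;

    public ErasableUserDetails(String username, String password,
                               Collection<? extends GrantedAuthority> authorities) {
        this.username = username;
        this.password = password;
        this.authorities = authorities;
    }

    @Override public String getPassword() { return password; }
    @Override public String getUsername() { return username; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }

    /** Called by ProviderManager (3.1+) on the authenticated token, so the
     *  object stored in the session no longer carries the secret. */
    @Override public void eraseCredentials() { password = null; }
}

/** Provider that authenticates externally and loads authorities locally. */
public final class ExternalAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical: checks the presented secret against e.g. LDAP. */
    public interface ExternalVerifier {
        boolean verify(String username, String presentedPassword);
    }

    /** Hypothetical: loads the user's roles from the local database. */
    public interface AuthorityLoader {
        Collection<? extends GrantedAuthority> load(String username);
    }

    private final ExternalVerifier verifier;
    private final AuthorityLoader authorityLoader;

    public ExternalAuthenticationProvider(ExternalVerifier verifier, AuthorityLoader authorityLoader) {
        this.verifier = verifier;
        this.authorityLoader = authorityLoader;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object presented = authentication.getCredentials();
        if (presented == null || !verifier.verify(username, presented.toString())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Build the principal without the password: nothing downstream needs it.
        ErasableUserDetails user = new ErasableUserDetails(username, null, authorityLoader.load(username));
        // Pass null credentials so the session-scoped Authentication never holds the secret.
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Wire ExternalAuthenticationProvider into the AuthenticationManager in place of DaoAuthenticationProvider; because the provider does the credential check itself, no UserDetailsService has to expose a password, and the only object left in the SecurityContext is the ErasableUserDetails with a null password.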



        • #5
          Request you to please paste the code.
          I'm trying to get the password from the login JSP in the loadUserByName method.


          • #6
            For google, yahoo etc, you should be using OpenID (or some other protocol where you authenticate directly to the provider). Your application will never see the password.