I implemented what someone described on (stackoverflow):
I am using my own implementation of the UserDetailsService interface to load a User object from the Database and place it as UserDetail into my SecurityContext. The User object is then a detached Hibernate object.
When I want to access lazy-loaded relations of the authenticated User, I need to get it from the SecurityContext and attach it again to the Hibernate session by loading it through its ID or by merging.
The problem is: Merging the User for initializing lazy-loaded items using just <authentication-manager alias="authenticationManager"> results in Hibernate updating the user password to null (as eraseCredentials() was called after login).
What is the best-practice approach to deal with this problem? What would you do? Some alternatives are:
- disable erasing password
- remove the user.setPassword(null); from eraseCredentials() in custom UserDetails
- change the User Entity to not contain the password (maybe use some Authentication Entity instead which contains the password and references the User)
- do not store the User in User Details but just some value to identify him
- always use some special JPQL query to retrieve lazy-loaded items or update the user
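
An added illustration of the alternative "do not store the User in UserDetails but just some value to identify him" (not code from the original post): the principal is a plain copy of the login data, so `eraseCredentials()` nulls only that copy and there is no detached entity to merge. `AccountPrincipal`, `CurrentUser` and the `entityManager` in the closing comment are hypothetical names; the custom `UserDetailsService` is assumed to build the principal from the entity's id, username, password hash and roles, with Spring Security on the classpath.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

/** Hypothetical principal: a copy of the login data, never the Hibernate entity itself. */
final class AccountPrincipal implements UserDetails, CredentialsContainer {
    private final Long userId;       // key for reloading the managed entity later
    private final String username;
    private String passwordHash;     // copy only; erasing it cannot reach the database
    private final List<GrantedAuthority> authorities;

    AccountPrincipal(Long userId, String username, String passwordHash, String... roles) {
        this.userId = userId;
        this.username = username;
        this.passwordHash = passwordHash;
        this.authorities = AuthorityUtils.createAuthorityList(roles);
    }

    Long getUserId() { return userId; }

    @Override public void eraseCredentials() { passwordHash = null; } // invoked after login
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

/** Hypothetical helper: resolves the id of the logged-in user from the SecurityContext. */
final class CurrentUser {
    private CurrentUser() { }

    static Long id() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof AccountPrincipal) {
            return ((AccountPrincipal) auth.getPrincipal()).getUserId();
        }
        throw new IllegalStateException("no authenticated AccountPrincipal in the SecurityContext");
    }
}
// Inside a transaction, load a managed entity by id instead of merging the principal,
// e.g. entityManager.find(User.class, CurrentUser.id()); lazy relations then initialize normally.
```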