Jan 31st, 2010, 09:50 AM
Credentials stored in authentication object
Maybe I'm missing something obvious, but is there a reason that, after a successful login (using the <form-login /> approach), the "credentials" from login (the user's password) are kept in clear text in the Authentication object stored in the SecurityContext?
After login, any part of my application can simply do:
This returns the plain-text password supplied at login, even if login was dozens of requests ago.
Why is this? Does that not seem somewhat insecure to anyone else?
Jan 31st, 2010, 11:53 AM
I can't explain why that is, but it would be possible to override this behavior by defining and wiring your own UserDetailsChecker to the postAuthenticationChecks property of the username-based AuthenticationProvider (the exact class names differ between spring sec 2 and 3). There's been previous discussion about various bits being stored in memory (and, for the very security conscious, stored as Strings at all - which are potentially vulnerable to memory snooping). You're welcome to file a JIRA and see what the team does with it.
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
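Added example (not code from either poster or from the Spring Security project itself) illustrating both halves of the thread: how any code in the application can read the retained password out of the SecurityContext, and one way to drop it once authentication has completed. Instead of the UserDetailsChecker route suggested above, this uses the CredentialsContainer interface that Spring Security 3 adds to its Authentication tokens; the user name "alice", the password "s3cret" and the role are constructed sample values, and the token is placed in the context by hand to stand in for what the form-login provider leaves behind after a successful login.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class CredentialsRetentionDemo {

    // The problem from the first post: any code that can reach the SecurityContext
    // (a controller, a service, a JSP tag) can pull the login password back out,
    // on this request or any later one in the same session.
    static Object readStoredCredentials() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? null : auth.getCredentials();
    }

    // One remedy: Spring Security 3 tokens implement CredentialsContainer, whose
    // eraseCredentials() nulls the stored credentials (and, for a UserDetails
    // principal such as User, its password) while leaving the token authenticated.
    static void eraseStoredCredentials() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof CredentialsContainer) {
            ((CredentialsContainer) auth).eraseCredentials();
        }
    }

    public static void main(String[] args) {
        // Constructed sample token: the shape of a successful form-login result.
        // Sample user name, password and role are assumptions for this demo.
        Authentication authenticated = new UsernamePasswordAuthenticationToken(
                "alice", "s3cret", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(authenticated);

        // Before erasing, the clear-text password is there for the taking.
        System.out.println("before erase: " + readStoredCredentials());

        eraseStoredCredentials();

        // After erasing, getCredentials() returns null but the user is still logged in.
        System.out.println("after erase: " + readStoredCredentials());
        System.out.println("still authenticated: "
                + SecurityContextHolder.getContext().getAuthentication().isAuthenticated());
    }
}
```

Calling eraseStoredCredentials() yourself (for example from a filter that runs after the authentication filter) is the manual version; ProviderManager also has an eraseCredentialsAfterAuthentication property that performs the same call on the returned token, and whether it is switched on by default depends on which 3.x release you are running, so check your version's ProviderManager. Either way, note that erasing the field only addresses the retained reference: the String that held the password may still sit in the heap until it is collected, which is the memory-snooping concern the reply mentions.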
Jan 31st, 2010, 12:51 PM