-
Jan 31st, 2010, 09:50 AM
#1
Credentials stored in authentication object
Maybe I'm missing something obvious, but is there a reason that after a successful login (using the <form-login /> approach) the "credentials" from login (the user's password) are kept in clear text in the Authentication object stored in the SecurityContext?
After login, any part of my application can simply do:
SecurityContextHolder.getContext().getAuthentication().getCredentials();
This returns the plain-text password supplied at login, even if login was dozens of requests ago.
Why is this? Does that not seem somewhat insecure to anyone else?
-
Jan 31st, 2010, 11:53 AM
#2
I can't explain why that is, but it would be possible to override this behavior by defining and wiring your own UserDetailsChecker to the postAuthenticationChecks property of the username-based AuthenticationProvider (the exact class names differ between spring sec 2 and 3). There's been previous discussion about various bits being stored in memory (and, for the very security conscious, stored as Strings at all - which are potentially vulnerable to memory snooping). You're welcome to file a JIRA and see what the team does with it.
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
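Added example (not code from either poster, and not part of Spring Security itself): one way to stop the plain-text password from living in the SecurityContext for the rest of the session, as raised in post #1, is to replace the Authentication right after the form login succeeds, rather than going through the UserDetailsChecker route suggested in post #2 (a UserDetailsChecker only sees the UserDetails, not the Authentication token whose getCredentials() returns the password). The handler below assumes Spring Security 3.0 class names (UsernamePasswordAuthenticationToken, SavedRequestAwareAuthenticationSuccessHandler) and that form login is configured with <form-login authentication-success-handler-ref="..."/> pointing at this bean; the class and method names are my own.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Hypothetical success handler (example code, not from the original thread or
 * from Spring Security): swaps the freshly authenticated token for a copy
 * whose credentials are null, so that later calls to
 * SecurityContextHolder.getContext().getAuthentication().getCredentials()
 * no longer hand back the login password.
 *
 * By the time a success handler runs, AbstractAuthenticationProcessingFilter
 * has already put the Authentication into the SecurityContext; the context is
 * persisted to the HTTP session after the filter chain returns, so the
 * stripped copy is what gets stored.
 */
public class CredentialErasingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        // Replace the token in the context before delegating to the normal redirect logic.
        SecurityContextHolder.getContext().setAuthentication(stripCredentials(authentication));
        super.onAuthenticationSuccess(request, response, authentication);
    }

    /**
     * Returns an authenticated copy of the token with null credentials.
     * Principal, authorities and details (remote address, session id) are kept,
     * so authorization decisions are unaffected; only the password is dropped.
     */
    static Authentication stripCredentials(Authentication authentication) {
        if (!(authentication instanceof UsernamePasswordAuthenticationToken)
                || authentication.getCredentials() == null) {
            return authentication; // nothing to erase, or an unfamiliar token type
        }
        // The three-argument constructor marks the token as authenticated.
        UsernamePasswordAuthenticationToken copy = new UsernamePasswordAuthenticationToken(
                authentication.getPrincipal(), null, authentication.getAuthorities());
        copy.setDetails(authentication.getDetails());
        return copy;
    }
}
```

Two caveats worth knowing before wiring this in. First, anything in the application that later relies on getCredentials() (for example, re-authenticating the user before a password change) will now get null, so check for such callers. Second, this only removes the reference from the session-scoped context; the original String still sits in the JVM heap until it is garbage collected, which is the memory-snooping concern post #2 mentions and which no amount of null-ing of references fixes. For what it is worth, Spring Security 3.1 and later added an erase-credentials option on the ProviderManager (the erase-credentials attribute of <authentication-manager>) that does this erasure by default, so on a newer version the handler above is unnecessary.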
-
Jan 31st, 2010, 12:51 PM
#3