SEC-1394: Credentials stored in authentication object #1637
Labels:
- in: core (An issue in spring-security-core)
- status: duplicate (A duplicate of another issue)
- type: bug (A general bug)
- type: jira (An issue that was migrated from JIRA)
Jarrod Carlson (Migrated from SEC-1394) said:
Maybe I'm missing something obvious, but is there a reason that after a successful login (using the approach) the "credentials" from login (the user's password) are kept in clear text in the Authentication object stored in the SecurityContext?
After login, any part of my application can simply do:
SecurityContextHolder.getContext().getAuthentication().getCredentials();
This returns the plain-text password supplied at login, even if login was dozens of requests ago. Why is this? Does that not seem somewhat insecure to anyone else?
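As an added example (not code from the issue or from the Spring Security project), the following reproduces the retention described above and shows the mitigation that later releases provide: erasing the credentials from the token once authentication has completed. It assumes a Spring Security release in which UsernamePasswordAuthenticationToken implements org.springframework.security.core.CredentialsContainer (3.1 and later); the username and password values are constructed.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example, not part of the original issue. Assumes a release where the
 * authenticated token implements CredentialsContainer (3.1 and later).
 */
public class CredentialsRetentionCheck {

    /** Mimics what an AuthenticationProvider produces after a successful login. */
    static Authentication login(String username, String password) {
        // The three-argument constructor marks the token as authenticated, and the
        // raw password survives as its "credentials" for as long as the context lives.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                username, password, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }

    /** Check: is the plain-text password still reachable from the SecurityContext? */
    static boolean passwordStillInContext() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.getCredentials() != null;
    }

    /**
     * Mitigation: wipe the password once it has served its purpose. ProviderManager
     * does this itself when eraseCredentialsAfterAuthentication is true (its default
     * in releases that have the setting); this shows the same call done explicitly.
     */
    static void eraseCredentials() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof CredentialsContainer) {
            ((CredentialsContainer) auth).eraseCredentials();
        }
    }

    public static void main(String[] args) {
        login("alice", "constructed-secret");
        System.out.println("password readable before erase: " + passwordStillInContext());
        eraseCredentials();
        System.out.println("password readable after erase:  " + passwordStillInContext());
        SecurityContextHolder.clearContext();
    }
}
```

Running the check after every authentication in a test suite is a cheap way to detect a provider or custom token that forgets to erase credentials.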