SEC-1493: Add support for erasing credentials after authentication #1733
Comments
|
Luke Taylor said: Implemented as described above. User, AbstractAuthenticationToken and UsernamePasswordAuthenticationToken now implement CredentialsContainer and ProviderManager checks the returned Authentication object to see if it supoprts the interface. The namespace also has an erase-credentials attribute, which sets the "eraseCredentialsAfterAuthentication" property on the ProviderManager. Support is disabled by default on the 3.0.x branch and enabled on master (for 3.1). |
|
Mark Liu said: Hi Luke, I just tried using 3.1.1 snapshot. Disabling the attribute in the namespace config authentication-manager does not appear to propagate to the child providermanager. So the credential is still eventually erased. currently I have just one auth provider. Thanks. |
spring-projects-issues
added
in: core
Luke Taylor (Migrated from SEC-1493) said:
It should be possible to configure the AuthenticationManager to erase sensitive data (credentials) contained in Authentication objects and implementations of UserDetails. By making these implement a known interface (e.g. CredentialsContainer), the AuthenticationManager could invoke an "eraseCredentials" method to remove credentials data which is not required after authentication. This should be the default behaviour in 3.1 and optional in 3.0.3.
Users should be aware that this could cause problems with situations where a user cache is used. It will also not work if the user's credentials are required to be automatically propagated with RMI, for example.
The text was updated successfully, but these errors were encountered: