SEC-2121: JdbcUserDetailsManager's changePassword should not populate the password #2346
Labels
in: core
An issue in spring-security-core
type: enhancement
A general enhancement
type: jira
An issue that was migrated from JIRA
Luke Taylor (Migrated from SEC-2121) said:
In order to be more consistent with the default behavior of the ProviderManager (which clears the password out) the JdbcUserDetailsManager's changePassword method should not populate the password on the Authentication set on the SecurityContextHolder.
Another option might be to populate the password conditionally (i.e. only if the credentials of the current Authentication are non-null).
The text was updated successfully, but these errors were encountered: