SEC-2121: JdbcUserDetailsManager's changePassword should not populate the password #2346

spring-projects-issues · 2013-01-14T11:52:50Z

Luke Taylor (Migrated from SEC-2121) said:

In order to be more consistent with the default behavior of the ProviderManager (which clears the password out) the JdbcUserDetailsManager's changePassword method should not populate the password on the Authentication set on the SecurityContextHolder.

Another option might be to populate the password conditionally (i.e. only if the credentials of the current Authentication are non-null).

spring-projects-issues added in: core An issue in spring-security-core Open type: enhancement A general enhancement type: jira An issue that was migrated from JIRA labels Feb 5, 2016

spring-projects-issues added this to the 3.2 Backlog milestone Feb 5, 2016

rwinch modified the milestone: 3.2 Backlog Aug 15, 2016

rwinch removed the Open label May 3, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SEC-2121: JdbcUserDetailsManager's changePassword should not populate the password #2346

SEC-2121: JdbcUserDetailsManager's changePassword should not populate the password #2346

spring-projects-issues commented Jan 14, 2013

SEC-2121: JdbcUserDetailsManager's changePassword should not populate the password #2346

SEC-2121: JdbcUserDetailsManager's changePassword should not populate the password #2346

Comments

spring-projects-issues commented Jan 14, 2013