Skip to content

kmartin88/demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This project has the purpose to demonstrate how disabling the credentials erasure in an AuthenticationManager is not working.

There is a controller with one GET method which returns the password of the authenticated user. If there is no password in the Authentication object, it returns "no credentials" instead.

Two test classes doing the same test (checking if the returned string from the controller is the password of the given user) but using different SecurityConfigurations:

WorkingSecurityConfig autowires the AuthenticationManagerBuilder and sets eraseCredentials to false. NotWorkingSecurityConfig creates an AuthenticationManagerBean which is a ProviderManager with eraseCredentialsAfterAuthentication set to false.

Both versions can be found in the official Spring Security documentation: https://docs.spring.io/spring-security/reference/6.2/servlet/authentication/passwords/index.html#customize-global-authentication-manager (also correct for the current version https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/index.html#customize-global-authentication-manager but as this link might point to another version of the documentation in the future I prefer to refer to the one with a version in the URL).

Both tests should pass, but the one with NotWorkingSecurityConfig is failing because the credentials get erased after authentication.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages