SEC-1804: Updated Javadoc wrt immutability of User class.

Luke Taylor 2011-08-25 10:50:50 +01:00
parent 799a43d72e
commit 102027a44c
2 changed files with 6 additions and 11 deletions


@ -31,7 +31,6 @@ import org.springframework.util.Assert;
/** /**
* Models core user information retrieved by a {@link UserDetailsService}. * Models core user information retrieved by a {@link UserDetailsService}.
* <p> * <p>
* Implemented with value object semantics (immutable after construction, like a <code>String</code>).
* Developers may use this class directly, subclass it, or write their own {@link UserDetails} implementation from * Developers may use this class directly, subclass it, or write their own {@link UserDetails} implementation from
* scratch. * scratch.
* <p> * <p>
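Review bot: with the value-object sentence removed, the opening paragraph that tells developers they "may use this class directly, subclass it" no longer says anything about mutability, and the replacement note only appears further down, after the paragraph on matching user principal lookups. Consider a short clause here stating that instances can be modified after construction, so a reader who stops at the first paragraph is not left with the old assumption.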
@ -39,6 +38,11 @@ import org.springframework.util.Assert;
* intention is that lookups of the same user principal object (in a user registry, for example) will match * intention is that lookups of the same user principal object (in a user registry, for example) will match
* where the objects represent the same user, not just when all the properties (authorities, password for * where the objects represent the same user, not just when all the properties (authorities, password for
* example) are the same. * example) are the same.
* <p>
* Note that this implementation is not immutable. It implements the {@code CredentialsContainer} interface, in order
* to allow the password to be erased after authentication. This may cause side-effects if you are storing instances
* in-memory and reusing them. If so, make sure you return a copy from your {@code UserDetailsService} each time it is
* invoked.
* *
* @author Ben Alex * @author Ben Alex
* @author Luke Taylor * @author Luke Taylor
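Review bot: "This may cause side-effects" in the added note does not tell the reader what actually goes wrong. State the consequence directly, for example that an instance kept in memory and handed out again will already have had its password erased by an earlier authentication. The advice to "return a copy" could also say that the copy needs its own password value, and {@code CredentialsContainer} would be easier to follow as a {@link}, matching the {@link UserDetailsService} at the top of this comment.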


@ -35,16 +35,7 @@ import java.util.Collection;
* Concrete implementations must take particular care to ensure the non-null * Concrete implementations must take particular care to ensure the non-null
* contract detailed for each method is enforced. See * contract detailed for each method is enforced. See
* {@link org.springframework.security.core.userdetails.User} for a * {@link org.springframework.security.core.userdetails.User} for a
* reference implementation (which you might like to extend). * reference implementation (which you might like to extend or use in your code).
* <p>
* Concrete implementations should be preferably be immutable &ndash; they should
* have value object semantics, like a String. The <code>UserDetails</code> may be
* stored in a cache and multiple threads may use the same instance. Immutable
* objects are more robust and are guaranteed to be thread-safe. This is not strictly
* essential (there's nothing within Spring Security itself which absolutely requires it),
* but if your <tt>UserDetails</tt> object <em>can</em> be modified then it's up to you to make
* sure that you do so safely and that you manage any caches which may contain copies of
* the object.
* *
* @see UserDetailsService * @see UserDetailsService
* @see UserCache * @see UserCache
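Review bot: the deleted paragraph carried the warning that a UserDetails "may be stored in a cache and multiple threads may use the same instance", and that concern applies to any implementation of this interface, not only to User. Since @see UserCache is still listed below, consider keeping one sentence on shared and cached instances here and dropping only the recommendation that implementations be immutable.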