SEC-1742: Deprecate use of extraInformation field in AuthenticationException, making it transient and removing any sensitive data in UserDetails objects which are stored in it.

core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationManager.java

@@ -77,7 +77,9 @@ public abstract class AbstractAuthenticationManager implements AuthenticationMan
      * be serialized to the client. Defaults to 'false'.
      *
      * @see org.springframework.security.core.AuthenticationException#getExtraInformation()
+     * @deprecated the {@code extraInformation} property is deprecated
      */
+    @Deprecated
     public void setClearExtraInformation(boolean clearExtraInformation) {
         this.clearExtraInformation = clearExtraInformation;
     }

core/src/main/java/org/springframework/security/authentication/AccountStatusException.java

@@ -17,6 +17,7 @@ public abstract class AccountStatusException extends AuthenticationException {
         super(msg, t);
     }
 
+    @Deprecated
     protected AccountStatusException(String msg, Object extraInformation) {
         super(msg, extraInformation);
     }

core/src/main/java/org/springframework/security/authentication/BadCredentialsException.java

@@ -36,6 +36,7 @@ public class BadCredentialsException extends AuthenticationException {
         super(msg);
     }
 
+    @Deprecated
     public BadCredentialsException(String msg, Object extraInformation) {
         super(msg, extraInformation);
     }

core/src/main/java/org/springframework/security/core/AuthenticationException.java

@@ -25,12 +25,12 @@ public abstract class AuthenticationException extends RuntimeException {
     //~ Instance fields ================================================================================================
 
     private Authentication authentication;
-    private Object extraInformation;
+    private transient Object extraInformation;
 
     //~ Constructors ===================================================================================================
 
     /**
-     * Constructs an <code>AuthenticationException</code> with the specified message and root cause.
+     * Constructs an {@code AuthenticationException} with the specified message and root cause.
      *
      * @param msg the detail message
      * @param t the root cause
@@ -40,7 +40,7 @@ public abstract class AuthenticationException extends RuntimeException {
     }
 
     /**
-     * Constructs an <code>AuthenticationException</code> with the specified message and no root cause.
+     * Constructs an {@code AuthenticationException} with the specified message and no root cause.
      *
      * @param msg the detail message
      */
@@ -48,15 +48,22 @@ public abstract class AuthenticationException extends RuntimeException {
         super(msg);
     }
 
+    /**
+     * @deprecated Use the exception message or use a custom exception if you really need additional information.
+     */
+    @Deprecated
     public AuthenticationException(String msg, Object extraInformation) {
         super(msg);
+        if (extraInformation instanceof CredentialsContainer) {
+            ((CredentialsContainer) extraInformation).eraseCredentials();
+        }
         this.extraInformation = extraInformation;
     }
 
     //~ Methods ========================================================================================================
 
     /**
-     * The authentication request which this exception corresponds to (may be <code>null</code>)
+     * The authentication request which this exception corresponds to (may be {@code null})
      */
     public Authentication getAuthentication() {
         return authentication;
@@ -67,14 +74,17 @@ public abstract class AuthenticationException extends RuntimeException {
     }
 
     /**
-     * Any additional information about the exception. Generally a <code>UserDetails</code> object.
+     * Any additional information about the exception. Generally a {@code UserDetails} object.
      *
-     * @return extra information or <code>null</code>
+     * @return extra information or {@code null}
+     * @deprecated Use the exception message or use a custom exception if you really need additional information.
      */
+    @Deprecated
     public Object getExtraInformation() {
         return extraInformation;
     }
 
+    @Deprecated
     public void clearExtraInformation() {
         this.extraInformation = null;
     }

core/src/main/java/org/springframework/security/core/userdetails/UsernameNotFoundException.java

@@ -37,19 +37,19 @@ public class UsernameNotFoundException extends AuthenticationException {
     }
 
     /**
-     * Constructs a <code>UsernameNotFoundException</code>, making use of the <tt>extraInformation</tt>
+     * Constructs a {@code UsernameNotFoundException}, making use of the {@code extraInformation}
      * property of the superclass.
      *
      * @param msg the detail message
      * @param extraInformation additional information such as the username.
      */
+    @Deprecated
     public UsernameNotFoundException(String msg, Object extraInformation) {
         super(msg, extraInformation);
     }
 
     /**
-     * Constructs a <code>UsernameNotFoundException</code> with the specified
+     * Constructs a {@code UsernameNotFoundException} with the specified message and root cause.
-     * message and root cause.
      *
      * @param msg the detail message.
      * @param t root cause