
SEC-2468: JdbcUserDetailsManager#createNewAuthentication uses null credentials

Rob Winch 11 лет назад
Родитель
Сommit
65367e6547

+ 1 - 1
core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java

@@ -221,7 +221,7 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
         UserDetails user = loadUserByUsername(currentAuth.getName());
 
         UsernamePasswordAuthenticationToken newAuthentication =
-                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
+                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
         newAuthentication.setDetails(currentAuth.getDetails());
 
         return newAuthentication;
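Review bot: The new line nulls the token's credentials, but the principal passed as the first argument is still the full `UserDetails` returned by `loadUserByUsername`, which still exposes the stored hash through `getPassword()`; if the intent is to keep the hash out of the SecurityContext, that object needs its credentials erased as well (where the loaded type implements `CredentialsContainer`, `eraseCredentials()` does this — confirm against the concrete type returned here). A why-comment on the new line would also stop a later reader from "restoring" the password, e.g. `// credentials deliberately null: the stored password hash must not live on in the SecurityContext`. createNewAuthentication's signature and the start of its body lie outside the hunk.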

+ 10 - 0
core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java

@@ -2,6 +2,7 @@ package org.springframework.security.provisioning;
 
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
+import static org.fest.assertions.Assertions.assertThat;
 
 import java.util.Collections;
 import java.util.HashMap;
@@ -302,6 +303,15 @@ public class JdbcUserDetailsManagerTests {
         assertEquals(0, template.queryForList(SELECT_JOE_AUTHORITIES_SQL).size());
     }
 
+    // SEC-2166
+    @Test
+    public void createNewAuthenticationUsesNullPasswordToKeepPassordsSave() {
+        insertJoe();
+        UsernamePasswordAuthenticationToken currentAuth = new UsernamePasswordAuthenticationToken("joe",null, AuthorityUtils.createAuthorityList("ROLE_USER"));
+        Authentication updatedAuth = manager.createNewAuthentication(currentAuth, "new");
+        assertThat(updatedAuth.getCredentials()).isNull();
+    }
+
     private Authentication authenticateJoe() {
         UsernamePasswordAuthenticationToken auth =
                 new UsernamePasswordAuthenticationToken("joe","password", joe.getAuthorities());
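Review bot: The added test's name `createNewAuthenticationUsesNullPasswordToKeepPassordsSave` contains two typos, and its `// SEC-2166` comment cites a different issue than the commit title (SEC-2468); rename it to `createNewAuthenticationUsesNullPasswordToKeepPasswordsSafe` and either align the comment with the title or say why SEC-2166 is the intended reference. The assertion covers only `getCredentials()`; because the principal of the returned token is the loaded `UserDetails`, an assertion on what the principal exposes would pin whether the hash can still be reached through `getPassword()`, if that is part of the intended guarantee. Style: `"joe",null` lacks the space after the comma that the surrounding code uses.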