Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Document the role of CredentialsContainer 

Closes gh-15319
This commit is contained in:
Marcus Hert Da Coregio 2024-06-28 15:33:34 -03:00
parent 1135ad5a5a
commit 779030b6cd
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/modules/ROOT/nav.adoc
View File

@ -44,6 +44,7 @@
***** xref:servlet/authentication/passwords/in-memory.adoc[In Memory]
***** xref:servlet/authentication/passwords/jdbc.adoc[JDBC]
***** xref:servlet/authentication/passwords/user-details.adoc[UserDetails]
***** xref:servlet/authentication/passwords/credentials-container.adoc[CredentialsContainer]
***** xref:servlet/authentication/passwords/user-details-service.adoc[UserDetailsService]
***** xref:servlet/authentication/passwords/password-encoder.adoc[PasswordEncoder]
***** xref:servlet/authentication/passwords/dao-authentication-provider.adoc[DaoAuthenticationProvider]

12
docs/modules/ROOT/pages/servlet/authentication/passwords/credentials-container.adoc Normal file
View File

@ -0,0 +1,12 @@
[[servlet-authentication-credentialscontainer]]
= CredentialsContainer
{security-api-url}org/springframework/security/core/CredentialsContainer.html[The `CredentialsContainer`] interface indicates that the implementing object contains sensitive data, and is used internally by Spring Security to erase the authentication credentials after a successful authentication.
This interface is implemented by most of Spring Security internal domain classes, like {security-api-url}org/springframework/security/core/userdetails/User.html[User] and {security-api-url}org/springframework/security/authentication/UsernamePasswordAuthenticationToken.html[UsernamePasswordAuthenticationToken].
The `ProviderManager` manager checks whether the returned `Authentication` implements this interface.
If so, xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager-erasing-credentials[it calls the `eraseCredentials` method] to remove the credentials from the object.
If you want your custom authentication objects to have their credentials erased after authentication, you should ensure that the classes implement the `CredentialsContainer` interface.
Users who are writing their own `AuthenticationProvider` implementations should create and return an appropriate `Authentication` object there, minus any sensitive data, rather than using this interface.