SEC-1804: Update InMemoryDaoImpl to use User class directly and create a copy. Otherwise credentials are cleared on cached user instances.

core/src/main/java/org/springframework/security/core/userdetails/memory/InMemoryDaoImpl.java

@@ -53,8 +53,7 @@ public class InMemoryDaoImpl implements UserDetailsService, InitializingBean {
         return userMap;
     }
 
-    public UserDetails loadUserByUsername(String username)
-        throws UsernameNotFoundException, DataAccessException {
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
         return userMap.getUser(username);
     }
 

core/src/main/java/org/springframework/security/core/userdetails/memory/UserMap.java

@@ -18,6 +18,7 @@ package org.springframework.security.core.userdetails.memory;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.apache.commons.logging.Log;
@@ -39,7 +40,7 @@ public class UserMap {
 
     //~ Instance fields ================================================================================================
 
-    private Map<String, UserDetails> userMap = new HashMap<String, UserDetails>();
+    private Map<String, User> userMap = new HashMap<String, User>();
 
     //~ Methods ========================================================================================================
 
@@ -50,7 +51,7 @@ public class UserMap {
      *
      * @throws IllegalArgumentException if a null User was passed
      */
-    public void addUser(UserDetails user) throws IllegalArgumentException {
+    public void addUser(User user) throws IllegalArgumentException {
         Assert.notNull(user, "Must be a valid User");
 
         logger.info("Adding user [" + user + "]");
@@ -66,14 +67,15 @@ public class UserMap {
      *
      * @throws UsernameNotFoundException if the user could not be found
      */
-    public UserDetails getUser(String username) throws UsernameNotFoundException {
-        UserDetails result = this.userMap.get(username.toLowerCase());
+    public User getUser(String username) throws UsernameNotFoundException {
+        User result = this.userMap.get(username.toLowerCase());
 
         if (result == null) {
             throw new UsernameNotFoundException("Could not find user: " + username, username);
         }
 
-        return result;
+        return new User(result.getUsername(), result.getPassword(), result.isEnabled(), result.isAccountNonExpired(),
+                result.isCredentialsNonExpired(), result.isAccountNonLocked(), result.getAuthorities());
     }
 
     /**
@@ -88,10 +90,10 @@ public class UserMap {
     /**
      * Set the users in this {@link UserMap}. Overrides previously added users.
      *
-     * @param users {@link Map} &lt;{@link String}, {@link UserDetails}> with pairs (username, userdetails)
+     * @param users {@link Map} &lt;{@link String}, {@link User}> with pairs (username, userdetails)
      * @since 1.1
      */
-    public void setUsers(Map<String, UserDetails> users) {
+    public void setUsers(Map<String, User> users) {
         this.userMap = users;
     }
 }

core/src/main/java/org/springframework/security/core/userdetails/memory/UserMapEditor.java

@@ -60,9 +60,8 @@ public class UserMapEditor extends PropertyEditorSupport {
 
             // Make a user object, assuming the properties were properly provided
             if (attr != null) {
-                UserDetails user = new User(username, attr.getPassword(), attr.isEnabled(), true, true, true,
-                        attr.getAuthorities());
-                userMap.addUser(user);
+                userMap.addUser(new User(username, attr.getPassword(), attr.isEnabled(), true, true, true,
+                        attr.getAuthorities()));
             }
         }
 

core/src/test/java/org/springframework/security/core/userdetails/memory/UserMapTests.java

@@ -34,11 +34,11 @@ public class UserMapTests {
 
     @Test
     public void testAddAndRetrieveUser() {
-        UserDetails rod = new User("rod", "koala", true, true, true, true,
+        User rod = new User("rod", "koala", true, true, true, true,
                 AuthorityUtils.createAuthorityList("ROLE_ONE","ROLE_TWO"));
-        UserDetails scott = new User("scott", "wombat", true, true, true, true,
+        User scott = new User("scott", "wombat", true, true, true, true,
                 AuthorityUtils.createAuthorityList("ROLE_ONE","ROLE_THREE"));
-        UserDetails peter = new User("peter", "opal", true, true, true, true,
+        User peter = new User("peter", "opal", true, true, true, true,
                 AuthorityUtils.createAuthorityList("ROLE_ONE","ROLE_FOUR"));
         UserMap map = new UserMap();
         map.addUser(rod);
@@ -66,7 +66,7 @@ public class UserMapTests {
 
     @Test
     public void unknownUserIsNotRetrieved() {
-        UserDetails rod = new User("rod", "koala", true, true, true, true,
+        User rod = new User("rod", "koala", true, true, true, true,
                 AuthorityUtils.createAuthorityList("ROLE_ONE","ROLE_TWO"));
         UserMap map = new UserMap();
         assertEquals(0, map.getUserCount());