SEC-2468: JdbcUserDetailsManager#createNewAuthentication uses null credentials

2025-06-25 13:32:30 +00:00 · 2014-02-14 16:51:54 -06:00 · 2014-02-14 16:51:54 -06:00 · ac6cf5396a
commit ac6cf5396a
parent 5a2e99c940
2 changed files with 11 additions and 2 deletions
--- a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
+++ b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
@ -221,7 +221,7 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
        UserDetails user = loadUserByUsername(currentAuth.getName());

        UsernamePasswordAuthenticationToken newAuthentication =
-                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
+                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        newAuthentication.setDetails(currentAuth.getDetails());

        return newAuthentication;
--- a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
+++ b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
@ -168,7 +168,7 @@ public class JdbcUserDetailsManagerTests {
        Authentication newAuth = SecurityContextHolder.getContext().getAuthentication();
        assertEquals("joe", newAuth.getName());
        assertEquals(currentAuth.getDetails(), newAuth.getDetails());
-        assertEquals("newPassword", newAuth.getCredentials());
+        assertNull(newAuth.getCredentials());
        assertFalse(cache.getUserMap().containsKey("joe"));
    }

@ -302,6 +302,15 @@ public class JdbcUserDetailsManagerTests {
        assertEquals(0, template.queryForList(SELECT_JOE_AUTHORITIES_SQL).size());
    }

+    // SEC-2166
+    @Test
+    public void createNewAuthenticationUsesNullPasswordToKeepPassordsSave() {
+        insertJoe();
+        UsernamePasswordAuthenticationToken currentAuth = new UsernamePasswordAuthenticationToken("joe",null, AuthorityUtils.createAuthorityList("ROLE_USER"));
+        Authentication updatedAuth = manager.createNewAuthentication(currentAuth, "new");
+        assertNull(updatedAuth.getCredentials());
+    }
+
    private Authentication authenticateJoe() {
        UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken("joe","password", joe.getAuthorities());