mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-09 03:52:48 +00:00
When the principal of the Authentication is an object, it is not necessarily an User: it could be another implementation of UserDetails, or even a completely unrelated type. Since the type of the object is serialized as a property and used by the deserialization anyway, there's no point in enforcing a stricter type.