
Is it safe to store a password in the SecurityContext in a custom Authentication implementation?

I have created a custom AuthenticationProvider, so I have to return an Authentication implementation with the username and password of the user (for example UsernamePasswordAuthenticationToken or a custom implementation). This instance of the Authentication implementation will be stored in the SecurityContext. Is this a good practice? Is the password safely stored? Thanks!

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    // Application-specific SSO client (not part of Spring Security)
    @Autowired
    private SSOClient ssoClient;

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String id = authentication.getName();
        String password = authentication.getCredentials().toString();

        // Verify the credentials against SSO, then build the token that
        // ends up in the SecurityContext (application-specific class).
        ssoClient.login(id, password);
        return new CustomAuthenticationToken(id, password);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

}

I think it's not safe to store the password in the security context, as the security context is accessible across the application. I recommend we use the password from the UsernamePasswordAuthenticationToken to authenticate and get rid of it.
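An added example (not the poster's code and not Spring Security's own) of the pattern the answer recommends: the password is used exactly once to log in against SSO, and the token returned for the SecurityContext carries null credentials. `SsoClient` is an assumed interface whose `login` is assumed to return the user's role names or throw a runtime exception on failure.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Verifies the submitted password against SSO, then returns an authenticated
 * token whose credentials are null, so no password reaches the SecurityContext.
 */
public class SsoAuthenticationProvider implements AuthenticationProvider {

    /** Assumed SSO client: returns the user's role names or throws on a bad login. */
    public interface SsoClient {
        List<String> login(String id, String password);
    }

    private final SsoClient ssoClient;

    public SsoAuthenticationProvider(SsoClient ssoClient) {
        this.ssoClient = ssoClient;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        String id = request.getName();
        Object raw = request.getCredentials();
        if (raw == null) {
            throw new BadCredentialsException("No credentials supplied");
        }
        List<String> roles;
        try {
            roles = ssoClient.login(id, raw.toString()); // the only use of the password
        } catch (RuntimeException e) {
            throw new BadCredentialsException("SSO login failed", e); // same message for user/password errors
        }
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(
                roles.stream().map(r -> "ROLE_" + r).toArray(String[]::new));
        // Principal = user id, credentials = null: the password stops here. The
        // three-argument constructor marks the token authenticated, and ProviderManager
        // also calls eraseCredentials() on the token it gets back by default.
        return new UsernamePasswordAuthenticationToken(id, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The request token built by the login filter still holds the password briefly, but it is not what gets stored; only the returned token is placed in the SecurityContext.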
