I have created a custom AuthenticationProvider, so I have to return an Authentication implementation with the username and password of the user (for example UsernamePasswordAuthenticationToken or a custom implementation). This instance of the Authentication implementation will be stored in the SecurityContext. Is this a good practice? Is the password safely stored? Thanks!
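import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private SSOClient ssoClient;

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String id = authentication.getName();
        String password = authentication.getCredentials().toString();
        // Validate the submitted credentials against the SSO service
        ssoClient.login(id, password);
        // The password is carried in the returned token, which is stored in the SecurityContext
        return new CustomAuthenticationToken(id, password);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handle username/password login requests
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}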
I think it's not safe to store the password in the security context, as the security context is accessible across the application. I recommend we use the password from the UsernamePasswordAuthenticationToken to authenticate and get rid of it.
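One way to do what the answer recommends, as an added example that is not code from the original post: the provider uses the password only for the SSO call and returns a token whose credentials are null. The SsoLogin interface is a hypothetical stand-in for the question's SSOClient (assumed to throw when login fails), and ROLE_USER is a placeholder authority.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class PasswordFreeAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical stand-in for the question's SSOClient; assumed to throw when login fails. */
    public interface SsoLogin {
        void login(String id, String password) throws Exception;
    }

    private final SsoLogin ssoClient;

    public PasswordFreeAuthenticationProvider(SsoLogin ssoClient) {
        this.ssoClient = ssoClient;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String id = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            throw new BadCredentialsException("No credentials presented");
        }
        try {
            // The password is used only for this call and is never copied into the result.
            ssoClient.login(id, credentials.toString());
        } catch (Exception e) {
            throw new BadCredentialsException("SSO login failed", e);
        }
        // The three-argument constructor marks the token as authenticated. Credentials are
        // null, so no secret is placed in the SecurityContext or the session that persists it.
        return new UsernamePasswordAuthenticationToken(
                id, null, List.of(new SimpleGrantedAuthority("ROLE_USER"))); // placeholder role
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Spring Security's ProviderManager also calls eraseCredentials() by default on any returned Authentication that implements CredentialsContainer, which UsernamePasswordAuthenticationToken does. A custom token that stores the password in its own field is only cleared if it implements that interface itself.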