Reputation: 2780
Using Spring Security, I have a DaoAuthenticationProvider described like here:
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/dao-provider.html
I also have caching (also like it's described in that article).
The problem is that when a request comes in with a good username (that is already in the cache) but a bad password, it returns the user from the cache as if it were a good username/password. Because it uses the username as the key, the password is not involved at all.
The exact code that returns the user from the cache:
UserDetails user = this.userCache.getUserFromCache(username);
Has anybody ever dealt with this problem before? I can also check if the password is the same, but it would be a custom thing.
Thank you.
Upvotes: 0
Views: 4255
Reputation: 895
If you configured your application with the standard components, the scenario should be as follows:

At user request arrival the Authentication object is created and populated with the username and password supplied by the user.

User details are retrieved: if possible, UserCache is used to retrieve previously cached user details (i.e. getUserFromCache is called either by implementations of UserDetailsService or AuthenticationProvider before the call to AuthenticationManager is performed). And it is 100% OK that the user details from the cache will come with the good password.

After basic pre-authentication checks (credentials expiration etc.) the actual authentication occurs. At this point the password from the cached user details is compared to the password stored in the supplied Authentication object (which currently contains the wrong password). At this point the authentication attempt fails.

However, if you implement your own AuthenticationProvider or AuthenticationManager, you are responsible for password checking.
Upvotes: 2
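The two-step flow the answer describes (look the user up, possibly from a username-keyed cache, then compare the presented password against the stored one on every attempt) as an added, stand-alone example. This is not code from the question, the answer, or Spring Security itself: it uses no Spring classes, and the UserDetails, UserCache, DbUserDetailsService and Provider types, the hypothetical user "alice", and the unsalted SHA-256 stand-in for the configured PasswordEncoder are all assumptions made for the demonstration. The naiveAuthenticate method shows the behaviour the question worries about (treating a cache hit as a successful login) next to the correct flow.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Constructed model of the DaoAuthenticationProvider + UserCache flow. No Spring dependency;
// every type below is a stand-in named after the Spring component it mimics.
public class CachedDaoAuthDemo {

    // Stand-in for Spring's UserDetails: username plus the stored password hash.
    static final class UserDetails {
        final String username;
        final byte[] passwordHash;
        UserDetails(String username, byte[] passwordHash) {
            this.username = username;
            this.passwordHash = passwordHash;
        }
    }

    static final class UsernameNotFoundException extends RuntimeException {
        UsernameNotFoundException(String m) { super(m); }
    }
    static final class BadCredentialsException extends RuntimeException {
        BadCredentialsException(String m) { super(m); }
    }

    // Stand-in for a database-backed UserDetailsService. The table is constructed sample data.
    static final class DbUserDetailsService {
        private final Map<String, byte[]> table = new HashMap<>();
        int dbLoads = 0; // counts real "database" round trips so cache hits are visible
        DbUserDetailsService() { table.put("alice", hash("correct horse")); }
        UserDetails loadUserByUsername(String username) {
            dbLoads++;
            byte[] h = table.get(username);
            if (h == null) throw new UsernameNotFoundException(username);
            return new UserDetails(username, h);
        }
    }

    // Stand-in for UserCache: keyed by username only, exactly as the question observes.
    static final class UserCache {
        private final Map<String, UserDetails> cache = new HashMap<>();
        UserDetails getUserFromCache(String username) { return cache.get(username); }
        void putUserInCache(UserDetails user) { cache.put(user.username, user); }
    }

    // Stand-in for DaoAuthenticationProvider.
    static final class Provider {
        final DbUserDetailsService dao;
        final UserCache userCache = new UserCache();
        Provider(DbUserDetailsService dao) { this.dao = dao; }

        // Step 1 (retrieveUser): a cache hit only saves the database round trip.
        // It says nothing about whether the presented password is right.
        UserDetails retrieveUser(String username) {
            UserDetails user = userCache.getUserFromCache(username);
            if (user == null) {
                user = dao.loadUserByUsername(username);
                userCache.putUserInCache(user);
            }
            return user;
        }

        // Step 2 (additionalAuthenticationChecks): runs on every attempt, cached or not.
        // MessageDigest.isEqual is a constant-time comparison.
        void additionalAuthenticationChecks(UserDetails user, String presentedPassword) {
            if (!MessageDigest.isEqual(user.passwordHash, hash(presentedPassword))) {
                throw new BadCredentialsException("bad credentials for " + user.username);
            }
        }

        // authenticate(): both steps together; true only if the password check passed.
        boolean authenticate(String username, String presentedPassword) {
            try {
                UserDetails user = retrieveUser(username);
                additionalAuthenticationChecks(user, presentedPassword);
                return true;
            } catch (UsernameNotFoundException | BadCredentialsException e) {
                return false;
            }
        }

        // WRONG, for contrast: the behaviour the question fears. A cache hit is treated as
        // a successful login and the presented password is never consulted.
        boolean naiveAuthenticate(String username, String presentedPassword) {
            return userCache.getUserFromCache(username) != null;
        }
    }

    // Stand-in for the configured PasswordEncoder. Unsalted SHA-256 is used only to keep the
    // example dependency-free; a real deployment uses a salted, slow password hash.
    static byte[] hash(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        DbUserDetailsService dao = new DbUserDetailsService();
        Provider provider = new Provider(dao);
        System.out.println("good password, cache miss: " + provider.authenticate("alice", "correct horse"));
        System.out.println("bad password, cache hit:   " + provider.authenticate("alice", "wrong"));
        System.out.println("good password, cache hit:  " + provider.authenticate("alice", "correct horse"));
        System.out.println("unknown user:              " + provider.authenticate("mallory", "anything"));
        System.out.println("database loads for alice:  " + dao.dbLoads);
        System.out.println("naive check, bad password: " + provider.naiveAuthenticate("alice", "wrong"));
    }
}
```

Compile and run with `javac CachedDaoAuthDemo.java && java CachedDaoAuthDemo`. The second attempt is refused even though the user came from the cache, because the password comparison in additionalAuthenticationChecks runs regardless of where the UserDetails came from; only naiveAuthenticate, which skips that step, lets the bad password through. Only the first attempt for "alice" reaches the database, which is the whole point of the cache.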
Reputation: 9845
What's the code that originally gets the user from the DB and caches it? Does it check the password? Sounds like you have an abstraction issue - Spring Security should not know where the user is coming from (DB or Cache) and should use the same logic either way.
Upvotes: 0