Update comment in additionalAuthenticationChecks to clarify why our no-op implementation is ok #10140

Merged
Expand Up @@ -186,7 +186,10 @@ public GroupDetails loadGroupByGroupname(String groupname) throws org.acegisecur
class Authenticator extends AbstractUserDetailsAuthenticationProvider {
@Override
protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
// authentication is assumed to be done already in the retrieveUser method
// Authentication is done in the retrieveUser method. Note that this method being a no-op is only safe
// because we use Spring Security's default NullUserCache. If caching was enabled, it would be possible to
// log in as any cached user with any password unless we updated this method to check the provided
// authentication as recommended in the superclass method's documentation, so be careful reusing this code.
}

@Override
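
Review bot: The new comment on additionalAuthenticationChecks records that the no-op depends on the default NullUserCache, but nothing in this hunk enforces that, so a later change that enables a user cache on Authenticator would silently reintroduce the any-password login the comment warns about. Consider backing the comment with a check, for example a unit test or constructor assertion that getUserCache() returns a NullUserCache, so the invariant fails loudly instead of relying on readers noticing the comment. Minor wording point: "If caching was enabled" reads better as "If caching were enabled".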