11 жил өмнө · ac6cf5396a
--- a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
+++ b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
@@ -221,7 +221,7 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
 
															         UserDetails user = loadUserByUsername(currentAuth.getName());
														
 
															         UsernamePasswordAuthenticationToken newAuthentication =
														
 
															-                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
														
 
															+                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
														
 
															         newAuthentication.setDetails(currentAuth.getDetails());
														
 
															         return newAuthentication;
														
--- a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
+++ b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
@@ -168,7 +168,7 @@ public class JdbcUserDetailsManagerTests {
 
															         Authentication newAuth = SecurityContextHolder.getContext().getAuthentication();
														
 
															         assertEquals("joe", newAuth.getName());
														
 
															         assertEquals(currentAuth.getDetails(), newAuth.getDetails());
														
 
															-        assertEquals("newPassword", newAuth.getCredentials());
														
 
															+        assertNull(newAuth.getCredentials());
														
 
															         assertFalse(cache.getUserMap().containsKey("joe"));
														
 
															     }
														
@@ -302,6 +302,15 @@ public class JdbcUserDetailsManagerTests {
 
															         assertEquals(0, template.queryForList(SELECT_JOE_AUTHORITIES_SQL).size());
														
 
															     }
														
 
															+    // SEC-2166
														
 
															+    @Test
														
 
															+    public void createNewAuthenticationUsesNullPasswordToKeepPassordsSave() {
														
 
															+        insertJoe();
														
 
															+        UsernamePasswordAuthenticationToken currentAuth = new UsernamePasswordAuthenticationToken("joe",null, AuthorityUtils.createAuthorityList("ROLE_USER"));
														
 
															+        Authentication updatedAuth = manager.createNewAuthentication(currentAuth, "new");
														
 
															+        assertNull(updatedAuth.getCredentials());
														
 
															+    }
														
 
															+
														
 
															     private Authentication authenticateJoe() {
														
 
															         UsernamePasswordAuthenticationToken auth =
														
 
															                 new UsernamePasswordAuthenticationToken("joe","password", joe.getAuthorities());