From b4fbabdbfd22bf52c4e7d6b62edec7e0f8f63f7e Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Fri, 20 Jul 2012 15:26:23 -0500
Subject: [PATCH] SEC-2012: Remove incorrect javadoc from UserDetails#getPassword()

Previously the javadoc stated that password could not be null. However, since the introduction of CredentialsContainer introduced in SEC-1493 the password can be null. The changes remove the statement that passwords cannot be null. While this is a non-passive change to the interface, the current state leaves no choice for a non-passive change. Removing the javadoc was determined the better option since erasing the credentials was an explicit feature request. Note that replacing the password with an obscure String can be risky as it introduces the risk that the value is used to authenticate.
---
 .../springframework/security/core/userdetails/UserDetails.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java b/core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java
index a91e43335a..643706e3cf 100644
--- a/core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java
+++ b/core/src/main/java/org/springframework/security/core/userdetails/UserDetails.java
@@ -55,7 +55,7 @@ public interface UserDetails extends Serializable {
     /**
      * Returns the password used to authenticate the user. Cannot return null.
      *
-     * @return the password (never null)
+     * @return the password
      */
     String getPassword();
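Review bot: The unchanged context line `* Returns the password used to authenticate the user. Cannot return null.` still promises a non-null result, so after this change the method description and the `@return` tag contradict each other. Since the commit message explains that the password may be null once CredentialsContainer has erased the credentials, that sentence should be dropped or replaced, e.g. `* Returns the password used to authenticate the user. May be {@code null} once the credentials have been erased; callers must not assume a non-null value.` Stating this at the interface is what steers implementers away from substituting a placeholder string, the risk the commit message itself calls out, and it tells callers that compare against the returned value to handle the null case explicitly rather than relying on an implicit contract. The enclosing `UserDetails` interface begins outside the hunk.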