diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
index 68dbef25f6..d75e02ceb6 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
@@ -78,6 +78,9 @@ public class AuthenticationManagerBuilder extends AbstractConfiguredSecurityBuil
 */
 public AuthenticationManagerBuilder parentAuthenticationManager(
 AuthenticationManager authenticationManager) {
+ if(authenticationManager instanceof ProviderManager) {
+ eraseCredentials(((ProviderManager) authenticationManager).isEraseCredentialsAfterAuthentication());
+ }
 this.parentAuthenticationManager = authenticationManager;
 return this;
 }
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
index ccb6da3544..906382c5e6 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
@@ -15,6 +15,7 @@
 */
 package org.springframework.security.config.annotation.authentication

+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
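Review bot: The new `instanceof ProviderManager` branch unconditionally overwrites the builder's erase-credentials setting, so an explicit `eraseCredentials(true)` made before `parentAuthenticationManager(...)` is silently discarded whenever the parent was built with `eraseCredentialsAfterAuthentication=false`, and the outcome now depends on call order (a parent that is not a `ProviderManager` leaves the setting untouched, which makes the behaviour harder to predict). Inheriting `false` is the security-relevant direction: the resulting manager keeps the raw credentials on the returned `Authentication`, and, judging by the added test, the password on the in-memory principal, which then lives in the SecurityContext for the session. Unless callers are meant to rely on this, consider recording whether `eraseCredentials(boolean)` was called explicitly (e.g. a `Boolean` field that stays `null` until set) and only copying the parent's value when it is still unset. At minimum the Javadoc above the hunk should state the side effect, e.g. `@param authenticationManager the parent; if it is a {@link ProviderManager}, its eraseCredentialsAfterAuthentication setting is copied to this builder, replacing any value previously set via {@link #eraseCredentials(boolean)}`. The method's Javadoc starts outside the hunk.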
@@ -89,4 +90,25 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 return super.authenticationManagerBean();
 }
 }
+
+ def "SEC-2533: global authentication-manager@erase-credentials=false"() {
+ when:
+ loadConfig(GlobalEraseCredentialsFalseConfig)
+ Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
+ then:
+ auth.credentials == "password"
+ auth.principal.password == "password"
+ }
+
+ @EnableWebSecurity
+ @Configuration
+ static class GlobalEraseCredentialsFalseConfig extends WebSecurityConfigurerAdapter {
+ @Autowired
+ public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+ auth
+ .eraseCredentials(false)
+ .inMemoryAuthentication()
+ .withUser("user").password("password").roles("USER")
+ }
+ }
 }
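Review bot: The new spec only pins the `eraseCredentials(false)` path, so a regression that propagates the wrong value from the parent (or stops propagating at all) would only be caught in one direction. A sibling case with the same configuration minus `.eraseCredentials(false)` that asserts `auth.credentials == null` would document the secure default and show that inheriting the parent's setting works both ways. The assertion on `auth.principal.password` presumably depends on the in-memory `UserDetails` not being a copy; if that ever changes the test would fail for an unrelated reason, so a short comment stating what is being checked (credentials retained on both the token and the principal) would help the next maintainer.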