Expected Behavior
In Spring Security 5.6.2, the process of configuring AuthenticationManagerBuilder.eraseCredentials(false); is relatively intuitive, but it does not correspond to the instructions at https://docs.spring.io/spring-security/reference/servlet/configuration/java.html.
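```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import static org.springframework.security.config.Customizer.withDefaults;

// Excerpt: this class is nested inside an enclosing security configuration class.
@Order(1)
@Configuration
public static class ApiWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
            .httpBasic(withDefaults());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Keep credentials on the Authentication object after authentication.
        auth.eraseCredentials(false);
    }
}
```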
- This problem extends to the documentation of Spring Security 5.7.0-M3, and the lack of documentation brings more trouble to users; refer to https://docs.spring.io/spring-security/reference/5.7.0-M3/servlet/appendix/namespace/authentication-manager.html#nsa-authentication-manager-attributes.
Current Behavior
- I think a simple example should be added at https://docs.spring.io/spring-security/reference/5.7.0-M3/servlet/configuration/java.html to modify eraseCredentialsAfterAuthentication.
Context
No.
Comment From: sjohnr
Thanks for reaching out, @linghengqian! Would you be interested in submitting a PR to add an example to the documentation?
Comment From: linghengqian
> Thanks for reaching out, @linghengqian! Would you be interested in submitting a PR to add an example to the documentation?
Spring Security 5.7 has major changes in use cases, so I'm not sure the correct way I'm modifying this property in my custom DSL. I hope other friends could submit this PR.
Comment From: sjohnr
Not a problem, @linghengqian. Thanks.
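
An added example, not part of the issue thread and not the project's own code: one way to keep credentials after authentication in Spring Security 5.7 without WebSecurityConfigurerAdapter is to publish a ProviderManager bean and call setEraseCredentialsAfterAuthentication(false) on it. The class name, bean names and the in-memory user are assumptions constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig { // hypothetical class name
    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http, AuthenticationManager manager) throws Exception {
        http.authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .httpBasic(withDefaults())
            .authenticationManager(manager); // use the ProviderManager defined below
        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService users, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        ProviderManager manager = new ProviderManager(provider);
        // Equivalent of AuthenticationManagerBuilder.eraseCredentials(false); the default is true.
        manager.setEraseCredentialsAfterAuthentication(false);
        return manager;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService users(PasswordEncoder encoder) { // constructed sample user
        return new InMemoryUserDetailsManager(User.withUsername("user")
            .password(encoder.encode("constructed-password")).roles("USER").build());
    }
}
```

With erasure disabled, the submitted password stays readable through Authentication.getCredentials() for as long as the Authentication is held in the SecurityContext, so turn it off only where downstream code needs the raw credential.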