java - Why does the Authentication object returned from authenticate(..) still need to contain credentials?

Tags: java spring authentication spring-security

I was just reading up on some specifications for an upcoming project and stumbled over the details of Spring Security's AuthenticationProvider interface.

For the method authenticate(Authentication authentication), the returned object is again an Authentication object. Spring's Javadoc says of the return value:

Returns: a fully authenticated object including credentials. May return null if the AuthenticationProvider is unable to support authentication of the passed Authentication object. In such a case, the next AuthenticationProvider that supports the presented Authentication class will be tried.

Why should that object still contain the credentials after I have authenticated successfully? That makes no sense to me. After authentication I would want to clear all information about the credentials immediately, or why shouldn't I?

Accepted answer

Spring Security does remove sensitive credential information; see the Spring Security Reference:

10.1.1 Erasing Credentials on Successful Authentication

By default (from Spring Security 3.1 onwards) the ProviderManager will attempt to clear any sensitive credentials information from the Authentication object which is returned by a successful authentication request. This prevents information like passwords being retained longer than necessary.

This may cause issues when you are using a cache of user objects, for example, to improve performance in a stateless application. If the Authentication contains a reference to an object in the cache (such as a UserDetails instance) and this has its credentials removed, then it will no longer be possible to authenticate against the cached value. You need to take this into account if you are using a cache. An obvious solution is to make a copy of the object first, either in the cache implementation or in the AuthenticationProvider which creates the returned Authentication object. Alternatively, you can disable the eraseCredentialsAfterAuthentication property on ProviderManager. See the Javadoc for more information.
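The following is an added example, not code from the question, the answer or the Spring Security project. It shows the behaviour the quoted reference describes: a default ProviderManager erases the credentials on the returned token, and because UsernamePasswordAuthenticationToken also erases a principal that implements CredentialsContainer (as User does), a provider that hands back a cached UserDetails instance silently poisons the cache, so the next login against it fails. It then shows the two fixes the reference names (copying the object, or disabling eraseCredentialsAfterAuthentication). It assumes spring-security-core is on the classpath; the in-memory cache, the user "alice" and the plain-text password comparison are constructed for the demo and stand in for a real UserDetailsService and PasswordEncoder.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class EraseCredentialsDemo {

    // Constructed stand-in for a user cache (e.g. the cache in front of a UserDetailsService).
    static final Map<String, UserDetails> CACHE = new ConcurrentHashMap<>();

    static void seedCache() {
        // Constructed sample user; a real application stores an encoded password, never plain text.
        CACHE.put("alice", User.withUsername("alice").password("s3cret").authorities("ROLE_USER").build());
    }

    // Constant-time comparison of the presented password with the cached one.
    // Returns false once the cached password has been erased (null).
    static boolean passwordMatches(UserDetails cached, String presented) {
        String stored = cached.getPassword();
        if (stored == null) return false;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Naive provider: returns the cached UserDetails instance itself as the principal. */
    static class SharingProvider implements AuthenticationProvider {
        UserDetails lookup(Authentication auth) {
            UserDetails cached = CACHE.get(auth.getName());
            String presented = String.valueOf(auth.getCredentials());
            if (cached == null || !passwordMatches(cached, presented)) {
                throw new BadCredentialsException("Bad credentials");
            }
            return cached;
        }

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            UserDetails cached = lookup(auth);
            // Sharing the cached object means ProviderManager's eraseCredentials() reaches into the cache.
            return new UsernamePasswordAuthenticationToken(cached, auth.getCredentials(), cached.getAuthorities());
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    /** Fixed provider: copies the cached object, so only the copy has its password erased. */
    static class CopyingProvider extends SharingProvider {
        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            UserDetails copy = User.withUserDetails(lookup(auth)).build();
            return new UsernamePasswordAuthenticationToken(copy, auth.getCredentials(), copy.getAuthorities());
        }
    }

    public static void main(String[] args) {
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "s3cret");

        // 1. Default ProviderManager with the sharing provider: token AND cache lose the password.
        seedCache();
        ProviderManager sharing = new ProviderManager(List.of(new SharingProvider()));
        Authentication result = sharing.authenticate(request);
        System.out.println("token credentials after auth: " + result.getCredentials());      // null
        System.out.println("cached password after auth:   " + CACHE.get("alice").getPassword()); // null
        try {
            sharing.authenticate(request);
        } catch (BadCredentialsException e) {
            System.out.println("second login against poisoned cache fails: " + e.getMessage());
        }

        // 2. Copying provider: the token is erased, the cache keeps its password, re-login works.
        seedCache();
        ProviderManager copying = new ProviderManager(List.of(new CopyingProvider()));
        copying.authenticate(request);
        System.out.println("cached password with copy:    " + CACHE.get("alice").getPassword()); // s3cret
        System.out.println("re-login ok: " + copying.authenticate(request).isAuthenticated());   // true

        // 3. Alternative from the reference: disable erasure (the password then stays in the token).
        seedCache();
        ProviderManager keeping = new ProviderManager(List.of(new SharingProvider()));
        keeping.setEraseCredentialsAfterAuthentication(false);
        System.out.println("credentials kept: " + keeping.authenticate(request).getCredentials()); // s3cret
    }
}
```

Option 3 answers the question directly: the provider contract returns the credentials so that ProviderManager (or the application) can decide when to erase them; with the default setting they are gone before the Authentication reaches the SecurityContext. Option 2 is the safer fix when a cache is involved, since it keeps that default.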

Regarding "java - Why does the Authentication object returned from authenticate(..) still need to contain credentials?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/42486735/
