diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc
index edc2ce6aaf5..7b9aa9df149 100644
--- a/docs/modules/ROOT/nav.adoc
+++ b/docs/modules/ROOT/nav.adoc
@@ -38,6 +38,7 @@
 ***** xref:servlet/authentication/passwords/in-memory.adoc[In Memory]
 ***** xref:servlet/authentication/passwords/jdbc.adoc[JDBC]
 ***** xref:servlet/authentication/passwords/user-details.adoc[UserDetails]
+***** xref:servlet/authentication/passwords/credentials-container.adoc[CredentialsContainer]
 ***** xref:servlet/authentication/passwords/user-details-service.adoc[UserDetailsService]
 ***** xref:servlet/authentication/passwords/password-encoder.adoc[PasswordEncoder]
 ***** xref:servlet/authentication/passwords/dao-authentication-provider.adoc[DaoAuthenticationProvider]
diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/credentials-container.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/credentials-container.adoc
new file mode 100644
index 00000000000..b35795edc01
--- /dev/null
+++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/credentials-container.adoc
@@ -0,0 +1,12 @@
+[[servlet-authentication-credentialscontainer]]
+= CredentialsContainer
+
+{security-api-url}org/springframework/security/core/CredentialsContainer.html[The `CredentialsContainer`] interface indicates that the implementing object contains sensitive data, and is used internally by Spring Security to erase the authentication credentials after a successful authentication.
+This interface is implemented by most of Spring Security internal domain classes, like {security-api-url}org/springframework/security/core/userdetails/User.html[User] and {security-api-url}org/springframework/security/authentication/UsernamePasswordAuthenticationToken.html[UsernamePasswordAuthenticationToken].
+
+The `ProviderManager` manager checks whether the returned `Authentication` implements this interface.
+If so, xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager-erasing-credentials[it calls the `eraseCredentials` method] to remove the credentials from the object.
+
+If you want your custom authentication objects to have their credentials erased after authentication, you should ensure that the classes implement the `CredentialsContainer` interface.
+
+Users who are writing their own `AuthenticationProvider` implementations should create and return an appropriate `Authentication` object there, minus any sensitive data, rather than using this interface.