
For a Grails app we're using the Spring Security plugin, and planning on using an Amazon Redis store for user session storage. This is functional, except currently the user session object that's serialized to the store includes all the properties, including password, in the clear.

It doesn't seem like the password property should be serialized anyway - is that right? If so, is there a way to exclude properties from session serialization with spring security in grails?

Dan Tanner

Comment: this may help you: http://stackoverflow.com/questions/6899566/use-existing-domain-classes-with-spring-security-plugin – fabiangebert Oct 19 '13 at 16:54

1 Answer


There's a setting to clear the password from the Authentication after successfully authenticating. It defaults to false in Spring Security 3.0 but can be enabled:

grails.plugins.springsecurity.providerManager.eraseCredentialsAfterAuthentication = true

This defaults to true in the 2.0 version of the plugin, so if you upgrade you can omit this override.

Burt Beckwith