<authentication-manager erase-credentials="false">
...
</authentication-manager>
The erase-credentials default is true, which means that in
public Authentication authenticate(Authentication authentication) throws AuthenticationException
((CredentialsContainer) result).eraseCredentials(); is called before returning, to clear the credentials and so on, so when we use
SecurityContextImpl securityContextImpl = (SecurityContextImpl) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
Authentication authentication = securityContextImpl.getAuthentication();
// login password, unencrypted
String password = (String) authentication.getCredentials();
the password is always null.
When erase-credentials is set to false, this confidential information is not cleared, but it is recommended that you call eraseCredentials() explicitly after you have finished using it.
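The behaviour described above, as an added example that is not code from the original page: it builds a ProviderManager in Java, toggles the setter that corresponds to the erase-credentials attribute, and erases the password explicitly once it has been used. DemoProvider, the account alice/s3cret and the class name are constructed for the demo.

```java
import java.util.List;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.AuthorityUtils;

public class EraseCredentialsDemo {

    // Constructed provider for the demo: accepts one hard-coded test account.
    static class DemoProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if ("alice".equals(auth.getName()) && "s3cret".equals(auth.getCredentials())) {
                // The authenticated token still carries the submitted password.
                return new UsernamePasswordAuthenticationToken(auth.getName(),
                        auth.getCredentials(), AuthorityUtils.createAuthorityList("ROLE_USER"));
            }
            throw new BadCredentialsException("bad credentials");
        }

        @Override
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    static Authentication login(boolean eraseCredentials) {
        ProviderManager manager = new ProviderManager(List.of(new DemoProvider()));
        // Java equivalent of the erase-credentials XML attribute (default: true).
        manager.setEraseCredentialsAfterAuthentication(eraseCredentials);
        return manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
    }

    public static void main(String[] args) {
        Authentication erased = login(true);
        System.out.println("default, credentials present: " + (erased.getCredentials() != null));

        Authentication kept = login(false);
        try {
            String password = (String) kept.getCredentials();
            System.out.println("erase disabled, credentials present: " + (password != null));
            // ... hand the password to the one component that needs it ...
        } finally {
            // Clear the secret as soon as it is no longer needed.
            if (kept instanceof CredentialsContainer) {
                ((CredentialsContainer) kept).eraseCredentials();
            }
        }
        System.out.println("after eraseCredentials(), present: " + (kept.getCredentials() != null));
    }
}
```

The example needs spring-security-core on the classpath and Java 9 or later for List.of.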
How to keep Spring Security's default ProviderManager from erasing passwords and other information