8

I was using Spring 3 in my project and now upgraded to Spring 4.0.3.RELEASE. Now while using AuthenticationException.getAuthentication(), it says it is deprecated, but not able to find the alternative. Here is the code:

public ModelAndView init(HttpServletRequest request, HttpServletResponse response) {
    AuthenticationException exception = (AuthenticationException) request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);

    Authentication loginAuthentication = exception.getAuthentication();

    // Set the user name for the change password screen
    return new ModelAndView("common/changePassword", "userName", loginAuthentication.getPrincipal());   
}

Also the method setAuthentication(authentication) is deprecated. Is there any alternative for these two methods?

Ali Dehghani
  • 46,221
  • 15
  • 164
  • 151
jaind12
  • 123
  • 1
  • 12
  • http://stackoverflow.com/questions/32052076/how-to-get-the-current-logged-in-user-object-from-spring-security ? –  Sep 16 '16 at 05:54
  • 1
    I am not sure for alternative but can find reason for deprecation [here](http://docs.spring.io/autorepo/docs/spring-security/3.1.7.RELEASE/apidocs/org/springframework/security/core/AuthenticationException.html)....and also check [this](http://blog.solidcraft.eu/2011/04/spring-security-by-example-openid-login.html?showComment=1369334442380#c1072711203002013824) comment for more info – Prasanna Kumar H A Sep 16 '16 at 06:13
  • As NealeU said, relying logic needs re-thinking, but there's '''SecurityContextHolder.getContext().getAuthentication();''' from https://www.baeldung.com/get-user-in-spring-security – Smithfield Oct 10 '18 at 19:54

1 Answers1

2

There is no replacement, because this method was a security risk.

The latest Javadoc for the 3.x releases says:

@deprecated to avoid potential leaking of sensitive information (e.g. through serialization/remoting).

Any code that relied on this will need a little re-thinking.

NealeU
  • 1,264
  • 11
  • 23