
Grails 3 - springSecurity reauthenticate with password


I've just happened to notice that using

springSecurityService.reauthenticate(userid, password)

for manual user authentication (in a controller) succeeds regardless of the value for password, i.e. correct password, wrong password, null password, etc.

Am I missing something?
The declaration of springSecurityService's method is
void reauthenticate(String username, String password = null)
so at first I was pretty confident that a password check was in place.

Config

  • Grails 3.2.4
  • Spring Security Plugin (core) 3.1.1

Solution

  • The reauthenticate method updates the current security context with the UserDetails instance found by the email you provide to the reauthenticate method. It does not perform any validation, as it is an internal call. It also removes the user from the user cache to force a refresh at next login.

    So if you do not pass the password parameter, it is going to use the password from the UserDetails instance and set the authentication context with these details.

    Have a look at the code here

    I hope this helps.
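As an added example (not code from the question, the answer, or the plugin), here is the unsafe pattern described above beside a manual login that does verify the password by delegating to Spring Security's AuthenticationManager. The controller and action names are assumed; `authenticationManager` and `springSecurityService` are the beans the plugin registers.

```groovy
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.AuthenticationException
import org.springframework.security.core.context.SecurityContextHolder

// Hypothetical controller, used only to contrast the two approaches.
class ManualLoginController {

    // Registered by the Spring Security plugin; runs the configured
    // authentication providers, and therefore the password check.
    AuthenticationManager authenticationManager

    // Registered by the plugin; used here only to show the unsafe variant.
    def springSecurityService

    // UNSAFE: establishes a session for `username` whatever `password` holds,
    // because reauthenticate() never consults the password (see the answer above).
    def loginUnsafe(String username, String password) {
        springSecurityService.reauthenticate(username, password)
        redirect uri: '/'
    }

    // HARDENED: the AuthenticationManager verifies the credentials against the
    // user store; only a successful result is placed in the security context.
    def loginChecked(String username, String password) {
        try {
            Authentication request = new UsernamePasswordAuthenticationToken(username, password)
            Authentication result = authenticationManager.authenticate(request)
            SecurityContextHolder.context.authentication = result
            redirect uri: '/'
        } catch (BadCredentialsException e) {
            // Wrong or null password: refuse, and do not reveal which part failed.
            log.warn "Manual login failed for ${username}"
            render status: 401
        } catch (AuthenticationException e) {
            // Locked, disabled or expired account, etc.
            log.warn "Authentication refused for ${username}: ${e.class.simpleName}"
            render status: 401
        }
    }
}
```

A null or wrong password in `loginChecked` ends in `BadCredentialsException` from the DaoAuthenticationProvider, whereas `loginUnsafe` would have logged the user in.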