Security cache disabled by default

adrienlauer · adrienlauer · commit 51292939cf61 · 2019-12-16T15:36:20.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,10 @@
 # Version 3.9.1 (2019-12-12)
 
-* [chg] `AbstractTransactionManager` is now scoped as package.
 * [new] Support for programmatic login through `SecuritySupport` interface (no need for Shiro-specific code anymore).
 * [chg] Obtaining principals by type now honors inheritance (instead of returning principals of the exact specified type).
 * [chg] Principals are no longer required to be serializable.
+* [chg] `AbstractTransactionManager` is now scoped as package.
+* [fix] Security authentication and authorization caches are now disabled by default (avoiding to keep credentials indefinitely in memory).
 
 # Version 3.9.0 (2019-08-12)
 
diff --git a/security/core/src/main/java/org/seedstack/seed/security/SecurityConfig.java b/security/core/src/main/java/org/seedstack/seed/security/SecurityConfig.java
@@ -286,7 +286,7 @@ public AuthenticationConfig setCredentialsMatcher(Class<? extends CredentialsMat
     @Config("cache")
     public static class CacheConfig {
         @SingleValue
-        private boolean enabled = true;
+        private boolean enabled = false;
         private ItemCacheConfig authentication = new ItemCacheConfig();
         private ItemCacheConfig authorization = new ItemCacheConfig();
         private Class<? extends CacheManager> manager = MemoryConstrainedCacheManager.class;
diff --git a/security/core/src/test/resources/application.yaml b/security/core/src/test/resources/application.yaml
@@ -10,6 +10,7 @@ logging: INFO
 security:
   realms: [ConfigurationRealm, X509CertificateRealm]
   cache:
+    enabled: true
     manager: org.seedstack.seed.security.fixtures.TestCacheManager
   users:
     Obiwan:
