Using Spring Security I have a UserDetails user = this.userCache.getUserFromCache(username);
If you configured your application with the standard components, the scenario should be as follows:

1. At user request arrival the Authentication object is created and populated with the username and password supplied by the user.

2. User details are retrieved: if possible, UserCache is used to retrieve previously cached user details (i.e. getUserFromCache is called by implementations of AuthenticationProvider before the call to AuthenticationManager is performed). And it is 100% OK that the user details from the cache will come with the good password.

3. After basic pre-authentication checks (credentials expiration etc.) the actual authentication occurs. At this point the password from the cached user details is compared to the password stored in the Authentication object supplied (which currently contains the wrong password). At this point the authentication attempt fails.

However, if you implement your own AuthenticationManager, you are responsible for password checking.
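The flow described in the answer, as an added example that is not part of the question or the answer: a DaoAuthenticationProvider is wired to a small map-backed UserCache, a first login with the right password populates the cache, and a second attempt with a wrong password is rejected even though the cached UserDetails carry the real (hashed) password. The last method shows the caveat from the final paragraph: a hand-rolled AuthenticationManager gets nothing for free and must call PasswordEncoder.matches itself. It assumes the Spring Security 5.x/6.x API (DaoAuthenticationProvider, ProviderManager, User.withUsername builder, InMemoryUserDetailsManager); the class name, the user "alice" and both passwords are constructed for the demo.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/** Constructed demo class; not part of Spring Security or of the original post. */
public class CachedAuthenticationDemo {

    /** Minimal UserCache backed by a map; counts hits so the cached path is visible. */
    static class MapUserCache implements UserCache {
        private final Map<String, UserDetails> cache = new ConcurrentHashMap<>();
        int hits = 0;

        @Override
        public UserDetails getUserFromCache(String username) {
            UserDetails user = cache.get(username);
            if (user != null) {
                hits++;
            }
            return user;
        }

        @Override
        public void putUserInCache(UserDetails user) {
            cache.put(user.getUsername(), user);
        }

        @Override
        public void removeUserFromCache(String username) {
            cache.remove(username);
        }
    }

    /** Standard components: DaoAuthenticationProvider + UserDetailsService + PasswordEncoder + UserCache. */
    static AuthenticationManager standardManager(UserCache userCache, PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")            // constructed sample user
                .password(encoder.encode("correct-horse"))          // stored as a bcrypt hash
                .roles("USER")
                .build();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(alice));
        provider.setPasswordEncoder(encoder);
        provider.setUserCache(userCache);   // getUserFromCache is consulted before the DB lookup
        return new ProviderManager(Collections.singletonList(provider));
    }

    /** The caveat: with your own AuthenticationManager, nobody compares passwords but you. */
    static AuthenticationManager handRolledManager(UserCache userCache, PasswordEncoder encoder) {
        return authentication -> {
            UserDetails cached = userCache.getUserFromCache(authentication.getName());
            String presented = String.valueOf(authentication.getCredentials());
            // Same message for "unknown user" and "wrong password" so the response
            // does not reveal which usernames exist.
            if (cached == null || !encoder.matches(presented, cached.getPassword())) {
                throw new BadCredentialsException("Bad credentials");
            }
            return new UsernamePasswordAuthenticationToken(cached, null, cached.getAuthorities());
        };
    }

    public static void main(String[] args) {
        MapUserCache cache = new MapUserCache();
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        AuthenticationManager manager = standardManager(cache, encoder);

        // 1. Correct password: cache miss, user loaded via UserDetailsService, then cached.
        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct-horse"));
        System.out.println("authenticated=" + ok.isAuthenticated() + ", cache hits=" + cache.hits);

        // 2. Wrong password: the cached UserDetails (holding the real hash) are compared with
        //    the supplied credentials and the attempt fails, exactly as the answer describes.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage() + ", cache hits=" + cache.hits);
        }

        // 3. Hand-rolled manager reusing the now-populated cache: it must do the matching itself.
        try {
            handRolledManager(cache, encoder).authenticate(
                    new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("hand-rolled manager rejected: " + e.getMessage());
        }
    }
}
```

Step 1 shows zero cache hits because DaoAuthenticationProvider only caches a user after a successful authentication; step 2 shows one hit, and the failure comes from comparing the supplied credentials with the cached hash. If you drop the encoder.matches call from handRolledManager, every login with a cached username succeeds, which is the situation the answer's last sentence warns about.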