Currently, the StormpathUserDetails object retains the user's password after a successful authentication, this must be fixed to clear the password and not keeping it in the session.

The logic in lookupPermissionStrings appears to indicate that the CustomDataPermissionsEditor expects the CustomData for a user to include a key named fieldName whose value is some Collection<String>, but the verification logic is a bit odd, and it throws an inappropriate exception for the point at which it's validating that assumption.

• Is that whole method in fact just a wrapper to get such a collection identified by the fieldName key?
• If the Collection contents of the key have a different contained type, is it better to throw an exception or coerce them all through toString?
• If throwing an exception is the appropriate action there, is there a strong reason not to run through these checks eagerly when creating the editor object?

I note that your code tends to be space-formatted instead of tab-formatted (Eclipse defaults to 4-space tabs inline). Is this a particular formatting choice for your project that submissions need to match?

This library and the core stormpath libraries are out of sync. With 1.0.beta, there were some interfaces that got broken, namely the client builder.

While the purpose of SpringSecurityResolvedAccountFilter is clear to me, I have a feeling it should not produce a new Authentication every time it runs. Each authentication means reading the Groups the user is member of, and this is very costly as collections are not (yet) cached.

I think the SpringSecurityResolvedAccountFilter should check if the current Authentication (the user href inside the UserDetails) matches the account resolved from request (probably from cookie param). Only if the authentication in the context does not match, or does not exist, a new authentication should be performed.

I've modified the filter to meet those needs and it works quite good, eliminating the communication to Stormpath on every possible request. The performance gains are very noticable, esp. where there are a lot of resources to load (css, js, images)