Password Management

The passwords for all Cúram internal and external users are stored in digest form on the Cúram Users and ExternalUsers database tables. When the Cúram JAAS login module receives a password, it digests the password before passing it to the login bean for comparison. Digesting is a one-way process: the plain-text password cannot be recovered from the stored value. The digest stored for the user on the database is produced with the same digest algorithm, subject to your crypto settings, so the two digests can be compared with each other while the password itself remains protected. Note that the comparison only succeeds when both digests were produced under the same settings; a stored digest produced under different crypto settings will not match.

Users managed externally, for example via LDAP with Cúram configured for identity-only authentication, are not subject to the above process. When authenticating against a third-party system (e.g., LDAP or an SSO server) where the Cúram application must pass the user-entered credentials on to that system, a custom implementation of curam.util.security.PublicAccessUser can be used, as it gives the implementation access to the credentials, including the plain-text password. Because the password is handled in plain text at that point, the custom implementation should forward it only over a protected channel and must not write it to logs.
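The following is an added example modelling the two paths described above, the digest-and-compare flow for locally stored passwords and the identity-only path where the plain-text credential is handed to an external authenticator. It is not Cúram code: the USERS and IDENTITY_ONLY_USERS tables, the DIGEST_ALGORITHM setting and the function names are assumptions standing in for the Users/ExternalUsers tables, the crypto settings and the login module. It also shows the caveat from the first paragraph, a row digested under a different algorithm fails to compare even when the password is right.

```python
"""Model of digest-based password verification with an identity-only bypass.

Added example, not Cúram code. Table contents, the crypto setting and the
function names below are constructed assumptions for illustration.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Assumed crypto setting: the one-way digest the login module applies.
DIGEST_ALGORITHM = "sha256"


def digest_password(password: str, algorithm: str = DIGEST_ALGORITHM) -> str:
    """Return the hex-encoded one-way digest of a submitted password.

    Only this value is stored or compared; the plain text is not
    recoverable from it.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


# Constructed stand-in for the Users table: username -> stored digest.
# Digests are generated here so the sample runs self-contained.
USERS: Dict[str, str] = {
    "caseworker": digest_password("Winter2024!"),
    # Row written under a different digest algorithm (for example before a
    # crypto-setting change). It can never match the current digest, so the
    # password must be re-digested under the current settings.
    "legacy": digest_password("Winter2024!", algorithm="sha1"),
}

# Constructed stand-in for identity-only users: no digest is held locally,
# so the login module must not attempt a local comparison for them.
IDENTITY_ONLY_USERS = {"ldapuser"}

# Signature of an assumed external authenticator (e.g. an LDAP bind) that
# receives the user-entered credentials in plain text.
ExternalAuth = Callable[[str, str], bool]


def verify_local_password(username: str, password: str) -> bool:
    """Digest the submitted password and compare it to the stored digest."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = digest_password(password)
    # Constant-time comparison: a mismatch must not reveal how many leading
    # characters of the digest were correct. Differing lengths (different
    # algorithm) compare as unequal.
    return hmac.compare_digest(stored, candidate)


def authenticate(username: str, password: str,
                 external: Optional[ExternalAuth] = None) -> bool:
    """Route the login to the local digest check or the external system."""
    if username in IDENTITY_ONLY_USERS:
        # Identity-only path: nothing is digested or compared locally; the
        # plain-text credential is forwarded to the external authenticator.
        if external is None:
            return False
        return external(username, password)
    return verify_local_password(username, password)


def _constructed_directory(username: str, password: str) -> bool:
    """Constructed external authenticator standing in for an LDAP bind."""
    return username == "ldapuser" and password == "ldap-secret"


if __name__ == "__main__":
    print("caseworker, correct:", authenticate("caseworker", "Winter2024!"))
    print("caseworker, wrong:  ", authenticate("caseworker", "guess"))
    print("legacy, correct:    ", authenticate("legacy", "Winter2024!"))
    print("ldapuser, external: ",
          authenticate("ldapuser", "ldap-secret", _constructed_directory))
    print("ldapuser, no ext:   ", authenticate("ldapuser", "ldap-secret"))
```

The "legacy" row is the point of the caveat: its digest was produced with a different algorithm, so the comparison fails for the correct password until the stored value is regenerated under the current settings. The identity-only branch never touches USERS, which mirrors the page's statement that externally managed users are not subject to the digest process.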