This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.2!

DaoAuthenticationProvider

DaoAuthenticationProvider is an AuthenticationProvider implementation that leverages a UserDetailsService and PasswordEncoder to authenticate a username and password.

Let’s take a look at how DaoAuthenticationProvider works within Spring Security. The figure explains details of how the AuthenticationManager in figures from Reading the Username & Password works.

daoauthenticationprovider
Figure 1. DaoAuthenticationProvider Usage

number 1 The authentication Filter from Reading the Username & Password passes a UsernamePasswordAuthenticationToken to the AuthenticationManager which is implemented by ProviderManager.

number 2 The ProviderManager is configured to use an AuthenticationProvider of type DaoAuthenticationProvider.

number 3 DaoAuthenticationProvider looks up the UserDetails from the UserDetailsService.

number 4 DaoAuthenticationProvider then uses the PasswordEncoder to validate the password on the UserDetails returned in the previous step.

number 5 When authentication is successful, the Authentication that is returned is of type UsernamePasswordAuthenticationToken and has a principal that is the UserDetails returned by the configured UserDetailsService. Ultimately, the returned UsernamePasswordAuthenticationToken will be set on the SecurityContextHolder by the authentication Filter.