Package org.springframework.security.authentication.dao

Class DaoAuthenticationProvider

java.lang.Object

org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

org.springframework.security.authentication.dao.DaoAuthenticationProvider

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, AuthenticationProvider

public class DaoAuthenticationProvider
extends AbstractUserDetailsAuthenticationProvider

An AuthenticationProvider implementation that retrieves user details from a UserDetailsService.

Field Summary

Fields inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

hideUserNotFoundExceptions, logger, messages

Constructor Summary

Constructors

Constructor	Description
DaoAuthenticationProvider(UserDetailsService userDetailsService)

Method Summary

Modifier and Type	Method	Description
protected void	additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication)	Allows subclasses to perform any additional checks of a returned (or cached) UserDetails for a given authentication request.
protected Authentication	createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user)	Creates a successful Authentication object.
protected void	doAfterPropertiesSet()
protected PasswordEncoder	getPasswordEncoder()
protected UserDetailsService	getUserDetailsService()
protected final UserDetails	retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)	Allows subclasses to actually retrieve the UserDetails from an implementation-specific location, with the option of throwing an AuthenticationException immediately if the presented credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in order to obtain or generate a UserDetails).
void	setCompromisedPasswordChecker(CompromisedPasswordChecker compromisedPasswordChecker)	Sets the CompromisedPasswordChecker to be used before creating a successful authentication.
void	setPasswordEncoder(PasswordEncoder passwordEncoder)	Sets the PasswordEncoder instance to be used to encode and validate passwords.
void	setUserDetailsPasswordService(UserDetailsPasswordService userDetailsPasswordService)

Methods inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

afterPropertiesSet, authenticate, getPostAuthenticationChecks, getPreAuthenticationChecks, getUserCache, isForcePrincipalAsString, isHideUserNotFoundExceptions, setAuthoritiesMapper, setForcePrincipalAsString, setHideUserNotFoundExceptions, setMessageSource, setPostAuthenticationChecks, setPreAuthenticationChecks, setUserCache, supports

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

DaoAuthenticationProvider

public DaoAuthenticationProvider(UserDetailsService userDetailsService)

Method Details

additionalAuthenticationChecks

protected void additionalAuthenticationChecks(UserDetails userDetails,
 UsernamePasswordAuthenticationToken authentication)
                                       throws AuthenticationException

Description copied from class: AbstractUserDetailsAuthenticationProvider

Allows subclasses to perform any additional checks of a returned (or cached) UserDetails for a given authentication request. Generally a subclass will at least compare the Authentication.getCredentials() with a UserDetails.getPassword(). If custom logic is needed to compare additional properties of UserDetails and/or UsernamePasswordAuthenticationToken, these should also appear in this method.

Specified by:

additionalAuthenticationChecks in class AbstractUserDetailsAuthenticationProvider

Parameters:

userDetails - as retrieved from the AbstractUserDetailsAuthenticationProvider.retrieveUser(String, UsernamePasswordAuthenticationToken) or UserCache

authentication - the current request that needs to be authenticated

Throws:

AuthenticationException - AuthenticationException if the credentials could not be validated (generally a BadCredentialsException, an AuthenticationServiceException)

doAfterPropertiesSet

protected void doAfterPropertiesSet()

Overrides:

doAfterPropertiesSet in class AbstractUserDetailsAuthenticationProvider

retrieveUser

protected final UserDetails retrieveUser(String username,
 UsernamePasswordAuthenticationToken authentication)
                                  throws AuthenticationException

Description copied from class: AbstractUserDetailsAuthenticationProvider

Allows subclasses to actually retrieve the UserDetails from an implementation-specific location, with the option of throwing an AuthenticationException immediately if the presented credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in order to obtain or generate a UserDetails).

Subclasses are not required to perform any caching, as the AbstractUserDetailsAuthenticationProvider will by default cache the UserDetails. The caching of UserDetails does present additional complexity as this means subsequent requests that rely on the cache will need to still have their credentials validated, even if the correctness of credentials was assured by subclasses adopting a binding-based strategy in this method. Accordingly it is important that subclasses either disable caching (if they want to ensure that this method is the only method that is capable of authenticating a request, as no UserDetails will ever be cached) or ensure subclasses implement AbstractUserDetailsAuthenticationProvider.additionalAuthenticationChecks(UserDetails, UsernamePasswordAuthenticationToken) to compare the credentials of a cached UserDetails with subsequent authentication requests.

Most of the time subclasses will not perform credentials inspection in this method, instead performing it in AbstractUserDetailsAuthenticationProvider.additionalAuthenticationChecks(UserDetails, UsernamePasswordAuthenticationToken) so that code related to credentials validation need not be duplicated across two methods.

Specified by:

retrieveUser in class AbstractUserDetailsAuthenticationProvider

Parameters:

username - The username to retrieve

authentication - The authentication request, which subclasses may need to perform a binding-based retrieval of the UserDetails

Returns:

the user information (never null - instead an exception should the thrown)

Throws:

AuthenticationException - if the credentials could not be validated (generally a BadCredentialsException, an AuthenticationServiceException or UsernameNotFoundException)

createSuccessAuthentication

protected Authentication createSuccessAuthentication(Object principal,
 Authentication authentication,
 UserDetails user)

Description copied from class: AbstractUserDetailsAuthenticationProvider

Creates a successful Authentication object.

Protected so subclasses can override.

Subclasses will usually store the original credentials the user supplied (not salted or encoded passwords) in the returned Authentication object.

Overrides:

createSuccessAuthentication in class AbstractUserDetailsAuthenticationProvider

Parameters:

principal - that should be the principal in the returned object (defined by the AbstractUserDetailsAuthenticationProvider.isForcePrincipalAsString() method)

authentication - that was presented to the provider for validation

user - that was loaded by the implementation

Returns:

the successful authentication token

setPasswordEncoder

public void setPasswordEncoder(PasswordEncoder passwordEncoder)

Sets the PasswordEncoder instance to be used to encode and validate passwords. If not set, the password will be compared using PasswordEncoderFactories.createDelegatingPasswordEncoder()

Parameters:

passwordEncoder - must be an instance of one of the PasswordEncoder types.

getPasswordEncoder

protected PasswordEncoder getPasswordEncoder()

getUserDetailsService

protected UserDetailsService getUserDetailsService()

setUserDetailsPasswordService

public void setUserDetailsPasswordService(UserDetailsPasswordService userDetailsPasswordService)

setCompromisedPasswordChecker

public void setCompromisedPasswordChecker(CompromisedPasswordChecker compromisedPasswordChecker)

Sets the CompromisedPasswordChecker to be used before creating a successful authentication. Defaults to null.

Parameters:

compromisedPasswordChecker - the CompromisedPasswordChecker to use

Since:

6.3