Interface Authentication
- All Superinterfaces:
Principal, Serializable
- All Known Implementing Classes:
AbstractAuthenticationToken, AbstractOAuth2TokenAuthenticationToken, AnonymousAuthenticationToken, BearerTokenAuthentication, BearerTokenAuthenticationToken, BearerTokenAuthenticationToken, CasAssertionAuthenticationToken, CasAuthenticationToken, CasServiceTicketAuthenticationToken, JaasAuthenticationToken, JwtAuthenticationToken, OAuth2AuthenticationToken, OAuth2AuthorizationCodeAuthenticationToken, OAuth2LoginAuthenticationToken, OneTimeTokenAuthenticationToken, PreAuthenticatedAuthenticationToken, RememberMeAuthenticationToken, RunAsUserToken, Saml2Authentication, Saml2AuthenticationToken, TestingAuthenticationToken, UsernamePasswordAuthenticationToken, WebAuthnAuthentication, WebAuthnAuthenticationRequestToken
AuthenticationManager.authenticate(Authentication)
method.
Once the request has been authenticated, the Authentication will usually be stored in a thread-local SecurityContext managed by the SecurityContextHolder by the authentication mechanism which is being used. An explicit authentication can be achieved, without using one of Spring Security's authentication mechanisms, by creating an Authentication instance and using the code:

    SecurityContext context = SecurityContextHolder.createEmptyContext();
    context.setAuthentication(anAuthentication);
    SecurityContextHolder.setContext(context);

Note that unless the Authentication has the authenticated property set to true, it will still be authenticated by any security interceptor (for method or web invocations) which encounters it.

In most cases, the framework transparently takes care of managing the security context and authentication objects for you.
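The explicit-authentication snippet above carried through end to end, as an added example that is not code from the Spring Security Javadoc or the project itself. The class name ExplicitAuthenticationExample and the principal, credential and role values are assumptions; UsernamePasswordAuthenticationToken.authenticated(...), UsernamePasswordAuthenticationToken.unauthenticated(...), AuthorityUtils.createAuthorityList(...) and the SecurityContextHolder methods are real Spring Security APIs. It shows the difference between a token whose authenticated property is true and one whose property is false, and why the thread-local context must be cleared when the unit of work ends.

```java
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class added for illustration; not part of Spring Security.
public class ExplicitAuthenticationExample {

    /** Stores the given Authentication in a fresh thread-local SecurityContext, exactly as the Javadoc prescribes. */
    static void establish(Authentication authentication) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);
    }

    /** Reads back whatever identity the current thread is running as (null when none is set). */
    static Authentication current() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    public static void main(String[] args) {
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");

        // 1. A token built with the "authenticated" factory reports isAuthenticated() == true.
        //    Security interceptors will trust it as-is, so only code that has genuinely verified
        //    the identity (an AuthenticationManager, or an equivalent trusted path) should build one.
        Authentication trusted = UsernamePasswordAuthenticationToken.authenticated(
                "alice", null, authorities);          // credentials erased: not needed once trusted
        establish(trusted);
        System.out.println(current().getName() + " authenticated=" + current().isAuthenticated()
                + " authorities=" + current().getAuthorities());

        // 2. A token built with the "unauthenticated" factory is an authentication *request*:
        //    authenticated=false and an empty authority list. Placing it in the context grants
        //    nothing; an interceptor that meets it will hand it to the AuthenticationManager first.
        Authentication request = UsernamePasswordAuthenticationToken.unauthenticated(
                "alice", "constructed-password");     // constructed sample credential
        establish(request);
        System.out.println(current().getName() + " authenticated=" + current().isAuthenticated()
                + " authorities=" + current().getAuthorities());

        // 3. The context is thread-local: clear it when the unit of work ends so the identity
        //    cannot leak to the next task scheduled on a pooled thread.
        SecurityContextHolder.clearContext();
        System.out.println("after clearContext: " + current());
    }
}
```

The two println lines make the contract visible: the first token prints authenticated=true with [ROLE_USER], the second prints authenticated=false with an empty list, and after clearContext() the context holds no Authentication at all.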
-
Method Summary
Modifier and Type | Method | Description
Collection<? extends GrantedAuthority> | getAuthorities() | Set by an AuthenticationManager to indicate the authorities that the principal has been granted.
Object | getCredentials() | The credentials that prove the principal is correct.
Object | getDetails() | Stores additional details about the authentication request.
Object | getPrincipal() | The identity of the principal being authenticated.
boolean | isAuthenticated() | Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to the AuthenticationManager.
void | setAuthenticated(boolean isAuthenticated) | See isAuthenticated() for a full description.
-
Method Details
-
getAuthorities
Collection<? extends GrantedAuthority> getAuthorities()
Set by an AuthenticationManager to indicate the authorities that the principal has been granted. Note that classes should not rely on this value as being valid unless it has been set by a trusted AuthenticationManager. Implementations should ensure that modifications to the returned collection do not affect the state of the Authentication object, or use an unmodifiable instance.
- Returns:
- the authorities granted to the principal, or an empty collection if the token has not been authenticated. Never null.
-
getCredentials
Object getCredentials()
The credentials that prove the principal is correct. This is usually a password, but could be anything relevant to the AuthenticationManager. Callers are expected to populate the credentials.
- Returns:
- the credentials that prove the identity of the Principal
-
getDetails
Object getDetails()
Stores additional details about the authentication request. These might be an IP address, certificate serial number etc.
- Returns:
- additional details about the authentication request, or null if not used
-
getPrincipal
Object getPrincipal()
The identity of the principal being authenticated. In the case of an authentication request with username and password, this would be the username. Callers are expected to populate the principal for an authentication request.
The AuthenticationManager implementation will often return an Authentication containing richer information as the principal for use by the application. Many of the authentication providers will create a UserDetails object as the principal.
- Returns:
- the Principal being authenticated or the authenticated principal after authentication.
-
isAuthenticated
boolean isAuthenticated()
Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to the AuthenticationManager. Typically an AuthenticationManager (or, more often, one of its AuthenticationProviders) will return an immutable authentication token after successful authentication, in which case that token can safely return true to this method. Returning true will improve performance, as calling the AuthenticationManager for every request will no longer be necessary.
For security reasons, implementations of this interface should be very careful about returning true from this method unless they are either immutable, or have some way of ensuring the properties have not been changed since original creation.
- Returns:
- true if the token has been authenticated and the AbstractSecurityInterceptor does not need to present the token to the AuthenticationManager again for re-authentication.
-
setAuthenticated
void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException
See isAuthenticated() for a full description. Implementations should always allow this method to be called with a false parameter, as this is used by various classes to specify the authentication token should not be trusted. If an implementation wishes to reject an invocation with a true parameter (which would indicate the authentication token is trusted - a potential security risk) the implementation should throw an IllegalArgumentException.
- Parameters:
- isAuthenticated - true if the token should be trusted (which may result in an exception) or false if the token should not be trusted
- Throws:
- IllegalArgumentException - if an attempt to make the authentication token trusted (by passing true as the argument) is rejected due to the implementation being immutable or implementing its own alternative approach to isAuthenticated()
-
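An Authentication that follows the contract spelled out above for getAuthorities(), isAuthenticated() and setAuthenticated(boolean), as an added example; it is not a class from Spring Security, and the class name ImmutableAuthentication, the principal and the details value are assumptions. It hands out an unmodifiable defensive copy of the authorities, reports true from isAuthenticated() only while the token is trusted, lets any caller downgrade trust with setAuthenticated(false), and rejects setAuthenticated(true) with the IllegalArgumentException the contract calls for.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical class added for illustration; not part of Spring Security.
public final class ImmutableAuthentication implements Authentication {

    private final String principal;
    private final List<GrantedAuthority> authorities; // unmodifiable copy, never exposed for mutation
    private final Object details;
    private volatile boolean authenticated = true;     // may go true -> false, never back

    ImmutableAuthentication(String principal, Collection<? extends GrantedAuthority> authorities, Object details) {
        this.principal = principal;
        this.authorities = List.copyOf(authorities);   // defensive copy: later edits to the caller's list are ignored
        this.details = details;
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public Object getCredentials() { return null; }   // erased: a trusted token never needs them again
    @Override public Object getDetails() { return details; }
    @Override public Object getPrincipal() { return principal; }
    @Override public String getName() { return principal; }     // inherited from java.security.Principal
    @Override public boolean isAuthenticated() { return authenticated; }

    @Override
    public void setAuthenticated(boolean isAuthenticated) {
        if (isAuthenticated) {
            // Trust is conferred only by whoever constructed this token (normally the
            // AuthenticationManager); no later caller may re-grant it, so reject as the Javadoc prescribes.
            throw new IllegalArgumentException(
                    "Cannot set this token to trusted; it is immutable once created");
        }
        authenticated = false;   // always honour a request to distrust the token
    }

    public static void main(String[] args) {
        List<GrantedAuthority> granted = new ArrayList<>();
        granted.add(new SimpleGrantedAuthority("ROLE_USER"));
        Authentication auth = new ImmutableAuthentication("alice", granted, "203.0.113.10" /* constructed client IP */);

        // Mutating the caller's list after construction does not alter the token ...
        granted.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        System.out.println("authorities=" + auth.getAuthorities());   // still [ROLE_USER]

        // ... and the returned collection rejects modification outright.
        try {
            auth.getAuthorities().clear();
        } catch (UnsupportedOperationException e) {
            System.out.println("getAuthorities() is unmodifiable");
        }

        // Downgrading trust is always permitted; re-granting it is not.
        System.out.println("trusted before=" + auth.isAuthenticated());
        auth.setAuthenticated(false);
        System.out.println("trusted after setAuthenticated(false)=" + auth.isAuthenticated());
        try {
            auth.setAuthenticated(true);
        } catch (IllegalArgumentException e) {
            System.out.println("setAuthenticated(true) rejected: " + e.getMessage());
        }
    }
}
```

The design point is the one the Javadoc makes: a token may answer true from isAuthenticated() only if nothing can change its principal or authorities after the AuthenticationManager produced it, because every security interceptor that sees such a token will skip re-authentication and act on those values directly.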