public interface Authentication extends Principal, Serializable
AuthenticationManager.authenticate(Authentication)
method.
Once the request has been authenticated, the Authentication will usually be
stored in a thread-local SecurityContext managed by the
SecurityContextHolder
by the authentication mechanism which is being used. An
explicit authentication can be achieved, without using one of Spring Security's
authentication mechanisms, by creating an Authentication instance and using
the code:
SecurityContextHolder.getContext().setAuthentication(anAuthentication);Note that unless the Authentication has the authenticated property set to true, it will still be authenticated by any security interceptor (for method or web invocations) which encounters it.
In most cases, the framework transparently takes care of managing the security context and authentication objects for you.
Modifier and Type | Method and Description |
---|---|
Collection<? extends GrantedAuthority> |
getAuthorities()
Set by an
AuthenticationManager to indicate the authorities that the
principal has been granted. |
Object |
getCredentials()
The credentials that prove the principal is correct.
|
Object |
getDetails()
Stores additional details about the authentication request.
|
Object |
getPrincipal()
The identity of the principal being authenticated.
|
boolean |
isAuthenticated()
Used to indicate to
AbstractSecurityInterceptor whether it should present
the authentication token to the AuthenticationManager . |
void |
setAuthenticated(boolean isAuthenticated)
See
isAuthenticated() for a full description. |
Collection<? extends GrantedAuthority> getAuthorities()
AuthenticationManager
to indicate the authorities that the
principal has been granted. Note that classes should not rely on this value as
being valid unless it has been set by a trusted AuthenticationManager
.
Implementations should ensure that modifications to the returned collection array do not affect the state of the Authentication object, or use an unmodifiable instance.
Object getCredentials()
AuthenticationManager
. Callers
are expected to populate the credentials.Principal
Object getDetails()
null
if not usedObject getPrincipal()
The AuthenticationManager implementation will often return an
Authentication containing richer information as the principal for use by
the application. Many of the authentication providers will create a
UserDetails
object as the principal.
Principal
being authenticated or the authenticated
principal after authentication.boolean isAuthenticated()
AbstractSecurityInterceptor
whether it should present
the authentication token to the AuthenticationManager
. Typically an
AuthenticationManager
(or, more often, one of its
AuthenticationProvider
s) will return an immutable authentication token
after successful authentication, in which case that token can safely return
true
to this method. Returning true
will improve
performance, as calling the AuthenticationManager
for every request
will no longer be necessary.
For security reasons, implementations of this interface should be very careful
about returning true
from this method unless they are either
immutable, or have some way of ensuring the properties have not been changed since
original creation.
AbstractSecurityInterceptor
does not need to present the token to the
AuthenticationManager
again for re-authentication.void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException
isAuthenticated()
for a full description.
Implementations should always allow this method to be called with a
false
parameter, as this is used by various classes to specify the
authentication token should not be trusted. If an implementation wishes to reject
an invocation with a true
parameter (which would indicate the
authentication token is trusted - a potential security risk) the implementation
should throw an IllegalArgumentException
.
isAuthenticated
- true
if the token should be trusted (which may
result in an exception) or false
if the token should not be trustedIllegalArgumentException
- if an attempt to make the authentication token
trusted (by passing true
as the argument) is rejected due to the
implementation being immutable or implementing its own alternative approach to
isAuthenticated()