public class User extends java.lang.Object implements UserDetails, CredentialsContainer
UserDetailsService
.
Developers may use this class directly, subclass it, or write their own UserDetails implementation from scratch.

equals and hashcode implementations are based on the username property only, as the intention is that lookups of the same user principal object (in a user registry, for example) will match where the objects represent the same user, not just when all the properties (authorities, password for example) are the same.

Note that this implementation is not immutable. It implements the CredentialsContainer interface, in order to allow the password to be erased after authentication. This may cause side-effects if you are storing instances in-memory and reusing them. If so, make sure you return a copy from your UserDetailsService each time it is invoked.
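
The copy-per-call advice and the username-only equality described above, as an added example that is not part of the Spring Security documentation. CopyingUserDetailsService, the user "alice" and the placeholder password hash are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical in-memory registry for illustration; not a Spring Security class.
public class CopyingUserDetailsService implements UserDetailsService {

    private final Map<String, UserDetails> registry = new ConcurrentHashMap<>();

    public void register(UserDetails user) {
        // Keep a private copy so the caller's instance is never shared with the registry.
        registry.put(user.getUsername(), User.withUserDetails(user).build());
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails stored = registry.get(username);
        if (stored == null) {
            throw new UsernameNotFoundException("unknown user");
        }
        // New instance on every call: erasing its password cannot touch the stored entry.
        return User.withUserDetails(stored).build();
    }

    public static void main(String[] args) {
        CopyingUserDetailsService service = new CopyingUserDetailsService();
        // Constructed sample user; the password is a placeholder for a hash made ahead of time.
        service.register(User.withUsername("alice")
                .password("{bcrypt}<hash-generated-ahead-of-time>")
                .roles("USER")
                .build());

        UserDetails first = service.loadUserByUsername("alice");
        ((User) first).eraseCredentials(); // the erase that follows authentication
        UserDetails second = service.loadUserByUsername("alice");

        System.out.println("erased copy keeps password:  " + (first.getPassword() != null));
        System.out.println("later lookup has password:   " + (second.getPassword() != null));
        // Username-only equality: the erased and the intact instance still compare equal.
        System.out.println("equal despite the difference: " + first.equals(second));
    }
}
```

Because equality ignores the password and authorities, equals() cannot be used to detect that a cached principal has been erased or has had its authorities changed.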

Modifier and Type | Class and Description |
---|---|
static class | User.UserBuilder: Builds the user to be added. |

Constructor and Description |
---|
User(java.lang.String username, java.lang.String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, java.util.Collection<? extends GrantedAuthority> authorities): Construct the User with the details required by DaoAuthenticationProvider. |
User(java.lang.String username, java.lang.String password, java.util.Collection<? extends GrantedAuthority> authorities): Calls the more complex constructor with all boolean arguments set to true. |

Modifier and Type | Method and Description |
---|---|
static User.UserBuilder | builder(): Creates a UserBuilder |
boolean | equals(java.lang.Object obj): Returns true if the supplied object is a User instance with the same username value. |
void | eraseCredentials() |
java.util.Collection<GrantedAuthority> | getAuthorities(): Returns the authorities granted to the user. |
java.lang.String | getPassword(): Returns the password used to authenticate the user. |
java.lang.String | getUsername(): Returns the username used to authenticate the user. |
int | hashCode(): Returns the hashcode of the username. |
boolean | isAccountNonExpired(): Indicates whether the user's account has expired. |
boolean | isAccountNonLocked(): Indicates whether the user is locked or unlocked. |
boolean | isCredentialsNonExpired(): Indicates whether the user's credentials (password) have expired. |
boolean | isEnabled(): Indicates whether the user is enabled or disabled. |
java.lang.String | toString() |
static User.UserBuilder | withDefaultPasswordEncoder(): Deprecated. Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes. |
static User.UserBuilder | withUserDetails(UserDetails userDetails) |
static User.UserBuilder | withUsername(java.lang.String username): Creates a UserBuilder with a specified user name |

public User(java.lang.String username, java.lang.String password, java.util.Collection<? extends GrantedAuthority> authorities)
Calls the more complex constructor with all boolean arguments set to true.

public User(java.lang.String username, java.lang.String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, java.util.Collection<? extends GrantedAuthority> authorities)
Construct the User with the details required by DaoAuthenticationProvider.
username - the username presented to the DaoAuthenticationProvider
password - the password that should be presented to the DaoAuthenticationProvider
enabled - set to true if the user is enabled
accountNonExpired - set to true if the account has not expired
credentialsNonExpired - set to true if the credentials have not expired
accountNonLocked - set to true if the account is not locked
authorities - the authorities that should be granted to the caller if they presented the correct username and password and the user is enabled. Not null.
java.lang.IllegalArgumentException - if a null value was passed either as a parameter or as an element in the GrantedAuthority collection

public java.util.Collection<GrantedAuthority> getAuthorities()
UserDetails
null.
getAuthorities in interface UserDetails
null)

public java.lang.String getPassword()
UserDetails
getPassword in interface UserDetails

public java.lang.String getUsername()
UserDetails
null.
getUsername in interface UserDetails
null)

public boolean isEnabled()
UserDetails
isEnabled in interface UserDetails
true if the user is enabled, false otherwise

public boolean isAccountNonExpired()
UserDetails
isAccountNonExpired in interface UserDetails
true if the user's account is valid (i.e. non-expired), false if no longer valid (i.e. expired)

public boolean isAccountNonLocked()
UserDetails
isAccountNonLocked in interface UserDetails
true if the user is not locked, false otherwise

public boolean isCredentialsNonExpired()
UserDetails
isCredentialsNonExpired in interface UserDetails
true if the user's credentials are valid (i.e. non-expired), false if no longer valid (i.e. expired)

public void eraseCredentials()
eraseCredentials in interface CredentialsContainer

public boolean equals(java.lang.Object obj)
Returns true if the supplied object is a User instance with the same username value.
In other words, the objects are equal if they have the same username, representing the same principal.
equals in class java.lang.Object

public int hashCode()
Returns the hashcode of the username.
hashCode in class java.lang.Object

public java.lang.String toString()
toString in class java.lang.Object

public static User.UserBuilder withUsername(java.lang.String username)
username - the username to use

public static User.UserBuilder builder()

@Deprecated public static User.UserBuilder withDefaultPasswordEncoder()
WARNING: This method is considered unsafe for production and is only intended for sample applications.
Creates a user and automatically encodes the provided password using PasswordEncoderFactories.createDelegatingPasswordEncoder(). For example:
```java
UserDetails user = User.withDefaultPasswordEncoder()
    .username("user")
    .password("password")
    .roles("USER")
    .build();
// outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
System.out.println(user.getPassword());
```
This is not safe for production (it is intended for a getting-started experience) because the password "password" is compiled into the source code and is then held in memory at the time of creation. This means there are still ways to recover the plain text password, making it unsafe. It does provide a slight improvement over using plain text passwords, since the UserDetails password is securely hashed: if the UserDetails password is accidentally exposed, what is exposed is the securely hashed value.

In a production setting, it is recommended to hash the password ahead of time. For example:
```java
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
// outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
// remember the password that is printed out and use in the next step
System.out.println(encoder.encode("password"));

UserDetails user = User.withUsername("user")
    .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
    .roles("USER")
    .build();
```
public static User.UserBuilder withUserDetails(UserDetails userDetails)