Class User

  • All Implemented Interfaces:
    java.io.Serializable, CredentialsContainer, UserDetails

    public class User
    extends java.lang.Object
    implements UserDetails, CredentialsContainer
    Models core user information retrieved by a UserDetailsService.

    Developers may use this class directly, subclass it, or write their own UserDetails implementation from scratch.

    The equals and hashCode implementations are based on the username property only, as the intention is that lookups of the same user principal object (in a user registry, for example) will match where the objects represent the same user, not only when all the properties (authorities and password, for example) are the same.

    Note that this implementation is not immutable. It implements the CredentialsContainer interface, in order to allow the password to be erased after authentication. This may cause side-effects if you are storing instances in-memory and reusing them. If so, make sure you return a copy from your UserDetailsService each time it is invoked.
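The copy advice above, shown as an added example that is not part of the Spring Security Javadoc: a hypothetical in-memory UserDetailsService keeps pre-encoded User templates (the bcrypt hash of "password" from the withDefaultPasswordEncoder example below is reused as the stored value) and rebuilds a fresh User through the seven-argument constructor on every lookup, so the eraseCredentials() call that CredentialsContainer exists for cannot null out the registry's copy.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical registry (example code) that hands out a fresh User on every lookup. */
public class CopyingUserDetailsService implements UserDetailsService {

    // Hash of "password" as printed by the page's withDefaultPasswordEncoder example,
    // encoded ahead of time as the Javadoc recommends for production.
    private static final String STORED_HASH =
            "{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG";

    private final Map<String, User> registry = new HashMap<>();

    public CopyingUserDetailsService() {
        registry.put("alice", new User("alice", STORED_HASH,
                true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_USER")));
        // accountNonLocked = false: DaoAuthenticationProvider rejects this principal.
        registry.put("mallory", new User("mallory", STORED_HASH,
                true, true, true, false, AuthorityUtils.createAuthorityList("ROLE_USER")));
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        User stored = registry.get(username);
        if (stored == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        // The stored instance never leaves this class; callers get a copy built with
        // the full constructor, so erasing the copy's password leaves the registry intact.
        return new User(stored.getUsername(), stored.getPassword(), stored.isEnabled(),
                stored.isAccountNonExpired(), stored.isCredentialsNonExpired(),
                stored.isAccountNonLocked(), stored.getAuthorities());
    }

    public static void main(String[] args) {
        CopyingUserDetailsService service = new CopyingUserDetailsService();
        UserDetails first = service.loadUserByUsername("alice");
        // ProviderManager does this on the principal after a successful authentication.
        ((CredentialsContainer) first).eraseCredentials();
        UserDetails second = service.loadUserByUsername("alice");
        // Equality is by username only, so the erased copy still equals the fresh one,
        // and the fresh one still carries the password needed for the next login.
        System.out.println("same principal: " + first.equals(second));
        System.out.println("password still available: " + (second.getPassword() != null));
    }
}
```

Had loadUserByUsername returned the registry's own instance, the second login would have found a null password and failed, which is the side-effect the note above describes.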

    See Also:
    Serialized Form
    • Constructor Detail

      • User

        public User​(java.lang.String username,
                    java.lang.String password,
                    java.util.Collection<? extends GrantedAuthority> authorities)
        Calls the more complex constructor with all boolean arguments set to true.
      • User

        public User​(java.lang.String username,
                    java.lang.String password,
                    boolean enabled,
                    boolean accountNonExpired,
                    boolean credentialsNonExpired,
                    boolean accountNonLocked,
                    java.util.Collection<? extends GrantedAuthority> authorities)
        Construct the User with the details required by DaoAuthenticationProvider.
        Parameters:
        username - the username presented to the DaoAuthenticationProvider
        password - the password that should be presented to the DaoAuthenticationProvider
        enabled - set to true if the user is enabled
        accountNonExpired - set to true if the account has not expired
        credentialsNonExpired - set to true if the credentials have not expired
        accountNonLocked - set to true if the account is not locked
        authorities - the authorities that should be granted to the caller if they presented the correct username and password and the user is enabled. Not null.
        Throws:
        java.lang.IllegalArgumentException - if a null value was passed either as a parameter or as an element in the GrantedAuthority collection
    • Method Detail

      • getAuthorities

        public java.util.Collection<GrantedAuthority> getAuthorities()
        Description copied from interface: UserDetails
        Returns the authorities granted to the user. Cannot return null.
        Specified by:
        getAuthorities in interface UserDetails
        Returns:
        the authorities, sorted by natural key (never null)
      • getPassword

        public java.lang.String getPassword()
        Description copied from interface: UserDetails
        Returns the password used to authenticate the user.
        Specified by:
        getPassword in interface UserDetails
        Returns:
        the password
      • getUsername

        public java.lang.String getUsername()
        Description copied from interface: UserDetails
        Returns the username used to authenticate the user. Cannot return null.
        Specified by:
        getUsername in interface UserDetails
        Returns:
        the username (never null)
      • isEnabled

        public boolean isEnabled()
        Description copied from interface: UserDetails
        Indicates whether the user is enabled or disabled. A disabled user cannot be authenticated.
        Specified by:
        isEnabled in interface UserDetails
        Returns:
        true if the user is enabled, false otherwise
      • isAccountNonExpired

        public boolean isAccountNonExpired()
        Description copied from interface: UserDetails
        Indicates whether the user's account has expired. An expired account cannot be authenticated.
        Specified by:
        isAccountNonExpired in interface UserDetails
        Returns:
        true if the user's account is valid (i.e. non-expired), false if no longer valid (i.e. expired)
      • isAccountNonLocked

        public boolean isAccountNonLocked()
        Description copied from interface: UserDetails
        Indicates whether the user is locked or unlocked. A locked user cannot be authenticated.
        Specified by:
        isAccountNonLocked in interface UserDetails
        Returns:
        true if the user is not locked, false otherwise
      • isCredentialsNonExpired

        public boolean isCredentialsNonExpired()
        Description copied from interface: UserDetails
        Indicates whether the user's credentials (password) have expired. Expired credentials prevent authentication.
        Specified by:
        isCredentialsNonExpired in interface UserDetails
        Returns:
        true if the user's credentials are valid (i.e. non-expired), false if no longer valid (i.e. expired)
      • equals

        public boolean equals​(java.lang.Object obj)
        Returns true if the supplied object is a User instance with the same username value.

        In other words, the objects are equal if they have the same username, representing the same principal.

        Overrides:
        equals in class java.lang.Object
      • hashCode

        public int hashCode()
        Returns the hashcode of the username.
        Overrides:
        hashCode in class java.lang.Object
      • toString

        public java.lang.String toString()
        Overrides:
        toString in class java.lang.Object
      • withUsername

        public static User.UserBuilder withUsername​(java.lang.String username)
        Creates a UserBuilder with the specified username.
        Parameters:
        username - the username to use
        Returns:
        the UserBuilder
      • builder

        public static User.UserBuilder builder()
        Creates a UserBuilder.
        Returns:
        the UserBuilder
      • withDefaultPasswordEncoder

        @Deprecated
        public static User.UserBuilder withDefaultPasswordEncoder()
        Deprecated.
        Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

        WARNING: This method is considered unsafe for production and is only intended for sample applications.

        Creates a user and automatically encodes the provided password using PasswordEncoderFactories.createDelegatingPasswordEncoder(). For example:

         UserDetails user = User.withDefaultPasswordEncoder()
             .username("user")
             .password("password")
             .roles("USER")
             .build();
         // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
         System.out.println(user.getPassword());

        This is not safe for production (it is intended for the getting-started experience) because the password "password" is compiled into the source code and is then held in memory at the time of creation, so there are still ways to recover the plain-text password. It does provide a slight improvement over plain-text passwords, since the UserDetails password is securely hashed: if the UserDetails password is accidentally exposed, the stored form is still a hash. In a production setting, it is recommended to hash the password ahead of time. For example:
         PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
         // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
         // remember the password that is printed out and use it in the next step
         System.out.println(encoder.encode("password"));

         UserDetails user = User.withUsername("user")
             .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
             .roles("USER")
             .build();

        Returns:
        a UserBuilder that automatically encodes the password with the default PasswordEncoder