java.lang.Object
org.springframework.security.core.userdetails.User
All Implemented Interfaces:
Serializable, CredentialsContainer, UserDetails

public class User extends Object implements UserDetails, CredentialsContainer
Models core user information retrieved by a UserDetailsService.

Developers may use this class directly, subclass it, or write their own UserDetails implementation from scratch.

The equals and hashCode implementations are based on the username property only, because the intention is that lookups of the same user principal object (in a user registry, for example) will match whenever the objects represent the same user, not only when all the properties (authorities or password, for example) are the same.

Note that this implementation is not immutable. It implements the CredentialsContainer interface, in order to allow the password to be erased after authentication. This may cause side-effects if you are storing instances in-memory and reusing them. If so, make sure you return a copy from your UserDetailsService each time it is invoked.
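As an added example (not code from the Spring Security project or this Javadoc), the following in-memory UserDetailsService shows both points made above: it returns a copy via User.withUserDetails(...) so that eraseCredentials() on the authenticated principal cannot wipe the password held in the registry, and it shows that equality is decided by username alone. The class name, the registry map, the username "alice" and the "{noop}" sample password are constructed for the example.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical registry used only to illustrate the copy-on-load pattern.
public class CopyingUserRegistry implements UserDetailsService {

    // Constructed sample registry: username -> stored UserDetails (already-encoded password).
    private final Map<String, UserDetails> users = new ConcurrentHashMap<>();

    public void register(String username, String encodedPassword, String... roles) {
        users.put(username, User.withUsername(username)
                .password(encodedPassword)
                .roles(roles)
                .build());
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails stored = users.get(username);
        if (stored == null) {
            throw new UsernameNotFoundException("No user: " + username);
        }
        // Return a fresh User each time: the caller may erase its credentials after
        // authentication, and that must not affect the instance kept in the registry.
        return User.withUserDetails(stored).build();
    }

    public static void main(String[] args) {
        CopyingUserRegistry registry = new CopyingUserRegistry();
        // "{noop}" is the DelegatingPasswordEncoder id for an unencoded password; sample only.
        registry.register("alice", "{noop}example-password", "USER");

        // First load, then the credential erasure a provider performs after authentication.
        User first = (User) registry.loadUserByUsername("alice");
        first.eraseCredentials();
        System.out.println("after erase: " + first.getPassword());    // null

        // Because loadUserByUsername returned a copy, the registry entry still has its password.
        UserDetails second = registry.loadUserByUsername("alice");
        System.out.println("second load: " + second.getPassword());  // {noop}example-password

        // equals/hashCode use the username only: different authorities, still "equal".
        User sameName = new User("alice", "{noop}other",
                List.of(new SimpleGrantedAuthority("ROLE_ADMIN")));
        System.out.println("same principal: " + first.equals(sameName)); // true
    }
}
```

If loadUserByUsername returned the stored instance directly, the second load would print null and every later authentication for that user would fail, which is the side-effect the class description warns about.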

  • Constructor Details

    • User

      public User(String username, String password, Collection<? extends GrantedAuthority> authorities)
      Calls the more complex constructor with all boolean arguments set to true.
    • User

      public User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)
      Construct the User with the details required by DaoAuthenticationProvider.
      Parameters:
      username - the username presented to the DaoAuthenticationProvider
      password - the password that should be presented to the DaoAuthenticationProvider
      enabled - set to true if the user is enabled
      accountNonExpired - set to true if the account has not expired
      credentialsNonExpired - set to true if the credentials have not expired
      accountNonLocked - set to true if the account is not locked
      authorities - the authorities that should be granted to the caller if they presented the correct username and password and the user is enabled. Not null.
      Throws:
      IllegalArgumentException - if a null value was passed either as a parameter or as an element in the GrantedAuthority collection
  • Method Details

    • getAuthorities

      public Collection<GrantedAuthority> getAuthorities()
      Description copied from interface: UserDetails
      Returns the authorities granted to the user. Cannot return null.
      Specified by:
      getAuthorities in interface UserDetails
      Returns:
      the authorities, sorted by natural key (never null)
    • getPassword

      public String getPassword()
      Description copied from interface: UserDetails
      Returns the password used to authenticate the user.
      Specified by:
      getPassword in interface UserDetails
      Returns:
      the password
    • getUsername

      public String getUsername()
      Description copied from interface: UserDetails
      Returns the username used to authenticate the user. Cannot return null.
      Specified by:
      getUsername in interface UserDetails
      Returns:
      the username (never null)
    • isEnabled

      public boolean isEnabled()
      Description copied from interface: UserDetails
      Indicates whether the user is enabled or disabled. A disabled user cannot be authenticated.
      Specified by:
      isEnabled in interface UserDetails
      Returns:
      true if the user is enabled, false otherwise
    • isAccountNonExpired

      public boolean isAccountNonExpired()
      Description copied from interface: UserDetails
      Indicates whether the user's account has expired. An expired account cannot be authenticated.
      Specified by:
      isAccountNonExpired in interface UserDetails
      Returns:
      true if the user's account is valid (i.e. non-expired), false if no longer valid (i.e. expired)
    • isAccountNonLocked

      public boolean isAccountNonLocked()
      Description copied from interface: UserDetails
      Indicates whether the user is locked or unlocked. A locked user cannot be authenticated.
      Specified by:
      isAccountNonLocked in interface UserDetails
      Returns:
      true if the user is not locked, false otherwise
    • isCredentialsNonExpired

      public boolean isCredentialsNonExpired()
      Description copied from interface: UserDetails
      Indicates whether the user's credentials (password) have expired. Expired credentials prevent authentication.
      Specified by:
      isCredentialsNonExpired in interface UserDetails
      Returns:
      true if the user's credentials are valid (i.e. non-expired), false if no longer valid (i.e. expired)
    • eraseCredentials

      public void eraseCredentials()
      Specified by:
      eraseCredentials in interface CredentialsContainer
    • equals

      public boolean equals(Object obj)
      Returns true if the supplied object is a User instance with the same username value.

      In other words, the objects are equal if they have the same username, representing the same principal.

      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Returns the hashcode of the username.
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • withUsername

      public static User.UserBuilder withUsername(String username)
      Creates a UserBuilder with the specified username.
      Parameters:
      username - the username to use
      Returns:
      the UserBuilder
    • builder

      public static User.UserBuilder builder()
      Creates a UserBuilder.
      Returns:
      the UserBuilder
    • withDefaultPasswordEncoder

      @Deprecated public static User.UserBuilder withDefaultPasswordEncoder()
      Deprecated.
      Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

      WARNING: This method is considered unsafe for production and is only intended for sample applications.

      Creates a user and automatically encodes the provided password using PasswordEncoderFactories.createDelegatingPasswordEncoder(). For example:

       UserDetails user = User.withDefaultPasswordEncoder()
           .username("user")
           .password("password")
           .roles("USER")
           .build();
       // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
       System.out.println(user.getPassword());
      This is not safe for production (it is intended for getting started experience) because the password "password" is compiled into the source code and then is included in memory at the time of creation. This means there are still ways to recover the plain text password making it unsafe. It does provide a slight improvement to using plain text passwords since the UserDetails password is securely hashed. This means if the UserDetails password is accidentally exposed, the password is securely stored. In a production setting, it is recommended to hash the password ahead of time. For example:
       PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
       // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
       // remember the password that is printed out and use in the next step
       System.out.println(encoder.encode("password"));

       UserDetails user = User.withUsername("user")
           .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
           .roles("USER")
           .build();
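The production pattern described above, carried one step further as an added example (not code from the Spring Security project or this Javadoc): the password is encoded once and only the encoded string reaches the UserDetails, and verification goes through PasswordEncoder.matches() against that stored value rather than any string comparison. The class name, helper method names and the sample password "example-password" are constructed for the example.

```java
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical helper class illustrating encode-ahead-of-time plus matches().
public class PreEncodedPasswordCheck {

    // Step 1 (run once, outside the application): produce the value to store.
    static String encodeForStorage(PasswordEncoder encoder, CharSequence rawPassword) {
        return encoder.encode(rawPassword);
    }

    // Step 2 (inside the application): the UserDetails carries only the encoded value,
    // and the presented password is checked with matches(), which re-hashes it with
    // the salt embedded in the stored string.
    static boolean verify(PasswordEncoder encoder, UserDetails user, CharSequence presented) {
        return encoder.matches(presented, user.getPassword());
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Constructed sample password; in practice this step happens ahead of time.
        String stored = encodeForStorage(encoder, "example-password");
        System.out.println(stored.startsWith("{bcrypt}"));  // true: the id prefix selects the encoder

        // bcrypt is salted: encoding the same input twice gives different strings.
        String storedAgain = encodeForStorage(encoder, "example-password");
        System.out.println(stored.equals(storedAgain));      // false

        // Only the encoded form is handed to the builder; the raw password is never stored.
        UserDetails user = User.withUsername("user")
                .password(stored)
                .roles("USER")
                .build();

        System.out.println(verify(encoder, user, "example-password")); // true
        System.out.println(verify(encoder, user, "wrong-password"));   // false
        System.out.println(encoder.matches("example-password", storedAgain)); // true
    }
}
```

Because the DelegatingPasswordEncoder reads the {id} prefix from the stored value, a registry that later migrates to a different algorithm can hold entries with mixed prefixes and still verify each one correctly.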
      Returns:
      a UserBuilder that automatically encodes the password with the default PasswordEncoder
    • withUserDetails

      public static User.UserBuilder withUserDetails(UserDetails userDetails)