Class AbstractUserDetailsAuthenticationProvider
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.MessageSourceAware
,AuthenticationProvider
- Direct Known Subclasses:
DaoAuthenticationProvider
AuthenticationProvider
that allows subclasses to override and work with
UserDetails
objects. The class is
designed to respond to UsernamePasswordAuthenticationToken
authentication
requests.
Upon successful validation, a UsernamePasswordAuthenticationToken
will be
created and returned to the caller. The token will include as its principal either a
String
representation of the username, or the UserDetails
that was
returned from the authentication repository. Using String
is appropriate
if a container adapter is being used, as it expects String
representations
of the username. Using UserDetails
is appropriate if you require access to
additional properties of the authenticated user, such as email addresses,
human-friendly names etc. As container adapters are not recommended to be used, and
UserDetails
implementations provide additional flexibility, by default a
UserDetails
is returned. To override this default, set the
setForcePrincipalAsString(boolean)
to true
.
Caching is handled by storing the UserDetails
object being placed in the
UserCache
. This ensures that subsequent requests with the same username can be
validated without needing to query the UserDetailsService
. It should be noted
that if a user appears to present an incorrect password, the UserDetailsService
will be queried to confirm the most up-to-date password was used for comparison.
Caching is only likely to be required for stateless applications. In a normal web
application, for example, the SecurityContext is stored in the user's session
and the user isn't reauthenticated on each request. The default cache implementation is
therefore NullUserCache
.
-
Field Summary
Modifier and TypeFieldDescriptionprotected boolean
protected final org.apache.commons.logging.Log
protected org.springframework.context.support.MessageSourceAccessor
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected abstract void
additionalAuthenticationChecks
(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) Allows subclasses to perform any additional checks of a returned (or cached)UserDetails
for a given authentication request.final void
authenticate
(Authentication authentication) Performs authentication with the same contract asAuthenticationManager.authenticate(Authentication)
.protected Authentication
createSuccessAuthentication
(Object principal, Authentication authentication, UserDetails user) Creates a successfulAuthentication
object.protected void
protected UserDetailsChecker
protected UserDetailsChecker
boolean
boolean
protected abstract UserDetails
retrieveUser
(String username, UsernamePasswordAuthenticationToken authentication) Allows subclasses to actually retrieve theUserDetails
from an implementation-specific location, with the option of throwing anAuthenticationException
immediately if the presented credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in order to obtain or generate aUserDetails
).void
setAuthoritiesMapper
(GrantedAuthoritiesMapper authoritiesMapper) void
setForcePrincipalAsString
(boolean forcePrincipalAsString) void
setHideUserNotFoundExceptions
(boolean hideUserNotFoundExceptions) By default theAbstractUserDetailsAuthenticationProvider
throws aBadCredentialsException
if a username is not found or the password is incorrect.void
setMessageSource
(org.springframework.context.MessageSource messageSource) void
setPostAuthenticationChecks
(UserDetailsChecker postAuthenticationChecks) void
setPreAuthenticationChecks
(UserDetailsChecker preAuthenticationChecks) Sets the policy will be used to verify the status of the loaded UserDetails before validation of the credentials takes place.void
setUserCache
(UserCache userCache) boolean
Returnstrue
if thisAuthenticationProvider
supports the indicatedAuthentication
object.
-
Field Details
-
logger
protected final org.apache.commons.logging.Log logger -
messages
protected org.springframework.context.support.MessageSourceAccessor messages -
hideUserNotFoundExceptions
protected boolean hideUserNotFoundExceptions
-
-
Constructor Details
-
AbstractUserDetailsAuthenticationProvider
public AbstractUserDetailsAuthenticationProvider()
-
-
Method Details
-
additionalAuthenticationChecks
protected abstract void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException Allows subclasses to perform any additional checks of a returned (or cached)UserDetails
for a given authentication request. Generally a subclass will at least compare theAuthentication.getCredentials()
with aUserDetails.getPassword()
. If custom logic is needed to compare additional properties ofUserDetails
and/orUsernamePasswordAuthenticationToken
, these should also appear in this method.- Parameters:
userDetails
- as retrieved from theretrieveUser(String, UsernamePasswordAuthenticationToken)
orUserCache
authentication
- the current request that needs to be authenticated- Throws:
AuthenticationException
- AuthenticationException if the credentials could not be validated (generally aBadCredentialsException
, anAuthenticationServiceException
)
-
afterPropertiesSet
- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
- Throws:
Exception
-
authenticate
Description copied from interface:AuthenticationProvider
Performs authentication with the same contract asAuthenticationManager.authenticate(Authentication)
.- Specified by:
authenticate
in interfaceAuthenticationProvider
- Parameters:
authentication
- the authentication request object.- Returns:
- a fully authenticated object including credentials. May return
null
if theAuthenticationProvider
is unable to support authentication of the passedAuthentication
object. In such a case, the nextAuthenticationProvider
that supports the presentedAuthentication
class will be tried. - Throws:
AuthenticationException
- if authentication fails.
-
createSuccessAuthentication
protected Authentication createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user) Creates a successfulAuthentication
object.Protected so subclasses can override.
Subclasses will usually store the original credentials the user supplied (not salted or encoded passwords) in the returned
Authentication
object.- Parameters:
principal
- that should be the principal in the returned object (defined by theisForcePrincipalAsString()
method)authentication
- that was presented to the provider for validationuser
- that was loaded by the implementation- Returns:
- the successful authentication token
-
doAfterPropertiesSet
- Throws:
Exception
-
getUserCache
-
isForcePrincipalAsString
public boolean isForcePrincipalAsString() -
isHideUserNotFoundExceptions
public boolean isHideUserNotFoundExceptions() -
retrieveUser
protected abstract UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException Allows subclasses to actually retrieve theUserDetails
from an implementation-specific location, with the option of throwing anAuthenticationException
immediately if the presented credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in order to obtain or generate aUserDetails
).Subclasses are not required to perform any caching, as the
AbstractUserDetailsAuthenticationProvider
will by default cache theUserDetails
. The caching ofUserDetails
does present additional complexity as this means subsequent requests that rely on the cache will need to still have their credentials validated, even if the correctness of credentials was assured by subclasses adopting a binding-based strategy in this method. Accordingly it is important that subclasses either disable caching (if they want to ensure that this method is the only method that is capable of authenticating a request, as noUserDetails
will ever be cached) or ensure subclasses implementadditionalAuthenticationChecks(UserDetails, UsernamePasswordAuthenticationToken)
to compare the credentials of a cachedUserDetails
with subsequent authentication requests.Most of the time subclasses will not perform credentials inspection in this method, instead performing it in
additionalAuthenticationChecks(UserDetails, UsernamePasswordAuthenticationToken)
so that code related to credentials validation need not be duplicated across two methods.- Parameters:
username
- The username to retrieveauthentication
- The authentication request, which subclasses may need to perform a binding-based retrieval of theUserDetails
- Returns:
- the user information (never
null
- instead an exception should the thrown) - Throws:
AuthenticationException
- if the credentials could not be validated (generally aBadCredentialsException
, anAuthenticationServiceException
orUsernameNotFoundException
)
-
setForcePrincipalAsString
public void setForcePrincipalAsString(boolean forcePrincipalAsString) -
setHideUserNotFoundExceptions
public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions) By default theAbstractUserDetailsAuthenticationProvider
throws aBadCredentialsException
if a username is not found or the password is incorrect. Setting this property tofalse
will causeUsernameNotFoundException
s to be thrown instead for the former. Note this is considered less secure than throwingBadCredentialsException
for both exceptions.- Parameters:
hideUserNotFoundExceptions
- set tofalse
if you wishUsernameNotFoundException
s to be thrown instead of the non-specificBadCredentialsException
(defaults totrue
)
-
setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource) - Specified by:
setMessageSource
in interfaceorg.springframework.context.MessageSourceAware
-
setUserCache
-
supports
Description copied from interface:AuthenticationProvider
Returnstrue
if thisAuthenticationProvider
supports the indicatedAuthentication
object.Returning
true
does not guarantee anAuthenticationProvider
will be able to authenticate the presented instance of theAuthentication
class. It simply indicates it can support closer evaluation of it. AnAuthenticationProvider
can still returnnull
from theAuthenticationProvider.authenticate(Authentication)
method to indicate anotherAuthenticationProvider
should be tried.Selection of an
AuthenticationProvider
capable of performing authentication is conducted at runtime theProviderManager
.- Specified by:
supports
in interfaceAuthenticationProvider
- Returns:
true
if the implementation can more closely evaluate theAuthentication
class presented
-
getPreAuthenticationChecks
-
setPreAuthenticationChecks
Sets the policy will be used to verify the status of the loaded UserDetails before validation of the credentials takes place.- Parameters:
preAuthenticationChecks
- strategy to be invoked prior to authentication.
-
getPostAuthenticationChecks
-
setPostAuthenticationChecks
-
setAuthoritiesMapper
-