Package org.springframework.security.authentication

Class UsernamePasswordAuthenticationToken

java.lang.Object
org.springframework.security.authentication.AbstractAuthenticationToken
org.springframework.security.authentication.UsernamePasswordAuthenticationToken
All Implemented Interfaces:
Serializable, Principal, Authentication, CredentialsContainer
Direct Known Subclasses:
JaasAuthenticationToken, KerberosUsernamePasswordAuthenticationToken
public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken
An Authentication implementation that is designed for simple presentation of a username and password.

The principal and credentials should be set with an Object that provides the respective property via its Object.toString() method. The simplest such Object to use is String.

See Also:

  • Constructor Details

    • UsernamePasswordAuthenticationToken

      public UsernamePasswordAuthenticationToken(@Nullable Object principal, @Nullable Object credentials)
      This constructor can be safely used by any code that wishes to create a UsernamePasswordAuthenticationToken, as the AbstractAuthenticationToken.isAuthenticated() will return false.

    • UsernamePasswordAuthenticationToken

      public UsernamePasswordAuthenticationToken(Object principal, @Nullable Object credentials, Collection<? extends GrantedAuthority> authorities)
      This constructor should only be used by AuthenticationManager or AuthenticationProvider implementations that are satisfied with producing a trusted (i.e. AbstractAuthenticationToken.isAuthenticated() = true) authentication token.
      Parameters:
      principal -
      credentials -
      authorities -

    • UsernamePasswordAuthenticationToken

      protected UsernamePasswordAuthenticationToken(UsernamePasswordAuthenticationToken.Builder<?> builder)

  • Method Details

    • unauthenticated

      public static UsernamePasswordAuthenticationToken unauthenticated(@Nullable Object principal, @Nullable Object credentials)
      This factory method can be safely used by any code that wishes to create a unauthenticated UsernamePasswordAuthenticationToken.
      Parameters:
      principal -
      credentials -
      Returns:
      UsernamePasswordAuthenticationToken with false isAuthenticated() result
      Since:
      5.7

    • authenticated

      public static UsernamePasswordAuthenticationToken authenticated(Object principal, @Nullable Object credentials, Collection<? extends GrantedAuthority> authorities)
      This factory method can be safely used by any code that wishes to create a authenticated UsernamePasswordAuthenticationToken.
      Parameters:
      principal -
      credentials -
      Returns:
      UsernamePasswordAuthenticationToken with true isAuthenticated() result
      Since:
      5.7

    • getCredentials

      public @Nullable Object getCredentials()
      Description copied from interface: Authentication
      The credentials that prove the principal is correct. This is usually a password, but could be anything relevant to the AuthenticationManager. Callers are expected to populate the credentials.
      Returns:
      the credentials that prove the identity of the Principal

    • getPrincipal

      public @Nullable Object getPrincipal()
      Description copied from interface: Authentication
      The identity of the principal being authenticated. In the case of an authentication request with username and password, this would be the username. Callers are expected to populate the principal for an authentication request.

      The AuthenticationManager implementation will often return an Authentication containing richer information as the principal for use by the application. Many of the authentication providers will create a UserDetails object as the principal.

      Returns:
      the Principal being authenticated or the authenticated principal after authentication.

    • setAuthenticated

      public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException
      Description copied from interface: Authentication
      See Authentication.isAuthenticated() for a full description.

      Implementations should always allow this method to be called with a false parameter, as this is used by various classes to specify the authentication token should not be trusted. If an implementation wishes to reject an invocation with a true parameter (which would indicate the authentication token is trusted - a potential security risk) the implementation should throw an IllegalArgumentException.

      Specified by:
      setAuthenticated in interface Authentication
      Overrides:
      setAuthenticated in class AbstractAuthenticationToken
      Parameters:
      isAuthenticated - true if the token should be trusted (which may result in an exception) or false if the token should not be trusted
      Throws:
      IllegalArgumentException - if an attempt to make the authentication token trusted (by passing true as the argument) is rejected due to the implementation being immutable or implementing its own alternative approach to Authentication.isAuthenticated()

    • eraseCredentials

      public void eraseCredentials()
      Description copied from class: AbstractAuthenticationToken
      Checks the credentials, principal and details objects, invoking the eraseCredentials method on any which implement CredentialsContainer.
      Specified by:
      eraseCredentials in interface CredentialsContainer
      Overrides:
      eraseCredentials in class AbstractAuthenticationToken

    • toBuilder

      public UsernamePasswordAuthenticationToken.Builder<?> toBuilder()
      Description copied from interface: Authentication
      Return an Authentication.Builder based on this instance. By default, returns a builder that builds a SimpleAuthentication.

      Although a default method, all Authentication implementations should implement this. The reason is to ensure that the Authentication type is preserved when Authentication.Builder.build() is invoked. This is especially important in the event that your authentication implementation contains custom fields.

      This isn't strictly necessary since it is recommended that applications code to the Authentication interface and that custom information is often contained in the Authentication.getPrincipal() value.

      Returns:
      an Authentication.Builder for building a new Authentication based on this instance