2021-08-25 13:31:00 -05:00
[[servlet-authentication-unpwd]]
= Username/Password Authentication
2021-10-28 14:02:33 -05:00
:page-section-summary-toc: 1
2021-08-25 13:31:00 -05:00
:figures: images/servlet/authentication/unpwd
:icondir: images/icons
One of the most common ways to authenticate a user is by validating a username and password.
2021-12-13 16:57:36 -06:00
Spring Security provides comprehensive support for authenticating with a username and password.
2021-08-25 13:31:00 -05:00
2023-10-13 18:09:01 -05:00
You can configure username and password authentication using the following:
.Simple Username/Password Example
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.httpBasic(Customizer.withDefaults())
.formLogin(Customizer.withDefaults());
return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
UserDetails userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(userDetails);
}
}
----
XML::
+
[source,xml,role="secondary"]
----
<http>
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
<user-service>
<user name="user"
password="{noop}password"
authorities="ROLE_USER" />
</user-service>
</http>
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.security.config.annotation.web.invoke
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
2023-10-25 15:44:17 -05:00
authorize(anyRequest, authenticated)
2023-10-13 18:09:01 -05:00
}
formLogin { }
httpBasic { }
2023-10-25 15:44:17 -05:00
}
2023-10-13 18:09:01 -05:00
return http.build()
}
@Bean
fun userDetailsService(): UserDetailsService {
val user = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build()
return InMemoryUserDetailsManager(user)
}
}
----
=====
The preceding configuration automatically registers an xref:servlet/authentication/passwords/in-memory.adoc[in-memory `UserDetailsService`] with the `SecurityFilterChain`, registers the xref:servlet/authentication/passwords/dao-authentication-provider.adoc[`DaoAuthenticationProvider`] with the default xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`], and enables xref:servlet/authentication/passwords/form.adoc[Form Login] and xref:servlet/authentication/passwords/basic.adoc[HTTP Basic] authentication.
To learn more about username/password authentication, consider the following use cases:
* I want to xref:servlet/authentication/passwords/form.adoc[learn how Form Login works]
* I want to xref:servlet/authentication/passwords/basic.adoc[learn how HTTP Basic authentication works]
2023-10-25 15:44:17 -05:00
* I want to xref:servlet/authentication/passwords/dao-authentication-provider.adoc[learn how `DaoAuthenticationProvider` works]
2023-10-13 18:09:01 -05:00
* I want to xref:servlet/authentication/passwords/in-memory.adoc[manage users in memory]
* I want to xref:servlet/authentication/passwords/jdbc.adoc[manage users in a database]
* I want to xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap-authentication[manage users in LDAP]
2023-10-25 15:44:17 -05:00
* I want to <<publish-authentication-manager-bean,publish an `AuthenticationManager` bean>> for custom authentication
* I want to <<customize-global-authentication-manager,customize the global `AuthenticationManager`>>
2023-10-13 18:09:01 -05:00
[[publish-authentication-manager-bean]]
== Publish an `AuthenticationManager` bean
A fairly common requirement is publishing an `AuthenticationManager` bean to allow for custom authentication, such as in a `@Service` or Spring MVC `@Controller`.
For example, you may want to authenticate users via a REST API instead of using xref:servlet/authentication/passwords/form.adoc[Form Login].
You can publish such an `AuthenticationManager` for custom authentication scenarios using the following configuration:
.Publish `AuthenticationManager` bean for Custom Authentication
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/login").permitAll()
.anyRequest().authenticated()
);
return http.build();
}
@Bean
public AuthenticationManager authenticationManager(
UserDetailsService userDetailsService,
PasswordEncoder passwordEncoder) {
2024-10-23 18:06:48 -06:00
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider(userDetailsService);
2023-10-13 18:09:01 -05:00
authenticationProvider.setPasswordEncoder(passwordEncoder);
return new ProviderManager(authenticationProvider);
}
@Bean
public UserDetailsService userDetailsService() {
UserDetails userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(userDetails);
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
}
----
XML::
+
[source,xml,role="secondary"]
----
<http>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/**" access="authenticated"/>
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<constructor-arg>
<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
</constructor-arg>
</bean>
<user-service id="userDetailsService">
<user name="user"
password="{noop}password"
authorities="ROLE_USER" />
</user-service>
<bean id="passwordEncoder"
2023-10-25 15:44:17 -05:00
class="org.springframework.security.crypto.factory.PasswordEncoderFactories" factory-method="createDelegatingPasswordEncoder"/>
2023-10-13 18:09:01 -05:00
</http>
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
2023-10-25 15:44:17 -05:00
import org.springframework.security.config.annotation.web.invoke
2023-10-13 18:09:01 -05:00
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
2023-10-25 15:44:17 -05:00
authorize("/login", permitAll)
2023-10-13 18:09:01 -05:00
authorize(anyRequest, authenticated)
}
}
return http.build()
}
@Bean
fun authenticationManager(
userDetailsService: UserDetailsService,
passwordEncoder: PasswordEncoder): AuthenticationManager {
2024-10-23 18:06:48 -06:00
val authenticationProvider = DaoAuthenticationProvider(userDetailsService)
2023-10-13 18:09:01 -05:00
authenticationProvider.setPasswordEncoder(passwordEncoder)
return ProviderManager(authenticationProvider)
}
@Bean
fun userDetailsService(): UserDetailsService {
val user = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build()
return InMemoryUserDetailsManager(user)
}
@Bean
fun passwordEncoder(): PasswordEncoder {
return PasswordEncoderFactories.createDelegatingPasswordEncoder()
}
}
----
=====
With the preceding configuration in place, you can create a `@RestController` that uses the `AuthenticationManager` as follows:
.Create a `@RestController` for Authentication
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@RestController
public class LoginController {
private final AuthenticationManager authenticationManager;
public LoginController(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@PostMapping("/login")
public ResponseEntity<Void> login(@RequestBody LoginRequest loginRequest) {
Authentication authenticationRequest =
UsernamePasswordAuthenticationToken.unauthenticated(loginRequest.username(), loginRequest.password());
Authentication authenticationResponse =
this.authenticationManager.authenticate(authenticationRequest);
// ...
}
public record LoginRequest(String username, String password) {
}
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@RestController
class LoginController(val authenticationManager: AuthenticationManager) {
@PostMapping("/login")
fun login(@RequestBody loginRequest: LoginRequest): ResponseEntity<Void> {
val authenticationRequest =
UsernamePasswordAuthenticationToken.unauthenticated(
loginRequest.username, loginRequest.password)
val authenticationResponse =
authenticationManager.authenticate(authenticationRequest)
// ...
}
data class LoginRequest(val username: String, val password: String)
}
----
=====
[NOTE]
====
In this example, it is your responsibility to save the authenticated user in the `SecurityContextRepository` if needed.
For example, if using the `HttpSession` to persist the `SecurityContext` between requests, you can use xref:servlet/authentication/persistence.adoc#httpsecuritycontextrepository[`HttpSessionSecurityContextRepository`].
====
[[customize-global-authentication-manager]]
== Customize the `AuthenticationManager`
Normally, Spring Security builds an `AuthenticationManager` internally composed of a `DaoAuthenticationProvider` for username/password authentication.
In certain cases, it may still be desired to customize the instance of `AuthenticationManager` used by Spring Security.
For example, you may need to simply disable xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager-erasing-credentials[credential erasure] for cached users.
2024-09-13 16:06:01 -05:00
To do this, you can take advantage of the fact that the `AuthenticationManagerBuilder` used to build Spring Security's global `AuthenticationManager` is published as a bean.
You can configure the builder as follows:
.Configure global `AuthenticationManagerBuilder`
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// ...
return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
// Return a UserDetailsService that caches users
// ...
}
@Autowired
public void configure(AuthenticationManagerBuilder builder) {
builder.eraseCredentials(false);
}
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.security.config.annotation.web.invoke
2023-10-13 18:09:01 -05:00
2024-09-13 16:06:01 -05:00
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
// ...
return http.build()
}
@Bean
fun userDetailsService(): UserDetailsService {
// Return a UserDetailsService that caches users
// ...
}
@Autowired
fun configure(builder: AuthenticationManagerBuilder) {
builder.eraseCredentials(false)
}
}
----
=====
Alternatively, you may configure a local `AuthenticationManager` to override the global one.
.Configure local `AuthenticationManager` for Spring Security
2023-10-13 18:09:01 -05:00
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.httpBasic(Customizer.withDefaults())
2024-09-13 16:06:01 -05:00
.formLogin(Customizer.withDefaults())
.authenticationManager(authenticationManager());
2023-10-13 18:09:01 -05:00
return http.build();
}
2024-09-13 16:06:01 -05:00
private AuthenticationManager authenticationManager() {
2023-10-13 18:09:01 -05:00
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
2024-09-13 16:06:01 -05:00
authenticationProvider.setUserDetailsService(userDetailsService());
authenticationProvider.setPasswordEncoder(passwordEncoder());
2023-10-13 18:09:01 -05:00
ProviderManager providerManager = new ProviderManager(authenticationProvider);
providerManager.setEraseCredentialsAfterAuthentication(false);
return providerManager;
}
2024-09-13 16:06:01 -05:00
private UserDetailsService userDetailsService() {
2023-10-13 18:09:01 -05:00
UserDetails userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(userDetails);
}
2024-09-13 16:06:01 -05:00
private PasswordEncoder passwordEncoder() {
2023-10-13 18:09:01 -05:00
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
}
----
XML::
+
[source,xml,role="secondary"]
----
2024-09-13 16:06:01 -05:00
<http authentication-manager-ref="authenticationManager">
2023-10-13 18:09:01 -05:00
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<constructor-arg>
<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
</constructor-arg>
</bean>
<user-service id="userDetailsService">
<user name="user"
password="{noop}password"
authorities="ROLE_USER" />
</user-service>
<bean id="passwordEncoder"
2023-10-25 15:44:17 -05:00
class="org.springframework.security.crypto.factory.PasswordEncoderFactories" factory-method="createDelegatingPasswordEncoder"/>
2023-10-13 18:09:01 -05:00
</http>
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
2023-10-25 15:44:17 -05:00
import org.springframework.security.config.annotation.web.invoke
2023-10-13 18:09:01 -05:00
@Configuration
@EnableWebSecurity
2023-10-25 15:44:17 -05:00
class SecurityConfig {
2023-10-13 18:09:01 -05:00
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
formLogin { }
httpBasic { }
2024-09-13 16:06:01 -05:00
authenticationManager = authenticationManager()
2023-10-13 18:09:01 -05:00
}
return http.build()
}
@Bean
2024-09-13 16:06:01 -05:00
fun authenticationManager(): AuthenticationManager {
2024-10-23 18:06:48 -06:00
val authenticationProvider = DaoAuthenticationProvider(userDetailsService())
2024-09-13 16:06:01 -05:00
authenticationProvider.setPasswordEncoder(passwordEncoder())
2023-10-13 18:09:01 -05:00
val providerManager = ProviderManager(authenticationProvider)
providerManager.eraseCredentialsAfterAuthentication = false
return providerManager
}
2024-09-13 16:06:01 -05:00
private fun userDetailsService(): UserDetailsService {
2023-10-13 18:09:01 -05:00
val user = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build()
return InMemoryUserDetailsManager(user)
}
2024-09-13 16:06:01 -05:00
private fun passwordEncoder(): PasswordEncoder {
2023-10-13 18:09:01 -05:00
return PasswordEncoderFactories.createDelegatingPasswordEncoder()
}
}
----
=====
