[[nsa-authentication]] = Authentication Services Before Spring Security 3.0, an `AuthenticationManager` was automatically registered internally. Now you must register one explicitly using the `` element. This creates an instance of Spring Security's `ProviderManager` class, which needs to be configured with a list of one or more `AuthenticationProvider` instances. These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the `authentication-provider` element. [[nsa-authentication-manager]] == Every Spring Security application which uses the namespace must have include this element somewhere. It is responsible for registering the `AuthenticationManager` which provides authentication services to the application. All elements which create `AuthenticationProvider` instances should be children of this element. [[nsa-authentication-manager-attributes]] === Attributes [[nsa-authentication-manager-alias]] * **alias** This attribute allows you to define an alias name for the internal instance for use in your own configuration. [[nsa-authentication-manager-erase-credentials]] * **erase-credentials** If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. Literally it maps to the `eraseCredentialsAfterAuthentication` property of the xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`]. [[nsa-authentication-manager-id]] * **id** This attribute allows you to define an id for the internal instance for use in your own configuration. It is the same as the alias element, but provides a more consistent experience with elements that use the id attribute. [[nsa-authentication-manager-children]] === Child Elements of * <> * xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-authentication-provider[ldap-authentication-provider] [[nsa-authentication-provider]] == Unless used with a `ref` attribute, this element is shorthand for configuring a `DaoAuthenticationProvider`. `DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login. The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context). [[nsa-authentication-provider-parents]] === Parent Elements of * <> [[nsa-authentication-provider-attributes]] === Attributes [[nsa-authentication-provider-ref]] * **ref** Defines a reference to a Spring bean that implements `AuthenticationProvider`. If you have written your own `AuthenticationProvider` implementation (or want to configure one of Spring Security's own implementations as a traditional bean for some reason, then you can use the following syntax to add it to the internal list of `ProviderManager`: [source,xml] ----

---- [[nsa-authentication-provider-user-service-ref]] * **user-service-ref** A reference to a bean that implements UserDetailsService that may be created using the standard bean element or the custom user-service element. [[nsa-authentication-provider-children]] === Child Elements of * <> * xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-user-service[ldap-user-service] * <> * <> [[nsa-jdbc-user-service]] == Causes creation of a JDBC-based UserDetailsService. [[nsa-jdbc-user-service-attributes]] === Attributes [[nsa-jdbc-user-service-authorities-by-username-query]] * **authorities-by-username-query** An SQL statement to query for a user's granted authorities given a username. The default is [source] ---- select username, authority from authorities where username = ? ---- [[nsa-jdbc-user-service-cache-ref]] * **cache-ref** Defines a reference to a cache for use with a UserDetailsService. [[nsa-jdbc-user-service-data-source-ref]] * **data-source-ref** The bean ID of the DataSource which provides the required tables. [[nsa-jdbc-user-service-group-authorities-by-username-query]] * **group-authorities-by-username-query** An SQL statement to query user's group authorities given a username. The default is + [source] ---- select g.id, g.group_name, ga.authority from groups g, group_members gm, group_authorities ga where gm.username = ? and g.id = ga.group_id and g.id = gm.group_id ---- [[nsa-jdbc-user-service-id]] * **id** A bean identifier, used for referring to the bean elsewhere in the context. [[nsa-jdbc-user-service-role-prefix]] * **role-prefix** A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE_"). Use the value "none" for no prefix in cases where the default is non-empty. [[nsa-jdbc-user-service-users-by-username-query]] * **users-by-username-query** An SQL statement to query a username, password, and enabled status given a username. The default is + [source] ---- select username, password, enabled from users where username = ? ---- [[nsa-password-encoder]] == Authentication providers can optionally be configured to use a password encoder as described in the xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage]. This will result in the bean being injected with the appropriate `PasswordEncoder` instance. [[nsa-password-encoder-parents]] === Parent Elements of * <> * xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-compare[password-compare] [[nsa-password-encoder-attributes]] === Attributes [[nsa-password-encoder-hash]] * **hash** Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm. [[nsa-password-encoder-ref]] * **ref** Defines a reference to a Spring bean that implements `PasswordEncoder`. [[nsa-user-service]] == Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements. Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required. [[nsa-user-service-attributes]] === Attributes [[nsa-user-service-id]] * **id** A bean identifier, used for referring to the bean elsewhere in the context. [[nsa-user-service-properties]] * **properties** The location of a Properties file where each line is in the format of + [source] ---- username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] ---- [[nsa-user-service-children]] === Child Elements of * <> [[nsa-user]] == Represents a user in the application. [[nsa-user-parents]] === Parent Elements of * <> [[nsa-user-attributes]] === Attributes [[nsa-user-authorities]] * **authorities** One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" [[nsa-user-disabled]] * **disabled** Can be set to "true" to mark an account as disabled and unusable. [[nsa-user-locked]] * **locked** Can be set to "true" to mark an account as locked and unusable. [[nsa-user-name]] * **name** The username assigned to the user. [[nsa-user-password]] * **password** The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element). This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities. If omitted, the namespace will generate a random value, preventing its accidental use for authentication. Cannot be empty.