I'm learning Spring Security and I have a few quick questions with respect to UserDetailsService:

1- When is loadUserByUsername actually called or invoked? After authentication? Only once per login?

2- After login, will Spring put the actual logged-in user into the HttpSession?

3- Which is the recommended way to populate the collection of GrantedAuthority of UserDetails? Does UsernamePasswordAuthenticationFilter populate it after a successful login?
AuthenticationProvider instance in order to authenticate a user. For example, when a username and password is submitted, a UserDetailsService is called to find the password for that user to see if it is correct. It will also typically provide some other information about the user, such as the authorities and any custom fields you may want to access for a logged-in user (email, for instance). That is the main usage pattern. You can grep the code to see exactly where it is called.

As explained in the manual:

There is often some confusion about UserDetailsService. It is purely a DAO for user data and performs no other function other than to supply that data to other components within the framework. In particular, it does not authenticate the user, which is done by the AuthenticationManager. In many cases it makes more sense to implement AuthenticationProvider directly if you require a custom authentication process.

Yes. A SecurityContext instance is stored in the session once the user has been authenticated.

If you need to implement a custom UserDetailsService then it will depend on your requirements and how they are stored. Typically you would load them at the same time as the other user information. It's not something you would likely do in a filter. As explained in the above quotation from the manual, if you are actually implementing a different authentication mechanism then you should implement AuthenticationProvider directly. It isn't compulsory to have a UserDetailsService in your app. You can think of it as a strategy that is used by certain built-in features.
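As an added example (not code from the question or the answer above), here is the shape a custom UserDetailsService usually takes when it follows the advice given: it is a pure lookup that returns the stored password hash and the authorities in the same call, and it never compares passwords itself. It assumes Spring Security 5.x or later (User.withUsername, the delegating PasswordEncoder); the class names DemoUserDetailsService and AccountRecord and the in-memory store are made up for illustration.

```java
// Added example, not from the question or answer: a minimal custom
// UserDetailsService backed by a constructed in-memory account store.
// It only supplies user data; the password check is done by the
// DaoAuthenticationProvider that calls loadUserByUsername().
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class DemoUserDetailsService implements UserDetailsService {

    /** Constructed sample record standing in for a row in a real user table. */
    static final class AccountRecord {
        final String username;
        final String encodedPassword;   // stored hash, never the plaintext
        final List<String> authorities; // e.g. "ROLE_USER", "orders:read"
        final boolean enabled;
        final boolean locked;

        AccountRecord(String username, String encodedPassword,
                      List<String> authorities, boolean enabled, boolean locked) {
            this.username = username;
            this.encodedPassword = encodedPassword;
            this.authorities = authorities;
            this.enabled = enabled;
            this.locked = locked;
        }
    }

    private final Map<String, AccountRecord> store; // hypothetical backing store

    DemoUserDetailsService(Map<String, AccountRecord> store) {
        this.store = store;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AccountRecord rec = store.get(username);
        if (rec == null) {
            // DaoAuthenticationProvider turns this into a generic BadCredentials
            // failure by default (hideUserNotFoundExceptions=true), so the
            // response does not reveal which usernames exist.
            throw new UsernameNotFoundException("No account for " + username);
        }
        // Authorities are loaded together with the rest of the user data in
        // this single lookup, not later in a filter.
        List<GrantedAuthority> granted = rec.authorities.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return User.withUsername(rec.username)
                .password(rec.encodedPassword) // hash; compared by the provider
                .authorities(granted)
                .disabled(!rec.enabled)
                .accountLocked(rec.locked)
                .build();
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Constructed sample store; passwords are encoded once, at "registration".
        Map<String, AccountRecord> store = Map.of(
                "alice", new AccountRecord("alice", encoder.encode("correct horse"),
                        List.of("ROLE_USER", "orders:read"), true, false),
                "bob", new AccountRecord("bob", encoder.encode("battery staple"),
                        List.of("ROLE_USER"), true, true));

        DemoUserDetailsService service = new DemoUserDetailsService(store);

        UserDetails alice = service.loadUserByUsername("alice");
        System.out.println(alice.getUsername() + " -> " + alice.getAuthorities()
                + " locked=" + !alice.isAccountNonLocked());

        try {
            service.loadUserByUsername("mallory");
        } catch (UsernameNotFoundException e) {
            System.out.println("lookup failed: " + e.getMessage());
        }
    }
}
```

Note that the class never receives the submitted password: DaoAuthenticationProvider calls loadUserByUsername() once per authentication attempt, compares the submitted password against the returned hash with the configured PasswordEncoder, and only then builds the Authentication that ends up in the SecurityContext saved to the HttpSession. Keeping the lookup free of any authentication logic is what lets you swap the store (JDBC, LDAP, an external service) without touching the authentication flow.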