
Spring Security With Spring Boot 2.0: UserDetailsService


Perhaps the most important part of using Spring Security to secure your Spring application is actually checking a user's credentials.


As we have seen in a previous post, the username and password for our Spring application were configured through environment variables. This is OK for prototype purposes, but in real-life scenarios, we have to provide another way to make users eligible to log into the application.

To do so, we use the UserDetailsService interface.

The user details service comes with the loadUserByUsername function, which locates the user based on the username. If a user is found, the credentials given through the login form are then validated against the user information retrieved through the UserDetailsService.

So let's start with a very simple custom user details service.

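import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        // Constant-first comparison avoids a NullPointerException on a null username.
        if ("test".equals(username)) {

            // Demo only: withDefaultPasswordEncoder() is deprecated and not meant for
            // production, since the password sits in the source in clear text.
            return User.withDefaultPasswordEncoder()
                       .username("test")
                       .password("test")
                       .roles("test")
                       .build();
        }

        // The UserDetailsService contract forbids returning null for an unknown user.
        throw new UsernameNotFoundException("User not found");
    }
}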


As you can see, the only user who is able to log in is the one with the username test. Also, Spring provides us with a builder when it comes to user details. As a password encoder, we have specified the default password encoder, which is actually an encoder that does no password hashing at all since we provide the password clear-text.

Although password encoders will be covered in another tutorial, remember that you should always hash the passwords stored in a database, for security reasons.

Now, do you need to add any extra information? Well, no. Just having a bean that implements the UserDetailsService in your Spring context is enough. Spring Security will pick up the UserDetailsService implementation you provided, and it will be used to authenticate.

For example, you can even provide the UserDetailsService by using the @Bean Configuration.

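import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
public class SecurityConfig {

    // When registering the service this way, drop @Service from
    // UserDetailsServiceImpl so that only one UserDetailsService bean exists.
    @Bean
    public UserDetailsService createUserDetailsService() {
        return new UserDetailsServiceImpl();
    }

}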


This way, regardless of where you store your user information — whether it is in a SQL database, a NoSQL database, or even a CSV file — the only thing that you have to do in your loadUserByUsername is load the user and pass them back by creating a UserDetails object.
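For the SQL case, a UserDetailsService could look like the following. This is an added example, not code from the original article: the class name JdbcUserDetailsService, the app_users table and its columns are hypothetical, and it assumes a JdbcTemplate bean is available (for instance through spring-boot-starter-jdbc). It would replace UserDetailsServiceImpl rather than sit beside it.

```java
import java.util.List;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Added example. Assumed (hypothetical) schema:
//   app_users(username VARCHAR PRIMARY KEY, password_hash VARCHAR,
//             role VARCHAR, enabled BOOLEAN)
// password_hash holds an already-hashed value in Spring Security's
// "{id}hash" format (for example "{bcrypt}..."), never the clear-text password.
@Service
public class JdbcUserDetailsService implements UserDetailsService {

    private static final String FIND_USER =
        "SELECT username, password_hash, role, enabled FROM app_users WHERE username = ?";

    private final JdbcTemplate jdbc;

    public JdbcUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The username is bound as a query parameter, never concatenated into the SQL.
        List<UserDetails> matches = jdbc.query(FIND_USER,
            (rs, rowNum) -> User.withUsername(rs.getString("username"))
                .password(rs.getString("password_hash")) // stored hash, passed through untouched
                .roles(rs.getString("role"))             // roles() adds the ROLE_ prefix
                .disabled(!rs.getBoolean("enabled"))
                .build(),
            username);

        if (matches.isEmpty()) {
            // The contract forbids returning null; an unknown user is signalled
            // with the exception, without echoing the submitted username.
            throw new UsernameNotFoundException("User not found");
        }
        return matches.get(0);
    }
}
```

The service never compares passwords itself: it only returns the stored hash, and Spring Security checks the submitted password against it with the configured PasswordEncoder.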


Topics:
security, spring security, authentication, spring boot 2.0, userdetailsservice, tutorial

Published at DZone with permission of
