1
1
.
.
1
1
.
.
1
1
1
1
S
S
e
e
c
c
u
u
r
r
i
i
t
t
y
y
-
-
U
U
s
s
e
e
r
r
D
D
e
e
t
t
a
a
i
i
l
l
s
s
S
S
e
e
r
r
v
v
i
i
c
c
e
e
v
v
s
s
A
A
u
u
t
t
h
h
e
e
n
n
t
t
i
i
c
c
a
a
t
t
i
i
o
o
n
n
M
M
a
a
n
n
a
a
g
g
e
e
r
r
I
I
n
n
f
f
o
o
UserDetailsService uses enteredUsername to return UserDetails Object with storedPassword & authorities
AuthenticationManager uses enteredUsername & enteredPassword to return Authenticate Object if passwords match
UserDetails Object is DTO used to transfer Username, Password & Authorities from DB into Authenticate Object
Authenticate Object is used by Spring Security to control access to Endpoints using authorities and authenticated.
Authentication Process
U
U
s
s
e
e
r
r
D
D
e
e
t
t
a
a
i
i
l
l
s
s
S
S
e
e
r
r
v
v
i
i
c
c
e
e
UserDetailsService is used to get storedPassword for given enteredUsername
● UserDetailsService only gets enteredUsername as input parameter
● Then it looks for the User with that username in the Database
● If such storedUsername exists it gets related storedPassword
● Then it stores storedUsername, storedPassword and authorities in returned UserDetails Object
UserDetailsService doesn't know about enteredPassword and therefore it can't Authenticate the User.
Instead returned UserDetails Object will be used by AuthenticationManager to compare enteredPassword with the
storedPassword in returned UserDetails Object.
UserDetailsService
Authentication
Manager
Calling
Code
Controller
Service
Filter
Compare
enteredPassword
storedPassword
enteredUsername
DB
Authenticate
storedUsername
storedPassword
authorities
authenticated
UserDetails
storedUsername
storedPassword
authorities
Authenticate
enteredUsername
enteredPassword
A
A
u
u
t
t
h
h
e
e
n
n
t
t
i
i
c
c
a
a
t
t
i
i
o
o
n
n
M
M
a
a
n
n
a
a
g
g
e
e
r
r
AuthenticationManager is used to compare
● enteredPassword with the
● storedPassword in UserDetails Object (that was returned by UserDetailsService)
AuthenticationManager
● is called with Authentication Object as Input Parameter that contains enteredUsername and enteredPassword
● calls UserDetailsService with enteredUsername
● from UserDetailsService it gets UserDetails Object with storedPassword and authorities
● compares enteredPassword with storedPassword
● If passwords match User is considered Authenticated and AuthenticationManager returns Authentication Object with
○ storedUsername
○ storedPassword
○ authorities (also taken from UserDetails Object)
○ authenticated = true
Returned Authentication Object is accepted by the code that called AuthenticationManager. That calling code can now
● store Authentication Object into Context/Session
● return JWT token
U
U
s
s
e
e
r
r
D
D
e
e
t
t
a
a
i
i
l
l
s
s
v
v
s
s
A
A
u
u
t
t
h
h
e
e
n
n
t
t
i
i
c
c
a
a
t
t
e
e
At the end of the day UserDetails and Authenticate Objects might contain same data: Username, Password, Authorities.
But it is the Authenticate Object from which Spring Security will use Authorities to control access to Restricted Resources.
Since Authenticate Object also has Boolean authenticated which must be true for Spring to even look at Authorities.
UserDetails Object as DTO was just used as a temporary storage for Username, Password and Authorities as they make
their way from Database into Authenticate Object.
But UserDetails Object can also contain some additional User data that are not used for Authorization and will not be
transferred to Authenticate Object. In that case it makes sense to have them both inside Context.
