I have a custom UserDetailsService as follows:
@Service
public class AuthenticatedUserService implements UserDetailsService {
private final UserRepository userRepository;
@Autowired
public AuthenticatedUserService(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) {
UserCredentials userCredentials = userRepository.findByUsername(username);
if (userCredentials == null) {
throw new UsernameNotFoundException("The user " + username + " does not exist");
}
return new AuthenticatedPrincipal(userCredentials);
}
}
My AuthenticatedPrincipal looks like this:
public class AuthenticatedPrincipal implements UserDetails {
private UserCredentials userCredentials;
public AuthenticatedPrincipal() {
}
public AuthenticatedPrincipal(UserCredentials userCredentials) {
this.userCredentials = userCredentials;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<GrantedAuthority> authorities = new ArrayList<>();
...
return authorities;
}
@Override
public String getPassword() {
return userCredentials.getPassword();
}
@Override
public String getUsername() {
return userCredentials.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
I'm using my service this way:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Qualifier("authenticatedUserService")
@Autowired
private UserDetailsService userDetailsService;
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth.ldapAuthentication()
auth.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder);
}
...
}
And everything works. I can login just fine. BUT I never get my custom principal. In every place a just get a plain string containing the user name. For example, I want to implement a custom SecurityExpressionRoot.
public class CustomMethodSecurityExpressionRoot
extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
public CustomMethodSecurityExpressionRoot(Authentication authentication) {
super(authentication);
}
public boolean isMember(Long OrganizationId) {
// Throws an exception, because principal is just a string
AuthenticatedPrincipal user = (AuthenticatedPrincipal) this.getPrincipal();
return false;
}
The same happens when I try to insert it into one of my controllers.
public ResponseEntity listMessages(@AuthenticationPrincipal Principal principal) {
I don't know what to do and try any more. I don't see any difference from what I've done and this tutorial, for example.
Okay, I've managed to track down and solve my issue. I am using JWT and was using a custom filter, which sets the authentication. Instead of returning a proper Authentication object, I had been using the default UsernamePasswordAuthenticationToken. To solve this, I went ahead and created my own token class:
public class TokenBasedAuthentication extends AbstractAuthenticationToken {
private final UserDetails principal;
public TokenBasedAuthentication(AuthenticatedPrincipal principal) {
super(principal.getAuthorities());
this.principal = principal;
}
@Override
public boolean isAuthenticated() {
return true;
}
@Override
public UserDetails getPrincipal() {
return principal;
}
}
Then, in my filter, I went ahead and created a proper authentication object:
AuthenticatedPrincipal userDetails = (AuthenticatedPrincipal) userDetailsService.loadUserByUsername(username);
TokenBasedAuthentication authentication = new TokenBasedAuthentication(userDetails);
SecurityContextHolder.getContext().setAuthentication(authentication);
Now I'm getting the right principal as well. Actually should have figured that out sooner, but all well, I guess.