[JAVA] Add your own authentication items with Spring Security

Overview

You may also use Spring Security when trying to implement authentication with Spring Boot. Spring Security has a mechanism to automatically authenticate if you set items at login, but basically it authenticates with a set of user name and password. I will write what to do if you want to add other items for authentication.

Assumptions, etc.

• The basic settings for implementation are based on the contents of Implementing a simple Rest API with Spring Security with Spring Boot 2.0. .. This is an easy-to-understand article that explains all aspects of Spring Security settings.
• In the above article, ʻUserDetailsServiceis used to get the user, so we will take advantage of this and implement it additionally. This time, we will implement it by usingDaoAuthenticationProvider`. I refer to the article Check extra parameters with Spring Security.

Implementation sample

Add authenticationProvider to SecurityConfig. authenticationProvider sets ʻAuthenticationProviderImpl` which is implemented independently described later. Also, set authenticationProvider in configureGlobal.

SecurityConfig.java

  @Autowired
  private AuthenticationProviderImpl authenticationProvider;
  
  @Autowired
  public void configureGlobal(
    AuthenticationManagerBuilder auth,
    @Qualifier("userService") UserDetailsService userDetailsService,
    PasswordEncoder passwordEncoder) throws Exception {

    authenticationProvider.setUserDetailsService(userDetailsService);
    authenticationProvider.setPasswordEncoder(passwordEncoder);
    auth.eraseCredentials(true)
      .authenticationProvider(authenticationProvider);
  }

AuthenticationProvider that is implemented independently. I've added a status column to the table to authenticate users who aren't ʻactive`.

AuthenticationProviderImpl.java

@Component
public class AuthenticationProviderImpl extends DaoAuthenticationProvider {
  @Override
  protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    super.additionalAuthenticationChecks(userDetails, authentication);
    User user = (User) userDetails;

    //Additional conditions
    if (!user.getStatus().equals("active")) {
      throw new AccountStatusNotActiveException("Status is not active");
    }
  }

  public static class AccountStatusNotActiveException extends AuthenticationException {
    public AccountStatusNotActiveException(String message) {
      super(message);
    }
  }

  @Override
  protected void doAfterPropertiesSet() {}
}

Other references

• About Spring Security authentication
• Spring Security: Database Support UserDetails Service Authentication
• Incorporate your own authentication with Spring Boot
• Implement your own authentication with Spring Security