1.1.11 Security - UserDetailsService vs AuthenticationManager

Info
UserDetailsService takes the enteredUsername and returns a UserDetails Object holding the storedPassword and authorities.
AuthenticationManager takes the enteredUsername and enteredPassword and returns an Authenticate Object if the passwords match.
The UserDetails Object is a DTO used to transfer Username, Password and Authorities from the DB into the Authenticate Object.
The Authenticate Object is what Spring Security uses to control access to Endpoints, based on its authorities and its authenticated flag.
Authentication Process
UserDetailsService
UserDetailsService is used to get the storedPassword for a given enteredUsername.
UserDetailsService gets only the enteredUsername as input parameter.
It then looks for the User with that username in the Database.
If such a storedUsername exists, it gets the related storedPassword.
It then stores storedUsername, storedPassword and authorities in the returned UserDetails Object.
UserDetailsService doesn't know about the enteredPassword and therefore can't Authenticate the User.
Instead, the returned UserDetails Object is used by AuthenticationManager to compare the enteredPassword with the
storedPassword held in that UserDetails Object.
[Diagram: Authentication Process. Calling Code (Controller, Service or Filter) passes enteredUsername and enteredPassword to AuthenticationManager; AuthenticationManager passes enteredUsername to UserDetailsService, which reads the storedPassword from the DB; AuthenticationManager compares enteredPassword with storedPassword and returns Authenticate.]
AuthenticationManager
AuthenticationManager is used to compare the enteredPassword with the storedPassword in the UserDetails Object (that was returned by UserDetailsService).
AuthenticationManager
is called with an Authentication Object as input parameter that contains enteredUsername and enteredPassword
calls UserDetailsService with the enteredUsername
gets from UserDetailsService a UserDetails Object with storedPassword and authorities
compares enteredPassword with storedPassword
If the passwords match, the User is considered Authenticated and AuthenticationManager returns an Authentication Object with
storedUsername
storedPassword
authorities (also taken from the UserDetails Object)
authenticated = true
The returned Authentication Object is accepted by the code that called AuthenticationManager. That calling code can now
store the Authentication Object into the Context/Session
return a JWT token
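The two roles described in the UserDetailsService and AuthenticationManager sections above, as an added example that is not part of the original slides: a custom UserDetailsService that sees only the enteredUsername, and the calling code (a Controller) that hands enteredUsername and enteredPassword to AuthenticationManager and stores the result in the Context. Spring's interface for what the slides call the Authenticate Object is named Authentication; UserRepository, UserEntity, their getters and the /login endpoint are assumed names, and UsernamePasswordAuthenticationToken.unauthenticated() assumes Spring Security 5.7 or later.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// UserDetailsService: receives only enteredUsername, loads storedPassword and authorities from the DB.
@Service
public class DbUserDetailsService implements UserDetailsService {
    private final UserRepository users; // assumed repository (e.g. Spring Data JPA), returns Optional<UserEntity>

    public DbUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String enteredUsername) {
        UserEntity u = users.findByUsername(enteredUsername)
            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
        // storedPassword is a hash (e.g. bcrypt); the DaoAuthenticationProvider behind
        // AuthenticationManager compares it via PasswordEncoder.matches(), never plain equals().
        return User.withUsername(u.getUsername())
            .password(u.getPasswordHash())
            .roles(u.getRoles().toArray(new String[0]))
            .build();
    }
}

// Calling code (a Controller): the only place that sees enteredPassword.
@RestController
class LoginController {
    private final AuthenticationManager authenticationManager;

    LoginController(AuthenticationManager am) { this.authenticationManager = am; }

    @PostMapping("/login")
    String login(@RequestParam String username, @RequestParam String password) {
        // Unauthenticated token: principal = enteredUsername, credentials = enteredPassword.
        Authentication request = UsernamePasswordAuthenticationToken.unauthenticated(username, password);
        // Throws AuthenticationException (e.g. BadCredentialsException) if the passwords don't match.
        Authentication result = authenticationManager.authenticate(request);
        // result.isAuthenticated() is true and the authorities were copied from the UserDetails Object;
        // ProviderManager erases the credentials by default, so the password is not kept in the Context.
        SecurityContextHolder.getContext().setAuthentication(result);
        return "authenticated as " + result.getName();
    }
}
```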
UserDetails vs Authenticate
At the end of the day the UserDetails and Authenticate Objects might contain the same data: Username, Password, Authorities.
But it is the Authenticate Object from which Spring Security takes the Authorities to control access to Restricted Resources,
since the Authenticate Object also has the Boolean authenticated, which must be true for Spring to even look at the Authorities.
The UserDetails Object, as a DTO, was just used as temporary storage for Username, Password and Authorities on their way
from the Database into the Authenticate Object.
But the UserDetails Object can also contain additional User data that is not used for Authorization and will not be
transferred to the Authenticate Object. In that case it makes sense to keep both of them inside the Context.