
I am using Spring Security in my project and I am aware that the provided interface UserDetailsService is just like the normal interfaces we write, but I want to know whether there is any special purpose behind the Spring people providing this interface containing a single method.

What I observed is that we pass the implementation class to the method userDetailsService() of AuthenticationBuilderManager, so we do not need to bother to invoke the service explicitly in the controller.

Apart from this, are there any other benefits?

user9634982
  • We use interfaces in Java so we can use polymorphism. Same function name but different implementations. We call that one method and the implemented class can either call a database, an LDAP server, or an in-memory database, or any other service, etc. https://stackoverflow.com/questions/3528420/why-do-we-need-interfaces-in-java – Toerktumlare Jun 02 '21 at 01:10
  • If you read the API https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/userdetails/UserDetailsService.html you can see all the implementations `CachingUserDetailsService, InMemoryUserDetailsManager, JdbcDaoImpl, JdbcUserDetailsManager, LdapUserDetailsManager, LdapUserDetailsService` – Toerktumlare Jun 02 '21 at 01:12
  • I know the core concepts well, but my question is still unanswered, if we can able to write services, then there is something special, then only Spring people provides us this Interface – user9634982 Jun 02 '21 at 11:13
  • I don't understand what you are saying. What do you mean there is something special? `then only Spring people provides us this Interface` that sentence makes no sense as it is not proper English. – Toerktumlare Jun 02 '21 at 12:17
  • I mean to say, we can able to write our own services right? then why Spring community provides UserDetailsService separately ? is there special something about this interface? – user9634982 Jun 02 '21 at 12:20
  • What do you mean by service? `UserDetailsService` is where you write your implementation if you have some special need in how you want to fetch the user from whatever user storage you have. For instance, if you have a custom table schema in your DB, or you are storing users in a file, or you are storing the users in another service so you need to do a REST call somewhere, etc. – Toerktumlare Jun 02 '21 at 12:24
  • The `AuthenticationProvider` does the authentication for you, but you then have the ability to provide a custom-written `UserDetailsService` (if you are not using one of the default ones) that declares where you want to fetch the user object from and builds a `UserDetails` object that Spring will use during authentication and that will eventually end up in the `Principal`. – Toerktumlare Jun 02 '21 at 12:24
  • Here you can read about it: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-authentication-userdetailsservice – Toerktumlare Jun 02 '21 at 12:30

1 Answer

The UserDetailsService interface is used by DaoAuthenticationProvider for retrieving a username, password, and other attributes for authenticating with a username and password. The benefit of having a core interface for that is that users can define their own way to retrieve the UserDetails, and Spring Security just needs a @Bean of that type.

For example:

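```java
// Registers the custom implementation as the UserDetailsService bean
// that Spring Security picks up for username/password authentication.
@Bean
UserDetailsService customUserDetailsService() {
    return new FileSystemUserDetailsService();
}
```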

Spring Security does not need to be aware that you are loading users from the OS file system since all it requires is that you provide a @Bean of the UserDetailsService type. This way it simplifies support for new data-access strategies. There are more details in the Spring Security docs.
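
As an added illustration (not code from the answer or from Spring Security), this is one way the `FileSystemUserDetailsService` named above could look. The file format, the `Path` constructor argument and the sample line are assumptions. Two parts of the contract matter for authentication: an unknown user must raise `UsernameNotFoundException` rather than return `null`, and the stored password must be an encoded hash, not plaintext.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical implementation; only the class name comes from the answer.
// Assumed format, one user per line with at least one authority:
//   username:encodedPassword:AUTHORITY1,AUTHORITY2
// Constructed sample line: alice:{bcrypt}<hash>:ROLE_USER,ROLE_ADMIN
public class FileSystemUserDetailsService implements UserDetailsService {

    private final Path usersFile; // assumption: location is injected by the @Bean method

    public FileSystemUserDetailsService(Path usersFile) {
        this.usersFile = usersFile;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<String> lines;
        try {
            lines = Files.readAllLines(usersFile, StandardCharsets.UTF_8);
        } catch (IOException e) {
            // A broken user store is a system failure, not a "user not found".
            throw new UncheckedIOException("Cannot read user store", e);
        }
        for (String line : lines) {
            // Limit of 3 keeps any ':' inside the authority list intact.
            String[] parts = line.split(":", 3);
            if (parts.length != 3 || !parts[0].equals(username)) {
                continue; // malformed line or a different user
            }
            // The password is passed through as stored; the configured
            // PasswordEncoder compares it with the submitted credential.
            return User.withUsername(parts[0])
                    .password(parts[1])
                    .authorities(parts[2].split(","))
                    .build();
        }
        // Never return null: the contract requires this exception.
        throw new UsernameNotFoundException("No such user");
    }
}
```

With this constructor, the `@Bean` method would pass the file location instead of using a no-argument constructor.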