feature: a callback interface allowing customization of UserDetailsService#loadUserByUsername

This pull request adds a callback interface that allows downstream projects to participate in one of the core Spring Security components of the local-users profile: the UserDetailsService.

During an authentication attempt, UserDetailsService#loadUserByUsername is used by Spring Security to first check if a User object exists for the username in the credentials. If no User object is found, no further credential check takes place; if a User object is found, other Spring Security components go about comparing the provided credentials in the authentication attempt to that object.

We have a use case in DoIT Number that is driving the need for this. DoIT Number has a custom UWUserDetails class that has some additional fields stored behind a DAO. If we didn't have this customization, DoIT Number would need to sub-class LocalUserDetailsManagerImpl, then somehow exclude that bean from the UWSpringSecurityConfiguration - not trivially possible.

The existing LocalUserDetailsAttributesMapper interface has a lifecycle that's not conducive to this type of request. Implementations of that interface are executed during application startup - and it is possible that the DAO may not be fully constructed at the time it's queried. We need a callback that fires at time of authentication attempt - not startup.

With this pull request, DoIT Number will simply have to register a Spring Bean as follows to query that DAO and attach the necessary data to their custom UWUserDetails class as part of UserDetailsService#loadUserByUsername:

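import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
class DNumberLocalUWUserDetailsCallback implements LocalUWUserDetailsCallback<DNumberUserDetailsImpl> {

  @Autowired
  private ControlDao controlDao;

  // Fires during UserDetailsService#loadUserByUsername, once a user has been found.
  @Override
  public void success(DNumberUserDetailsImpl userDetails) {
    // Attach the DAO-backed fields to the custom user details object.
    userDetails.setControls(controlDao.getControls(userDetails.getUsername()));
  }
}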

This type of feature is only needed for local-users and not for preauth. The PreauthenticatedUserDetailsAttributeMapper interface has a lifecycle already similar to LocalUWUserDetailsCallback (firing on authentication attempt, not startup).

Notify @alundholm
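
A sketch of the lookup-time lifecycle described above, added here as an illustration and not the code from this pull request. `LookupCallback` and `CallbackUserDetailsService` are hypothetical names and the sample user is constructed; only the Spring Security types are real.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical stand-in for the callback interface this pull request adds;
// only a success(...) method is visible in the description.
interface LookupCallback<T extends UserDetails> {
  void success(T userDetails);
}

// Sketch of a local-users UserDetailsService that fires callbacks per lookup.
class CallbackUserDetailsService implements UserDetailsService {
  private final Map<String, UserDetails> users;              // loaded at startup
  private final List<LookupCallback<UserDetails>> callbacks; // run per attempt

  CallbackUserDetailsService(Map<String, UserDetails> users,
                             List<LookupCallback<UserDetails>> callbacks) {
    this.users = users;
    this.callbacks = callbacks;
  }

  @Override
  public UserDetails loadUserByUsername(String username) {
    UserDetails found = users.get(username);
    if (found == null) {
      // Unknown user: no callback runs and no credential check follows.
      throw new UsernameNotFoundException("user not found");
    }
    // Callbacks run here, before Spring Security compares the credentials,
    // so they should only enrich the object, not decide authentication.
    for (LookupCallback<UserDetails> cb : callbacks) cb.success(found);
    return found;
  }

  public static void main(String[] args) {
    UserDetails alice = User.withUsername("alice") // constructed sample user
        .password("{noop}example").roles("USER").build();
    int[] fired = {0};
    UserDetailsService svc = new CallbackUserDetailsService(
        Map.of("alice", alice), List.of(u -> fired[0]++));
    svc.loadUserByUsername("alice");
    try { svc.loadUserByUsername("mallory"); }
    catch (UsernameNotFoundException e) { /* expected for an unknown user */ }
    System.out.println("callbacks fired: " + fired[0]);
  }
}
```

Because the callback runs for any username that exists, whether or not the supplied credentials later turn out to be valid, any DAO query it performs is reachable by unauthenticated callers.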