How to Manually Authenticate User with Spring Security

1. Overview

In this quick article, we’ll focus on how to programmatically set an authenticated user in Spring Security and Spring MVC.

2. Spring Security

Simply put, Spring Security holds the principal information of each authenticated user in a ThreadLocal, represented as an Authentication object.

In order to construct and set this Authentication object, we need to use the same approach Spring Security itself uses to build it during a standard authentication.

So, let's manually trigger authentication and then set the resulting Authentication object into the current SecurityContext, which the framework uses to hold the currently logged-in user:

// Build an unauthenticated request token from the raw credentials
UsernamePasswordAuthenticationToken authReq
 = new UsernamePasswordAuthenticationToken(user, pass);
// Ask the configured AuthenticationManager to verify them (throws AuthenticationException on failure)
Authentication auth = authManager.authenticate(authReq);
// Bind the fully authenticated result to the current thread's SecurityContext
SecurityContext sc = SecurityContextHolder.getContext();
sc.setAuthentication(auth);

After setting the Authentication in the context, we can check whether the current user is authenticated using securityContext.getAuthentication().isAuthenticated().
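The following helper, added here as an example and not code from the original article or from Spring Security itself, wraps the flow above into a reusable class. It assumes an AuthenticationManager is injected (as in the snippet above) and adds the two checks a practitioner usually wants: the failure path is handled by catching AuthenticationException without leaking the reason to the caller, and the context is built with createEmptyContext() instead of mutating the shared one, which Spring Security's own documentation recommends to avoid leaking an Authentication between pooled threads. The class name ManualAuthenticator and the isCurrentUserAuthenticated helper are hypothetical.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper for this example; not part of the article's code or of Spring Security.
public class ManualAuthenticator {

    private final AuthenticationManager authManager;

    public ManualAuthenticator(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    /**
     * Authenticates the credentials and binds the result to the current thread.
     * Returns false on any authentication failure instead of propagating the cause.
     */
    public boolean authenticate(String user, String pass) {
        UsernamePasswordAuthenticationToken authReq =
            new UsernamePasswordAuthenticationToken(user, pass);
        try {
            Authentication auth = authManager.authenticate(authReq);

            // Create a fresh context rather than mutating SecurityContextHolder.getContext():
            // with the default MODE_THREADLOCAL strategy and pooled threads, sharing one
            // SecurityContext instance can expose this Authentication to unrelated requests.
            SecurityContext sc = SecurityContextHolder.createEmptyContext();
            sc.setAuthentication(auth);
            SecurityContextHolder.setContext(sc);
            return true;
        } catch (AuthenticationException e) {
            // Covers bad credentials, locked or disabled accounts, and similar failures.
            // Clear the holder and do not forward e.getMessage() to the client, since the
            // message distinguishes "unknown user" from "wrong password".
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    /**
     * True only for a real, authenticated principal. isAuthenticated() alone is not enough:
     * the AnonymousAuthenticationToken that AnonymousAuthenticationFilter installs also
     * reports true, so it is excluded explicitly.
     */
    public static boolean isCurrentUserAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
            && auth.isAuthenticated()
            && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```

The anonymous-token check matters whenever the helper runs inside a request handled by the Spring Security filter chain: by the time a controller executes, an unauthenticated visitor already carries an AnonymousAuthenticationToken whose isAuthenticated() returns true.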

3. Spring MVC

By default, Spring Security adds an additional filter to its filter chain, the SecurityContextPersistenceFilter, which is responsible for persisting the SecurityContext between requests.

In turn, that filter delegates the persistence of the SecurityContext to an instance of SecurityContextRepository, which defaults to the HttpSessionSecurityContextRepository class.

So, in order to set the authentication for the current request and make it available to all subsequent requests from the same client, we need to manually store the SecurityContext containing the Authentication in the HTTP session:

public void login(HttpServletRequest req, String user, String pass) {
    // Authenticate the raw credentials through the configured AuthenticationManager
    UsernamePasswordAuthenticationToken authReq
      = new UsernamePasswordAuthenticationToken(user, pass);
    Authentication auth = authManager.authenticate(authReq);

    // Bind the result to the current thread...
    SecurityContext sc = SecurityContextHolder.getContext();
    sc.setAuthentication(auth);
    // ...and store the same context in the session so that
    // HttpSessionSecurityContextRepository finds it on the next request
    HttpSession session = req.getSession(true);
    session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, sc);
}

SPRING_SECURITY_CONTEXT_KEY is the statically imported constant HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, i.e. the session attribute name under which the repository stores and looks up the context.

Note that we can't directly use the HttpSessionSecurityContextRepository here, because it is designed to work together with the SecurityContextPersistenceFilter.

The filter uses the repository to load the security context before the remaining filters in the chain execute and to store it afterwards, but it does so through a custom wrapper around the response that it passes down the chain.

So, to call the repository yourself in this case, you would need to know the class of the wrapper in use and pass an instance of it to the repository's save method.
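The controller below is an added example, not code from the original article or from Spring Security, showing the session-based approach of this section as an endpoint. It assumes a Servlet 3.1+ container on the javax.servlet API (matching the era of SecurityContextPersistenceFilter) and an injected AuthenticationManager; the endpoint paths, the class name ManualLoginController and the request parameter names are hypothetical. Beyond the article's snippet it adds what a defender would expect around a hand-rolled login: the session id is rotated with changeSessionId() because a manual login bypasses the session-fixation protection that Spring Security's own SessionManagementFilter applies, failures return 401 without the underlying message, and a matching logout clears both the thread-bound context and the session.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

// Hypothetical controller for this example; paths and parameter names are assumptions.
@RestController
public class ManualLoginController {

    private final AuthenticationManager authManager;

    public ManualLoginController(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    @PostMapping("/manual-login")
    public ResponseEntity<Void> login(HttpServletRequest req,
                                      @RequestParam String user,
                                      @RequestParam String pass) {
        Authentication auth;
        try {
            auth = authManager.authenticate(
                new UsernamePasswordAuthenticationToken(user, pass));
        } catch (AuthenticationException e) {
            // Same response for unknown user, wrong password, locked account, etc.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }

        // A manual login never passes through AbstractAuthenticationProcessingFilter, so the
        // SessionAuthenticationStrategy that normally defeats session fixation does not run.
        // Rotate the id ourselves before the session carries an authenticated context.
        HttpSession session = req.getSession(true);
        req.changeSessionId();

        // Fresh context for this thread, then the same instance into the session so that
        // HttpSessionSecurityContextRepository restores it on subsequent requests.
        SecurityContext sc = SecurityContextHolder.createEmptyContext();
        sc.setAuthentication(auth);
        SecurityContextHolder.setContext(sc);
        session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, sc);

        return ResponseEntity.noContent().build();
    }

    @PostMapping("/manual-logout")
    public ResponseEntity<Void> logout(HttpServletRequest req) {
        // Drop the thread-bound context and the session that persisted it.
        SecurityContextHolder.clearContext();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return ResponseEntity.noContent().build();
    }
}
```

Because both endpoints are state-changing POST requests, they remain subject to the CsrfFilter; do not exclude them from CSRF protection just because they implement login manually. On Spring Security 5.7 and later, the project documentation additionally exposes SecurityContextRepository.saveContext(context, request, response) for this purpose, which is the supported replacement for writing the session attribute directly.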

4. Conclusion

In this quick tutorial, we went over how to manually set the user Authentication in the Spring Security context and how to make it available across requests in Spring MVC, focusing on the code samples that illustrate the simplest way to achieve it.

As always, code samples can be found over on GitHub.
