# spring
b
Hi, I'm building a multiplatform side project in Kotlin. I have decided to use Spring as my backend, because our backend team uses it and I have used it in the past. I'm trying to build an authentication system using Spring Security; Spring Security will delegate authentication to my Firebase Auth manager from the Firebase Java Admin SDK. I have done some research and discovered 3 approaches for custom authentication using Spring Security: 1- user details service. 2- authentication provider. 3- authentication manager. 4- simply by setting the authenticated user in the security context holder. My first question is: what's the recommended approach to a custom authentication system? Second question: is there a way to use my own domain object for authentication? I know that I can use the UserDetails interface, but I think that returning my user identifier or email in the getUsername method introduces confusion in my source code. So is there another way to use my domain object?
d
Implementing `UserDetailsService` is the simplest of them all and what I would recommend. You can have your domain object implement `UserDetails` and then return it from your `UserDetailsService`; it will then be accessible from anywhere via the `Authentication` object (`Authentication#principal` will contain your `UserDetails` implementation).
b
Yes, I agree it's the simplest way, but isn't it confusing to return something else from the method in UserDetails just to match your domain object? Since I'm trying to build something that I would use daily and maybe sell, I would like to know the + and - of using each of them. I like the authentication manager approach, but what do I lose by using this approach?
j
Isn't AuthenticationProvider what you need at least? It can use UserDetailsService or not.
UserDetails is not meant for authentication itself.
d
Depends. If you use Spring Boot it will set up `DaoAuthenticationProvider` automatically if you have a `UserDetailsService`, or you can do that yourself.
But if all you are doing is "fetch user data from somewhere", then `UserDetailsService` is fine; then you can let Spring handle all the validation (correct password, is locked or not, etc.)
b
Yes, Spring Boot sets up the DAO one automatically if you make a bean of UserDetailsService, I think.
What are the pros and cons of each approach?
j
Easier probably, but maybe if you don't feel that UserDetails fits your needs then it should be quite easy to implement AuthenticationProvider.
b
I don't want to choose a solution just because it's the easiest, if it doesn't match my needs.
j
The most confusing part with UserDetails is that it may include your authorities (getAuthorities), which are of course not used for authorization, since Authentication.getAuthorities is used for that.
So you may end up syncing authorities in two places.
d
Actually, `getAuthorities` on `Authorization` will return the authorities from the `UserDetails` if you have the correct AuthenticationProvider.
j
What kind of AuthenticationProvider would take part in authorization and behave like that?
d
Any `AbstractUserDetailsAuthenticationProvider` will create a `UsernamePasswordAuthenticationToken` as the `Authentication`, which takes its authorities from the `UserDetails`. `DaoAuthenticationProvider` (based on `UserDetailsService`) is one such provider.
In my last message I accidentally wrote `Authorization` (which is not a thing) instead of `Authentication`.
j
I wrote that wrong too earlier 🙂
You are correct; I was referring to custom authentication implementations where a custom UserDetails is used together with Spring Authentication types.
i
A lightweight approach, if 1) this backend to which you refer is a Spring MVC based REST API and 2) you only need to authenticate the user and do not need e.g. method level security, is to not use Spring Security at all, and just use handler method argument resolvers in the REST endpoints.
b
Same answer from my backend team and thank you very much for the repository. Really helpful. @isto