
Configure Users With inMemoryAuthentication

Configure Users Using inMemoryAuthentication

  • Following on from Custom Basic Spring Security, we now want to manage multiple usernames and passwords for our application, so we have to customize our user details, user details service and password encoders.
  • To customize them, we override another method that the Spring Security framework provides in the class WebSecurityConfigurerAdapter, also named configure. The difference between the two overloads is the input argument: the first one accepts HttpSecurity and the second one accepts AuthenticationManagerBuilder.


  • So this is the method to override when we want to customize the user details service and password encoders along with authentication providers. See the example below:
ProjectSecurityConfig.java
package com.spring.security.spring.security.inmemoryauthentication.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

@Configuration
public class ProjectSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     *
     * contact: Not Secure
     * notice: Not Secure
     * balance: Secure
     * Card: Secure
     * Loan: Secure
     * Account: Secure
     *
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/v1/accounts/**").authenticated()
                .antMatchers("/v1/balance").authenticated()
                .antMatchers("/v1/loan").authenticated()
                .antMatchers("/v1/card").authenticated()
                .antMatchers("/v1/contact").permitAll()
                .antMatchers("/v1/notice").permitAll()
                .and().formLogin()
                .and().httpBasic();
    }

    // Defines two in-memory users. NoOpPasswordEncoder stores and compares
    // the passwords as plain text.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("12345").authorities("admin")
                .and().withUser("user").password("12345").authorities("read")
                .and().passwordEncoder(NoOpPasswordEncoder.getInstance());
    }
}
  • As you can see, we are using inMemoryAuthentication(), which means the users we define with this method are stored in the memory of the Spring container, and Spring Security uses them while performing authentication and authorization.
  • To create a user, we call withUser() with the username, then password() with the password and authorities() with the authorities. We then call and() to finish that user, and either move on to configuring the password encoder or create another user by repeating the same calls. Finally, we call passwordEncoder() to configure the password encoder. In this case the passwords are kept in plain text, so the encoder is NoOpPasswordEncoder.getInstance(). We will learn more about the kinds of PasswordEncoder later.
  • Now you can comment out the user that you defined in application.yml, start your service and call an authenticated API with the credentials that you created in the configuration above to test it.
application.yml
#spring:
#  security:
#    user:
#      name: user
#      password: 12345
