How to define 3 authentication ways config - httpBasic, userDetailsService, JsonLoginFilter() - Java Community

Tomasm21 · 2025-01-16T18:28:46.820Z

I'm creating an app where a user can authenticate using three ways httpBasic, userDetailsService, JsonLoginFilter(). A user should be authenticated using Spring's default `/login` path. But the type is one of three: **httpBasic:** There must be 2 users in memory database for testing. Simple user with user role and admin user with its role. **userDetailsService:** User and Role entities are read or saved to MySQL database. Authentication is possible when using `UserDetailsService` implementation bean. **JsonLoginFilter():** A user sends a request body but not as `x-www-form-urlencoded` or `form-data`. The body is raw JSON consisting of a pair : entries. Username and password. And `JsonLoginFilter()` is the filter that intercepts it. This is my configuration:

J

JavaBot•1/16/25, 6:28 PM

J

JavaBot•1/16/25, 6:28 PM

⌛

⌛

This post has been reserved for your question.

Hey @Tomasm21! Please use
/close
/close
or the
Close Post
Close Post
button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

T

Tomasm21OP•1/16/25, 6:30 PM

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Autowired
    private UserDetailsServicImp userDetailsService;
    
    @Autowired
    private CustomAuthenticationFailureHandler customFailureHandler;
    
    @Autowired
    private EncoderConfig passwordEncoder;
   
    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/**").permitAll()
                        .anyRequest().authenticated())
                .formLogin(formLogin -> formLogin
                        .loginPage("/login")
                        .defaultSuccessUrl("/hi", true)
                        .failureHandler(customFailureHandler)
                        //.failureUrl("/login?error=true")
                        .permitAll())
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout
                        .logoutUrl("/logout")
                        .logoutSuccessHandler((request, response, authentication) -> {
                            response.setStatus(HttpServletResponse.SC_OK);
                            response.setContentType("application/json");
                            response.getWriter().write("{\"message\": \"Logout successful\"}");
                        })
                        .invalidateHttpSession(true)
                        .clearAuthentication(true)
                        .permitAll())
                .addFilterBefore(new JsonLoginFilter(), UsernamePasswordAuthenticationFilter.class);
        httpSecurity.authenticationManager(authenticationManager());
        return httpSecurity.build();
    }

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Autowired
    private UserDetailsServicImp userDetailsService;
    
    @Autowired
    private CustomAuthenticationFailureHandler customFailureHandler;
    
    @Autowired
    private EncoderConfig passwordEncoder;
   
    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/**").permitAll()
                        .anyRequest().authenticated())
                .formLogin(formLogin -> formLogin
                        .loginPage("/login")
                        .defaultSuccessUrl("/hi", true)
                        .failureHandler(customFailureHandler)
                        //.failureUrl("/login?error=true")
                        .permitAll())
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout
                        .logoutUrl("/logout")
                        .logoutSuccessHandler((request, response, authentication) -> {
                            response.setStatus(HttpServletResponse.SC_OK);
                            response.setContentType("application/json");
                            response.getWriter().write("{\"message\": \"Logout successful\"}");
                        })
                        .invalidateHttpSession(true)
                        .clearAuthentication(true)
                        .permitAll())
                .addFilterBefore(new JsonLoginFilter(), UsernamePasswordAuthenticationFilter.class);
        httpSecurity.authenticationManager(authenticationManager());
        return httpSecurity.build();
    }

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Autowired
    private UserDetailsServicImp userDetailsService;
    
    @Autowired
    private CustomAuthenticationFailureHandler customFailureHandler;
    
    @Autowired
    private EncoderConfig passwordEncoder;
   
    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/**").permitAll()
                        .anyRequest().authenticated())
                .formLogin(formLogin -> formLogin
                        .loginPage("/login")
                        .defaultSuccessUrl("/hi", true)
                        .failureHandler(customFailureHandler)
                        //.failureUrl("/login?error=true")
                        .permitAll())
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout
                        .logoutUrl("/logout")
                        .logoutSuccessHandler((request, response, authentication) -> {
                            response.setStatus(HttpServletResponse.SC_OK);
                            response.setContentType("application/json");
                            response.getWriter().write("{\"message\": \"Logout successful\"}");
                        })
                        .invalidateHttpSession(true)
                        .clearAuthentication(true)
                        .permitAll())
                .addFilterBefore(new JsonLoginFilter(), UsernamePasswordAuthenticationFilter.class);
        httpSecurity.authenticationManager(authenticationManager());
        return httpSecurity.build();
    }

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Autowired
    private UserDetailsServicImp userDetailsService;
    
    @Autowired
    private CustomAuthenticationFailureHandler customFailureHandler;
    
    @Autowired
    private EncoderConfig passwordEncoder;
   
    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/**").permitAll()
                        .anyRequest().authenticated())
                .formLogin(formLogin -> formLogin
                        .loginPage("/login")
                        .defaultSuccessUrl("/hi", true)
                        .failureHandler(customFailureHandler)
                        //.failureUrl("/login?error=true")
                        .permitAll())
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout
                        .logoutUrl("/logout")
                        .logoutSuccessHandler((request, response, authentication) -> {
                            response.setStatus(HttpServletResponse.SC_OK);
                            response.setContentType("application/json");
                            response.getWriter().write("{\"message\": \"Logout successful\"}");
                        })
                        .invalidateHttpSession(true)
                        .clearAuthentication(true)
                        .permitAll())
                .addFilterBefore(new JsonLoginFilter(), UsernamePasswordAuthenticationFilter.class);
        httpSecurity.authenticationManager(authenticationManager());
        return httpSecurity.build();
    }

T

Tomasm21OP•1/16/25, 6:30 PM

    @Bean
    public AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider inMemoryProvider = new DaoAuthenticationProvider();
        inMemoryProvider.setUserDetailsService(inMemoryUserDetailsManager());
        inMemoryProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        DaoAuthenticationProvider databaseProvider = new DaoAuthenticationProvider();
        databaseProvider.setUserDetailsService(userDetailsService);
        databaseProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        // Combine both providers in a custom AuthenticationManager
        return new ProviderManager(List.of(inMemoryProvider, databaseProvider));
    }
    
    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        // Create two in-memory users
        UserDetails user = User.withUsername("user")
                .password(passwordEncoder.passwordEncoder().encode("userpass"))
                .roles("USER")
                .build();

        UserDetails admin = User.withUsername("admin")
                .password(passwordEncoder.passwordEncoder().encode("adminpass"))
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}

    @Bean
    public AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider inMemoryProvider = new DaoAuthenticationProvider();
        inMemoryProvider.setUserDetailsService(inMemoryUserDetailsManager());
        inMemoryProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        DaoAuthenticationProvider databaseProvider = new DaoAuthenticationProvider();
        databaseProvider.setUserDetailsService(userDetailsService);
        databaseProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        // Combine both providers in a custom AuthenticationManager
        return new ProviderManager(List.of(inMemoryProvider, databaseProvider));
    }
    
    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        // Create two in-memory users
        UserDetails user = User.withUsername("user")
                .password(passwordEncoder.passwordEncoder().encode("userpass"))
                .roles("USER")
                .build();

        UserDetails admin = User.withUsername("admin")
                .password(passwordEncoder.passwordEncoder().encode("adminpass"))
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}

    @Bean
    public AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider inMemoryProvider = new DaoAuthenticationProvider();
        inMemoryProvider.setUserDetailsService(inMemoryUserDetailsManager());
        inMemoryProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        DaoAuthenticationProvider databaseProvider = new DaoAuthenticationProvider();
        databaseProvider.setUserDetailsService(userDetailsService);
        databaseProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        // Combine both providers in a custom AuthenticationManager
        return new ProviderManager(List.of(inMemoryProvider, databaseProvider));
    }
    
    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        // Create two in-memory users
        UserDetails user = User.withUsername("user")
                .password(passwordEncoder.passwordEncoder().encode("userpass"))
                .roles("USER")
                .build();

        UserDetails admin = User.withUsername("admin")
                .password(passwordEncoder.passwordEncoder().encode("adminpass"))
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}

    @Bean
    public AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider inMemoryProvider = new DaoAuthenticationProvider();
        inMemoryProvider.setUserDetailsService(inMemoryUserDetailsManager());
        inMemoryProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        DaoAuthenticationProvider databaseProvider = new DaoAuthenticationProvider();
        databaseProvider.setUserDetailsService(userDetailsService);
        databaseProvider.setPasswordEncoder(passwordEncoder.passwordEncoder());

        // Combine both providers in a custom AuthenticationManager
        return new ProviderManager(List.of(inMemoryProvider, databaseProvider));
    }
    
    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        // Create two in-memory users
        UserDetails user = User.withUsername("user")
                .password(passwordEncoder.passwordEncoder().encode("userpass"))
                .roles("USER")
                .build();

        UserDetails admin = User.withUsername("admin")
                .password(passwordEncoder.passwordEncoder().encode("adminpass"))
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}

T

Tomasm21OP•1/16/25, 6:30 PM

It executes well but in console I get:

T

Tomasm21OP•1/16/25, 6:36 PM

console1.txt1.6KB

T

Tomasm21OP•1/16/25, 6:37 PM

Problem:

Found 2 UserDetailsService beans, with names [userDetailsServicImp, inMemoryUserDetailsManager]. Global Authentication Manager will not use a UserDetailsService for username/password login. Consider publishing a single UserDetailsService bean.

Found 2 UserDetailsService beans, with names [userDetailsServicImp, inMemoryUserDetailsManager]. Global Authentication Manager will not use a UserDetailsService for username/password login. Consider publishing a single UserDetailsService bean.

Found 2 UserDetailsService beans, with names [userDetailsServicImp, inMemoryUserDetailsManager]. Global Authentication Manager will not use a UserDetailsService for username/password login. Consider publishing a single UserDetailsService bean.

Found 2 UserDetailsService beans, with names [userDetailsServicImp, inMemoryUserDetailsManager]. Global Authentication Manager will not use a UserDetailsService for username/password login. Consider publishing a single UserDetailsService bean.

and

No authenticationProviders and no parentAuthenticationManager defined. Returning null.

No authenticationProviders and no parentAuthenticationManager defined. Returning null.

No authenticationProviders and no parentAuthenticationManager defined. Returning null.

No authenticationProviders and no parentAuthenticationManager defined. Returning null.

T

Tomasm21OP•1/16/25, 6:38 PM

As a result I can't authenticate in either way. I get an exception:

T

Tomasm21OP•1/16/25, 6:39 PM

console2.txt12.21KB

T

Tomasm21OP•1/16/25, 6:42 PM

I want to have all three ways to authenticate. Did I defined it wrong in my

SecurityConfiguration

SecurityConfiguration

SecurityConfiguration

SecurityConfiguration ?
How should it be defined? Why Spring doesn't accept my changed

AuthenticationManager

AuthenticationManager

AuthenticationManager

AuthenticationManager with two

DaoAuthenticationProvider

DaoAuthenticationProvider

DaoAuthenticationProvider

DaoAuthenticationProvider providers that each provides different way to authenticate? One for in memory db and another using real MySql db.

T

Tomasm21OP•1/16/25, 6:44 PM

JsonLoginFilter():

public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (request.getContentType() != null && request.getContentType().equals("application/json")) {
            try {
                // Parse the raw JSON request body
                ObjectMapper objectMapper = new ObjectMapper();
                @SuppressWarnings("unchecked")
                Map<String, String> credentials = objectMapper.readValue(request.getInputStream(), Map.class);
                String username = credentials.get("username");
                String password = credentials.get("password");

                // Create the authentication token with the username and password
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            } catch (IOException e) {
                throw new BadCredentialsException("Failed to parse JSON request", e);
            }
        }

        // Fall back to the default form login behavior
        return super.attemptAuthentication(request, response);
    }
}

public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (request.getContentType() != null && request.getContentType().equals("application/json")) {
            try {
                // Parse the raw JSON request body
                ObjectMapper objectMapper = new ObjectMapper();
                @SuppressWarnings("unchecked")
                Map<String, String> credentials = objectMapper.readValue(request.getInputStream(), Map.class);
                String username = credentials.get("username");
                String password = credentials.get("password");

                // Create the authentication token with the username and password
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            } catch (IOException e) {
                throw new BadCredentialsException("Failed to parse JSON request", e);
            }
        }

        // Fall back to the default form login behavior
        return super.attemptAuthentication(request, response);
    }
}

public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (request.getContentType() != null && request.getContentType().equals("application/json")) {
            try {
                // Parse the raw JSON request body
                ObjectMapper objectMapper = new ObjectMapper();
                @SuppressWarnings("unchecked")
                Map<String, String> credentials = objectMapper.readValue(request.getInputStream(), Map.class);
                String username = credentials.get("username");
                String password = credentials.get("password");

                // Create the authentication token with the username and password
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            } catch (IOException e) {
                throw new BadCredentialsException("Failed to parse JSON request", e);
            }
        }

        // Fall back to the default form login behavior
        return super.attemptAuthentication(request, response);
    }
}

public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (request.getContentType() != null && request.getContentType().equals("application/json")) {
            try {
                // Parse the raw JSON request body
                ObjectMapper objectMapper = new ObjectMapper();
                @SuppressWarnings("unchecked")
                Map<String, String> credentials = objectMapper.readValue(request.getInputStream(), Map.class);
                String username = credentials.get("username");
                String password = credentials.get("password");

                // Create the authentication token with the username and password
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            } catch (IOException e) {
                throw new BadCredentialsException("Failed to parse JSON request", e);
            }
        }

        // Fall back to the default form login behavior
        return super.attemptAuthentication(request, response);
    }
}

R

red•1/16/25, 6:54 PM

Try to create two AuthenticationProvider, one for each UserDetailsService and then register both of them with @Bean

R

red•1/16/25, 6:55 PM

I think that this way you can separate the two forms of login and still delegate the management of beans to Spring Security as it should be.

R

red•1/16/25, 6:56 PM

Or something like that

R

red•1/16/25, 6:58 PM

Name the beans and then use @Qualifier to specify which authenticationProvider you want to inject

T

Tomasm21OP•1/16/25, 7:01 PM

But would it mean that if I will qualify the

databaseProvider

databaseProvider

databaseProvider

databaseProvider bean and then in postman I will try to autheticate using Basic Auth then what happens next? Due to qualifiers it will always try to athenticate me using

databaseProvider

databaseProvider

databaseProvider

databaseProvider instead of the

inMemoryProvider

inMemoryProvider

inMemoryProvider

inMemoryProvider. And perhaps I won't be able to auntheticate.

T

Tomasm21OP•1/16/25, 7:02 PM

There should be a way.

T

Tomasm21OP•1/16/25, 7:02 PM

These problems are not new.

TTomasm21 But would it mean that if I will qualify the `databaseProvider` bean and then in...

R

red•1/16/25, 7:05 PM

Yes, indeed. But you can get around this by creating two SecurityFilterChain and specifying which authenticationProvider to use.

T

Tomasm21OP•1/16/25, 7:05 PM

Ok I will try

R

red•1/16/25, 7:18 PM

The problem with this approach that I mentioned is that it is not possible for the same route to be accessed by more than one form of authentication. For more flexibility, you also should create a filter that processes the user credentials, creates an Authentication object and then based on the obtained data, delegate the authentication to an AuthenticationProvider

R

red•1/16/25, 7:19 PM

But maybe this might not be a problem in your case

J

JavaBot•1/17/25, 12:30 AM

💤

💤

Post marked as dormant

This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
In case your post is not getting any attention, you can try to use
/help ping
/help ping
.
Warning: abusing this will result in moderative actions taken against you.