Spring Security In-Memory Authentication

Author:
In this Spring Security tutorial, we will learn how to configure Spring Security to use in-memory authentication.

Overview

Spring Security’s InMemoryUserDetailsManager implements UserDetailsService to provide support for username/password-based authentication that is stored in memory. The InMemoryUserDetailsManager provides management of UserDetails by implementing the UserDetailsManager interface. UserDetails-based authentication is used by Spring Security when it is configured to accept a username and password for authentication.

Maven Dependency

In order to use Spring Security in the Spring Boot project, we need to add the below Maven dependency:

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>

Spring Security Configuration

Next, let's configure Spring Security to use basic in-memory authentication. Let's create SpringSecurityConfig class and add the following code to it:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SpringSecurityConfig {

    @Bean
    public static PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        http.csrf().disable()
                .authorizeHttpRequests((authorize) -> {
                    authorize.anyRequest().authenticated();
                }).httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService(){

        UserDetails ramesh = User.builder()
                .username("ramesh")
                .password(passwordEncoder().encode("password"))
                .roles("USER")
                .build();

        UserDetails admin = User.builder()
                .username("admin")
                .password(passwordEncoder().encode("admin"))
                .roles("ADMIN")
                .build();

        return new InMemoryUserDetailsManager(ramesh, admin);
    }
}
Here we're using the httpBasic() element to define Basic Authentication inside the SecurityFilterChain bean.

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        http.csrf().disable()
                .authorizeHttpRequests((authorize) -> {
                    authorize.anyRequest().authenticated();
                }).httpBasic(Customizer.withDefaults());
        return http.build();
    }
In the below InMemoryUserDetailsManager Java Configuration, we have created two users and stored them in the InMemoryUserDetailsManager class object.
    @Bean
    public UserDetailsService userDetailsService(){

        UserDetails ramesh = User.builder()
                .username("ramesh")
                .password(passwordEncoder().encode("password"))
                .roles("USER")
                .build();

        UserDetails admin = User.builder()
                .username("admin")
                .password(passwordEncoder().encode("admin"))
                .roles("ADMIN")
                .build();

        return new InMemoryUserDetailsManager(ramesh, admin);
    }
Spring Security’s InMemoryUserDetailsManager implements UserDetailsService to provide support for username/password-based authentication that is stored in memory.

Note that we are using PasswordEncoder to encode the password. Spring Security’s PasswordEncoder interface is used to perform a one-way transformation of a password to let the password be stored securely. We are using BCryptPasswordEncoder class which implements the PasswordEncoder interface. The BCryptPasswordEncoder class implementation uses the widely supported bcrypt algorithm to hash the passwords.
    @Bean
    public static PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
    .password(passwordEncoder().encode("password"))

Create REST API

In order to test the above Spring security configuration, let's create a simple REST API and protect it using Spring Security. Well, if we add Spring security dependency to the Spring boot project then by default Spring Security secures all the application URLs. 
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WelComeController {

    @GetMapping("/greeting")
    public String greeting(Authentication authentication) {

        String userName = authentication.getName();

        return "Spring Security In-memory Authentication Example - Welcome " + userName;
    }
}

Testing REST API using Postman

In order to the REST APIs, we have to pass a username and password in the header this is called a basic authentication.

Note that we are passing username and password as admin/admin:

Conclusion

In this tutorial, we have seen how to configure Spring Security 6 to use in-memory authentication. Well, we have used Spring Security’s InMemoryUserDetailsManager class which implements UserDetailsService to provide support for username/password-based authentication that is stored in memory.

Comments

Post a Comment

Leave Comment