Reputation: 73
If I did not misunderstand, AuthenticationProvider uses UserDetailsService to retrieve a user's attributes in order to authenticate an Authentication object.
Problem is that in the next code there is no configuration for an AuthenticationProvider nor for a UserDetailsService.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("pass").roles("ADMIN")
                .and()
                .withUser("user1").password("pass").roles("USER");
    }
Yet the authentication service has been set.
My question is, was there an implementation for AuthenticationProvider and another one for UserDetailsService that were added to the Spring context internally? In this case, what are the used implementations (in the case of inMemoryAuthentication)?
Does the *.withUser("user").password("pass").roles("ADMIN")* part of the configuration represent a UserDetailsService implementation?
Upvotes: 5
Views: 4108
Reputation: 11835
Yes, for such a configuration AuthenticationProvider and UserDetailsService beans are configured implicitly.
.inMemoryAuthentication() configures Spring Security to use InMemoryUserDetailsManager, which (indirectly) implements the UserDetailsService interface, so it is a UserDetailsService itself.
DaoAuthenticationProvider is used as the AuthenticationProvider implementation by default with inMemoryAuthentication().
.withUser("user").password("pass").roles("ADMIN") configures a user known to InMemoryUserDetailsManager. This can be used to populate it with users you'd like to use for logging in.
One more thing: not all AuthenticationProviders use UserDetailsService to obtain user details. Actually, among the standard AuthenticationProvider implementations, only the DaoAuthenticationProvider class uses UserDetailsService.
Upvotes: 5
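The implicit wiring described in the answer above, written out explicitly. This is an added example, not code from the question or the answer. It assumes Spring Security 5.x (where WebSecurityConfigurerAdapter is still available); the class name ExplicitInMemorySecurityConfig is hypothetical, and the passwords are hashed with the delegating PasswordEncoder instead of being stored as plain text.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical class name; assumes Spring Security 5.x.
@Configuration
@EnableWebSecurity
public class ExplicitInMemorySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Delegating encoder: stores hashes as "{bcrypt}..." and verifies by prefix.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Same two users as the inMemoryAuthentication() chain in the question.
        UserDetails admin = User.withUsername("user")
                .password(encoder.encode("pass"))
                .roles("ADMIN")   // becomes authority ROLE_ADMIN
                .build();
        UserDetails user1 = User.withUsername("user1")
                .password(encoder.encode("pass"))
                .roles("USER")    // becomes authority ROLE_USER
                .build();

        // The UserDetailsService: looks users up by name from an in-memory map.
        InMemoryUserDetailsManager userDetailsService =
                new InMemoryUserDetailsManager(admin, user1);

        // The AuthenticationProvider: loads the user through the
        // UserDetailsService and checks the presented password against the hash.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(encoder);

        // Register the provider with the AuthenticationManager being built.
        auth.authenticationProvider(provider);
    }
}
```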