Mr.DevEng

Reputation: 2421

Authentication of users by AuthenticationProvider from Spring Security through a REST API call

I am now exploring authentication of users in a microservice. For that I have created my authentication service, checkUserAuthentication. I am also providing a microservice; this is already deployed in the cloud. Now I am creating a new service with specific business logic. In this service, I need to authenticate the user and check the user's authorization to access this endpoint by using an AuthenticationProvider from Spring Security.

For this I am reading and exploring the following tutorials:

  1. https://dzone.com/articles/spring-security-custom
  2. http://roshanonjava.blogspot.in/2017/04/spring-security-custom-authentication.html
  3. http://javasampleapproach.com/spring-framework/spring-security/spring-security-customize-authentication-provider
  4. http://www.baeldung.com/spring-security-authentication-provider

In these they implement AuthenticationProvider in the class CustomAuthenticationProvider,

and in the method they receive the username and password like the following:

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// `users` (a List<User> of the tutorial's own User type), `logger` and the
// User.index(name, password) credential check are fields of the tutorial's
// CustomAuthenticationProvider; only the authenticate() method is shown here.
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // The login filter has already copied username and password from the request into this token
    String name = authentication.getName();
    String password = authentication.getCredentials().toString();

    // Look up the first configured user whose credentials match the supplied pair
    Optional<User> optionalUser = users.stream()
            .filter(u -> u.index(name, password))
            .findFirst();

    if (!optionalUser.isPresent()) {
        logger.error("Authentication failed for user = " + name);
        throw new BadCredentialsException("Authentication failed for user = " + name);
    }

    // Build the authorities (roles) of the matched user
    List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
    grantedAuthorities.add(new SimpleGrantedAuthority(optionalUser.get().role));
    // The three-argument constructor returns a token with isAuthenticated() == true
    UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(name, password,
            grantedAuthorities);

    logger.info("Successful authentication with user = " + name);
    return auth;
}

This is code from the documentation. Instead of this method, I need to do it a different way. Here I am adding my requirements:

My requirement: I need to receive the username and password from the API request. And for checking this username and password, I need to call my deployed APIs checkUserAuthentication and checkUserAuthorization.

My doubts on this:

  1. Can I directly call these APIs within the "public Authentication authenticate(Authentication authentication)" method?
  2. How do I receive the username and password from the received request?
  3. Why are we using UsernamePasswordAuthenticationToken? If we are sending a JWT token instead of username and password, then which class will be used for providing the reply?

Since I have only just started with Spring Security, I am new to the security world.

Upvotes: 1

Views: 1346
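The provider the question describes, written out as an added example (it is not the asker's code and not from any of the linked tutorials): username and password are taken from the unauthenticated token, posted to the remote authentication service, and the roles returned by the authorization service become the authorities of the authenticated token. The endpoint URLs, the JSON request and response shapes (AuthResult, AuthzResult) and the bare role names (ADMIN rather than ROLE_ADMIN) are assumptions for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

/**
 * AuthenticationProvider that delegates the credential check to a remote service.
 * URLs and response shapes below are ASSUMPTIONS for this example; adapt them to the
 * real checkUserAuthentication / checkUserAuthorization contracts.
 */
public class RemoteAuthenticationProvider implements AuthenticationProvider {

    // Assumed JSON response bodies of the two remote calls
    public static class AuthResult { public boolean authenticated; }
    public static class AuthzResult { public List<String> roles; }

    private final RestTemplate rest;
    private final String checkAuthenticationUrl; // e.g. https://auth.internal/checkUserAuthentication (assumed)
    private final String checkAuthorizationUrl;  // e.g. https://auth.internal/checkUserAuthorization (assumed)

    public RemoteAuthenticationProvider(RestTemplate rest, String checkAuthenticationUrl, String checkAuthorizationUrl) {
        this.rest = rest;
        this.checkAuthenticationUrl = checkAuthenticationUrl;
        this.checkAuthorizationUrl = checkAuthorizationUrl;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The login filter (form login or HTTP Basic) already extracted the credentials
        // from the request and wrapped them in an unauthenticated token.
        String name = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (name == null || name.isEmpty() || credentials == null) {
            throw new BadCredentialsException("Missing username or password");
        }
        String password = credentials.toString();

        Map<String, String> loginBody = new HashMap<>();
        loginBody.put("username", name);
        loginBody.put("password", password);

        List<String> roles;
        try {
            AuthResult result = rest.postForObject(checkAuthenticationUrl, loginBody, AuthResult.class);
            if (result == null || !result.authenticated) {
                throw new BadCredentialsException("Authentication failed for user " + name);
            }
            AuthzResult authz = rest.postForObject(checkAuthorizationUrl,
                    Collections.singletonMap("username", name), AuthzResult.class);
            roles = (authz == null || authz.roles == null) ? Collections.<String>emptyList() : authz.roles;
        } catch (HttpClientErrorException e) {
            // 4xx from the auth service: it rejected the credentials
            throw new BadCredentialsException("Authentication failed for user " + name, e);
        } catch (RestClientException e) {
            // Network failure or 5xx: must NOT be reported as a wrong password
            throw new AuthenticationServiceException("Authentication service unavailable", e);
        }

        // Assumes bare role names; hasRole("ADMIN") expects the ROLE_ prefix
        List<GrantedAuthority> authorities = roles.stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());

        // Three-argument constructor => isAuthenticated() == true. Credentials are null
        // so the clear-text password is not retained in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(name, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register the provider with `http.authenticationProvider(...)` (or through `AuthenticationManagerBuilder`) and express the per-endpoint check declaratively, for example `.antMatchers("/orders/**").hasRole("ADMIN")`; the provider establishes who the caller is and which roles they hold, and the authorization layer decides whether that is enough for the endpoint. Two caveats: the remote call must go over TLS, since it carries the password, and with HTTP Basic and no session the provider runs on every request, which is one reason to move to tokens as the answer below suggests.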

Answers (1)

Agam

Reputation: 1090

  1. Can I directly call these APIs within the "public Authentication authenticate(Authentication authentication)" method?

Yes.

  2. How do I receive the username and password from the received request?

The same way they are doing it in the authenticate method.

  3. Why are we using UsernamePasswordAuthenticationToken? If we are sending a JWT token instead of username and password, then which class will be used for providing the reply?

UsernamePasswordAuthenticationToken is used internally by Spring Security. This comes into the picture when you create a session in Spring. It contains the user information (e.g. email etc.) and authorities (role). For example, when you receive a JWT token in your application, you will validate the JWT token (signature etc.) and upon successful validation of the JWT, you will create an object of UsernamePasswordAuthenticationToken and Spring will save it in the session. For each incoming request, Spring will call the boolean isAuthenticated() method on this object to find out if the user can access the required resource.

Now that you have got all your answers, my recommendation is to go with OAuth2 for your Boot microservices. There are plenty of examples of how to implement it and customize it for your requirement. (Basically, you have to implement your Authorization Server, which will authenticate the user with your service checkUserAuthentication and generate the access token. Each consumer of your microservice needs to send this access token, which they have got from the Authorization Server, and you need to validate it in your microservice. So your microservice will act as a Resource Server.)

Hope it will help.

Upvotes: 1
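The flow the answer describes for the JWT case, written out as an added example (not the answerer's code): a filter verifies the Bearer token and, only on success, stores an authenticated UsernamePasswordAuthenticationToken in the SecurityContext, with the roles carried in the token as authorities. It uses only the JDK and Jackson, so the checks are visible rather than hidden in a library. Assumptions: HS256 with a shared secret, claims laid out as "sub", "roles" (bare role names) and "exp", and the javax.servlet API of Spring Boot 1.x/2.x.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Verifies a Bearer JWT (HS256) and populates the SecurityContext on success.
 * Claim layout ("sub", "roles", "exp") is an ASSUMPTION for this example.
 */
public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private static final ObjectMapper JSON = new ObjectMapper();
    private static final TypeReference<Map<String, Object>> MAP = new TypeReference<Map<String, Object>>() {};

    private final byte[] hmacKey; // secret shared with the token issuer, provisioned out of band (assumed)

    public JwtAuthenticationFilter(byte[] hmacKey) {
        this.hmacKey = hmacKey.clone();
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            Map<String, Object> claims = verify(header.substring("Bearer ".length()).trim());
            if (claims != null) {
                SecurityContextHolder.getContext().setAuthentication(toAuthentication(claims));
            }
            // Invalid token: leave the context empty; protected endpoints are then refused downstream
        }
        chain.doFilter(request, response);
    }

    /** Returns the claims if the token is well-formed, correctly signed and unexpired; otherwise null. */
    Map<String, Object> verify(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder(); // accepts unpadded input
            Map<String, Object> header = JSON.readValue(b64.decode(parts[0]), MAP);
            if (!"HS256".equals(header.get("alg"))) {
                return null; // pin the algorithm: rejects "none" and algorithm-confusion tokens
            }
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) {
                return null; // constant-time signature comparison failed
            }
            Map<String, Object> claims = JSON.readValue(b64.decode(parts[1]), MAP);
            Object exp = claims.get("exp");
            if (!(exp instanceof Number) || Instant.now().getEpochSecond() >= ((Number) exp).longValue()) {
                return null; // missing or past expiry
            }
            return claims.get("sub") instanceof String ? claims : null;
        } catch (Exception e) { // malformed base64 or JSON, unusable key
            return null;
        }
    }

    @SuppressWarnings("unchecked")
    private static UsernamePasswordAuthenticationToken toAuthentication(Map<String, Object> claims) {
        Object rolesClaim = claims.get("roles");
        List<String> roles = rolesClaim instanceof List ? (List<String>) rolesClaim : Collections.<String>emptyList();
        List<GrantedAuthority> authorities = roles.stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r)) // assumes bare role names in the token
                .collect(Collectors.toList());
        // No credentials: the valid signature is the proof, and the three-argument
        // constructor marks the token as authenticated
        return new UsernamePasswordAuthenticationToken(claims.get("sub"), null, authorities);
    }
}
```

Register it with `http.addFilterBefore(new JwtAuthenticationFilter(key), UsernamePasswordAuthenticationFilter.class)` and set the session policy to stateless, so the context is rebuilt from the token on every request instead of being saved in a session. The key must be a long random secret, not a password, and if the issuer sets "iss" or "aud" claims those should be checked too, otherwise a token minted for another resource server with the same key would be accepted here.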
