Reputation: 8229
I need to implement a PasswordEncoder that generates salted passwords. The salts are user-specific (UUIDs) and stored in the corresponding User objects.
As such, I need access to either the User directly or the UserDetails object that holds a reference. Very easy to retrieve IF I had the name of the user trying to log in.
And therein lies the issue. I cannot seem to get a hold of it.
As far as the SecurityContext is concerned, we are still dealing with an anonymousUser.
I know there should be a UsernamePasswordAuthenticationToken lying around, somewhere, but I cannot inject that as it's not a bean. And to define a wrapper bean holding it, I would need to figure out where to find it in the first place.
How do I get the name of the user trying to log in?
Would greatly appreciate the help. :)
(Sidenote: Please don't recommend me to "not do that" or to migrate the passwords and start using a BCryptPasswordEncoder or something along these lines. It's something we would very much like to do at some point in the future but for the time being are not allowed to.)
Upvotes: 0
Views: 73
Reputation: 35598
You won't be able to do this with a PasswordEncoder alone as the abstraction assumes that you can encode the password using only the plain text password (or compare using the hashed password). However, if you use a custom AuthenticationProvider (which is what calls the PasswordEncoder), you will have access to the incoming Authentication object including the username. More info here.
Upvotes: 2
Reputation: 159260
The call to PasswordEncoder.matches(...) is made by the additionalAuthenticationChecks(...) method of DaoAuthenticationProvider, which does have access to the username value (principal).
If you need access to that, you need to subclass DaoAuthenticationProvider and override (replace) the method, and make sure Spring uses your subclass when configuring.
Upvotes: 1
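The approach from both answers, as an added example that is not part of the original posts: a provider extending AbstractUserDetailsAuthenticationProvider (the base class of DaoAuthenticationProvider) that overrides additionalAuthenticationChecks(...), where the loaded user and its salt are available. SaltedUserDetails, getSalt() and legacyHash() are hypothetical names, and the SHA-256 over salt + password is only a placeholder for whatever legacy scheme the application already uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

// Hypothetical: the application's UserDetails type, exposing the per-user salt (UUID string).
interface SaltedUserDetails extends UserDetails { String getSalt(); }

public class SaltedAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private final UserDetailsService users;

    public SaltedAuthenticationProvider(UserDetailsService users) {
        this.users = users;
    }

    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken auth) {
        // The submitted username arrives here; no SecurityContext lookup is needed.
        return users.loadUserByUsername(username);
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails user, UsernamePasswordAuthenticationToken auth) {
        Object raw = auth.getCredentials();
        if (raw == null || user.getPassword() == null || !(user instanceof SaltedUserDetails)) {
            throw new BadCredentialsException("Bad credentials");
        }
        String salt = ((SaltedUserDetails) user).getSalt();
        byte[] actual = legacyHash(salt, raw.toString()).getBytes(StandardCharsets.UTF_8);
        byte[] expected = user.getPassword().getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the stored hash and the recomputed one.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new BadCredentialsException("Bad credentials");
        }
    }

    // Placeholder for the existing legacy scheme (assumed: hex SHA-256 of salt + password).
    private static String legacyHash(String salt, String raw) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest((salt + raw).getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new java.math.BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register an instance through HttpSecurity.authenticationProvider(...) or as an AuthenticationProvider bean so that Spring uses it for username/password logins.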