Reputation: 2493
I've got a question about Spring Security 3.0.5.
When using Spring Security to secure a web application, does a "UserDetails" object always exist? I mean, does every kind of application (even in other systems like LDAP or X.509 or CAS) using Spring Security also provide a "UserDetails" object?
Also, if yes, does every application then have a UserDetailsService?
Well, reading through the Spring Security documentation I don't think so, but I read that the core components always exist (SecurityContextHolder, SecurityContext, Authentication). If so, what sense does the Authentication object have, if it doesn't contain a UserDetails object?
Thank you!
Upvotes: 0
Views: 1237
Reputation: 24040
The short answer is No. Different types of authentication mechanisms can use different types of Authentications.
However, many of the mechanisms do use the UsernamePasswordAuthenticationToken which has a reference to a UserDetails object. For example: UsernamePasswordAuthenticationFilter+DaoAuthenticationProvider. Also UsernamePasswordFilter+LdapAuthenticationProvider.
But: only DaoAuthenticationProviders use a UserDetailsService.
In practice, if you are asking the user for a username/password using a web form you will probably end up using a UsernamePasswordAuthenticationToken and hence a UserDetails. But you will only use a UserDetailsService if you are using a DaoAuthenticationProvider.
Upvotes: 2
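Added example, not part of the answer above: since `Authentication.getPrincipal()` is declared to return `Object`, code that reads the current user should test for `UserDetails` rather than cast to it. The class `PrincipalInspector`, its methods, and the sample users and key are hypothetical and constructed for illustration; it needs the Spring Security core jar on the classpath.

```java
import java.util.List;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper, not a Spring Security class.
public class PrincipalInspector {

    /** Returns the principal as UserDetails, or null if there is none of that type. */
    static UserDetails userDetailsOrNull(Authentication auth) {
        if (auth == null) {
            return null; // SecurityContext holds no Authentication
        }
        Object principal = auth.getPrincipal();
        // Test the type: a blind cast throws ClassCastException for other principals.
        return (principal instanceof UserDetails) ? (UserDetails) principal : null;
    }

    /** Describes whatever Authentication is currently in the SecurityContextHolder. */
    static String describeCurrent() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        UserDetails details = userDetailsOrNull(auth);
        if (details != null) {
            return "UserDetails principal: " + details.getUsername();
        }
        return (auth == null) ? "no Authentication in context"
                : "non-UserDetails principal: " + String.valueOf(auth.getPrincipal());
    }

    public static void main(String[] args) {
        // Constructed sample data: a form-login style token and an anonymous token.
        List<GrantedAuthority> roles = AuthorityUtils.createAuthorityList("ROLE_USER");
        UserDetails alice = new User("alice", "n/a", true, true, true, true, roles);
        Authentication formLogin = new UsernamePasswordAuthenticationToken(alice, null, roles);
        Authentication anonymous = new AnonymousAuthenticationToken("constructed-key",
                "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        System.out.println(describeCurrent());          // empty context
        for (Authentication auth : new Authentication[] { formLogin, anonymous }) {
            SecurityContextHolder.getContext().setAuthentication(auth);
            System.out.println(describeCurrent());
        }
        SecurityContextHolder.clearContext();           // do not leak state to the thread
    }
}
```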