Introduce UserAuthorities #15406

Open
marcusdacoregio opened this issue Jul 12, 2024 · 1 comment
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement

Comments


marcusdacoregio commented Jul 12, 2024

UserAuthorities is a new core interface similar to UserDetails. The difference is that UserAuthorities does not include password/credentials information. This is helpful for scenarios where a password is not required. Right now UserDetails is leveraged for x509 and CAS, which don't require passwords, but passkeys and one-time tokens are yet another place where it is strange to have UserDetails linked to them.

Ideally, UserDetails should extend UserAuthorities and UserDetailsService should extend UserAuthoritiesRepository.

@marcusdacoregio marcusdacoregio added in: core An issue in spring-security-core type: enhancement A general enhancement labels Jul 12, 2024
@marcusdacoregio marcusdacoregio self-assigned this Jul 12, 2024
@marcusdacoregio marcusdacoregio added this to the 6.4.0-M2 milestone Jul 16, 2024
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Jul 16, 2024
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Jul 16, 2024
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue Jul 18, 2024
@marcusdacoregio
Contributor Author

There are a few places where UserDetails is leveraged but a password is not required:

  • CasAuthenticationProvider
  • PreAuthenticatedAuthenticationProvider
  • UserDetailsServiceLdapAuthoritiesPopulator
  • OneTimeTokenAuthenticationProvider (new)
  • PersistentTokenBasedRememberMeServices
  • SwitchUserFilter

However, it is not yet clear what the impacts of switching from UserDetails to UserAuthorities will be on those places and others. We should also consider whether the boolean properties in UserDetails should be moved to UserAuthorities.

Another alternative is to make it very explicit that the UserDetails#getPassword can be null.

With that said, I'll close #15432 for now because we need more time to figure that out.

@sjohnr sjohnr modified the milestones: 6.4.0-M2, 6.4.0-M3 Aug 19, 2024
@marcusdacoregio marcusdacoregio modified the milestones: 6.4.0-M3, 6.4.0-M4 Aug 22, 2024
@marcusdacoregio marcusdacoregio removed this from the 6.4.0-M4 milestone Sep 16, 2024
@marcusdacoregio marcusdacoregio removed their assignment Sep 17, 2024
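
A sketch of the hierarchy proposed in this issue, added here as an example and not code from the Spring Security project or the referenced commits. The interfaces are local stand-ins, and the method names on UserAuthorities and UserAuthoritiesRepository, the User record and OneTimeTokenAuthenticator are assumptions made for illustration.

```java
import java.util.*;

// Hypothetical sketch: every type below is a local stand-in, not a Spring Security type.
public class UserAuthoritiesSketch {
    // Proposed credential-free view of a user (method names are assumptions).
    interface UserAuthorities {
        String getUsername();
        Collection<String> getAuthorities();
    }
    // UserDetails adds the credential on top, as the issue proposes.
    interface UserDetails extends UserAuthorities { String getPassword(); }
    // Hypothetical lookup whose return type cannot expose a password hash.
    interface UserAuthoritiesRepository {
        UserAuthorities findAuthoritiesByUsername(String username);
    }
    // The password-aware service extends the narrow repository and bridges to it.
    interface UserDetailsService extends UserAuthoritiesRepository {
        UserDetails loadUserByUsername(String username);
        @Override default UserAuthorities findAuthoritiesByUsername(String username) {
            return loadUserByUsername(username);
        }
    }
    // Record components are named after the accessors so they satisfy the interfaces.
    record User(String getUsername, String getPassword, Collection<String> getAuthorities)
            implements UserDetails {}
    // Passwordless flow (one-time token): it depends only on the narrow repository,
    // so getPassword() is not reachable through the type it receives.
    static final class OneTimeTokenAuthenticator {
        private final UserAuthoritiesRepository users;
        private final Map<String, String> tokenToUsername; // constructed in-memory token store
        OneTimeTokenAuthenticator(UserAuthoritiesRepository users, Map<String, String> tokens) {
            this.users = users;
            this.tokenToUsername = new HashMap<>(tokens);
        }
        Optional<UserAuthorities> authenticate(String token) {
            String username = tokenToUsername.remove(token); // a token is single use
            return username == null ? Optional.empty()
                    : Optional.ofNullable(users.findAuthoritiesByUsername(username));
        }
    }
    public static void main(String[] args) {
        // Constructed sample user; the hash string is a placeholder, not a real hash.
        UserDetailsService service = name -> "alice".equals(name)
                ? new User("alice", "{bcrypt}constructed-hash", List.of("ROLE_USER")) : null;
        var ott = new OneTimeTokenAuthenticator(service, Map.of("constructed-token", "alice"));
        System.out.println(ott.authenticate("constructed-token").map(UserAuthorities::getAuthorities));
        System.out.println(ott.authenticate("constructed-token").isPresent()); // token already consumed
    }
}
```

The narrowing in this sketch is at the type level only: the object returned through the bridge method is still the full User, so a downcast would reach the hash. A repository written specifically for passwordless flows would return an object that never carries it.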