Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:


1. Overview

Spring Security offers different authentication systems, such as via a database and UserDetailService.

Instead of using a JPA persistence layer, we may also want to use, for example, a MongoDB repository. In this tutorial, we’ll see how to authenticate a user using Spring Security and MongoDB.

2. Spring Security Authentication with MongoDB

Similar to using a JPA repository, we can use a MongoDB repository. However, we need to set a different configuration in order to use it.

2.1. Maven Dependencies

For this tutorial, we’re going to use Embedded MongoDB. However, a MongoDB instance and Testcontainer could be valid options for a production environment. First, let’s add the spring-boot-starter-data-mongodb and de.flapdoodle.embed.mongo.spring30x dependencies:


2.2. Configuration

Once we set dependencies, we need configure our AuthenticationManager with, for example, an HTTP basic authentication:

@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {


    public SecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;

    public AuthenticationManager customAuthenticationManager(HttpSecurity http) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);

    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            .authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> authorizationManagerRequestMatcherRegistry.anyRequest().permitAll())
            .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));


2.3. User Domain and Repository

First, let’s define a simple user with roles for our authentication. We’ll have it implement the UserDetails interface to reuse commons methods of a Principal object:

public class User implements UserDetails {
    private @MongoId ObjectId id;
    private String username;
    private String password;
    private Set<UserRole> userRoles;
    // getters and setters

Now that we have our user, let’s define a simple repository:

public interface UserRepository extends MongoRepository<User, String> {

    User findUserByUsername(String username);

2.4. Authentication Service

Finally, let’s implement our UserDetailService in order to retrieve a user and check if it’s authenticated:

public class MongoAuthUserDetailService implements UserDetailsService {
    // ...
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {

        com.baeldung.mongoauth.domain.User user = userRepository.findUserByUsername(userName);

        Set<GrantedAuthority> grantedAuthorities = new HashSet<>();

          .forEach(role -> grantedAuthorities.add(new SimpleGrantedAuthority(role.getRole().getName())));

        return new User(user.getUsername(), user.getPassword(), grantedAuthorities);


2.5. Test Authentication

To test our application, let’s define a simple controller. As an example, we’ve defined two different roles to test authentication and authorization for specific endpoints:

public class ResourceController {

    public String admin() {
        return "Hello Admin!";

    @RolesAllowed({ "ROLE_ADMIN", "ROLE_USER" })
    public String user() {
        return "Hello User!";


Let’s wrap it all up in a Spring Boot Test to check if our authentication works. As we can see, we’re expecting a 401 code for someone providing invalid credentials or who doesn’t exist in our system:

class MongoAuthApplicationTest {

    // set up

    void givenUserCredentials_whenInvokeUserAuthorizedEndPoint_thenReturn200() throws Exception {
        mvc.perform(get("/user").with(httpBasic(USER_NAME, PASSWORD)))

    void givenUserNotExists_whenInvokeEndPoint_thenReturn401() throws Exception {
        mvc.perform(get("/user").with(httpBasic("not_existing_user", "password")))

    void givenUserExistsAndWrongPassword_whenInvokeEndPoint_thenReturn401() throws Exception {
        mvc.perform(get("/user").with(httpBasic(USER_NAME, "wrong_password")))

    void givenUserCredentials_whenInvokeAdminAuthorizedEndPoint_thenReturn403() throws Exception {
        mvc.perform(get("/admin").with(httpBasic(USER_NAME, PASSWORD)))

    void givenAdminCredentials_whenInvokeAdminAuthorizedEndPoint_thenReturn200() throws Exception {
        mvc.perform(get("/admin").with(httpBasic(ADMIN_NAME, PASSWORD)))

        mvc.perform(get("/user").with(httpBasic(ADMIN_NAME, PASSWORD)))

3. Conclusion

In this article, we looked at MongoDB for authentication with Spring Security.

We’ve seen how to create a working configuration and implement our custom UserDetailService. We have also seen how to mock an MVC context and test authentication and authorization.

As always, the code for these examples is available over on GitHub.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

Course – LSD (cat=Persistence)

Get started with Spring Data JPA through the reference Learn Spring Data JPA course:

res – Security (video) (cat=Security/Spring Security)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.