
1. Overview

In this quick tutorial, we'll discuss how to auto-authenticate users immediately after the registration process – in a Spring Security implementation.

Simply put, once the user finishes registering, they're typically redirected to the login page and have to now re-type their username and password.

Let's see how we can avoid that by auto-authenticating the user instead.

Before we get started, note that we're working within the scope of the registration series here on the site.

2. Using the HttpServletRequest

A very simple way to programmatically force an authentication is to leverage the HttpServletRequest login() method:

public void authWithHttpServletRequest(HttpServletRequest request, String username, String password) {
    try {
        // the container delegates this to Spring Security's AuthenticationManager
        request.login(username, password);
    } catch (ServletException e) {
        LOGGER.error("Error while login ", e);
    }
}

Note that, under the hood, the HttpServletRequest.login() API does use the AuthenticationManager to perform the authentication.

It's also important to understand and deal with the ServletException that might occur at this level.

3. Using the AuthenticationManager

Next, we can also directly create a UsernamePasswordAuthenticationToken – and then go through the standard AuthenticationManager manually:

public void authWithAuthManager(HttpServletRequest request, String username, String password) {
    UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(username, password);
    authToken.setDetails(new WebAuthenticationDetails(request));
    Authentication authentication = authenticationManager.authenticate(authToken);
    SecurityContextHolder.getContext().setAuthentication(authentication);
}

Notice how we're creating the token request, passing it through the standard authentication flow, and then explicitly setting the result in the current security context.

4. Complex Registration

In some more complex scenarios, the registration process has multiple stages, such as a confirmation step that the user has to complete before they can log into the system.

In cases like this, it's, of course, important to understand exactly where we can auto-authenticate the user. We cannot do that right after they register because, at that point, the newly created account is still disabled.

Simply put – we have to perform an automatic authentication after they confirm their account.

Also, keep in mind that, at that point – we no longer have access to their actual, raw credentials. We only have access to the encoded password of the user – and that's what we'll use here:

public void authWithoutPassword(User user) {
    List<Privilege> privileges = user.getRoles().stream().map(Role::getPrivileges)
        .flatMap(Collection::stream).distinct().collect(Collectors.toList());
    List<GrantedAuthority> authorities = privileges.stream()
        .map(p -> new SimpleGrantedAuthority(p.getName())).collect(Collectors.toList());

    // the three-argument constructor yields an already-authenticated token; no credentials are stored
    Authentication authentication = new UsernamePasswordAuthenticationToken(user, null, authorities);
    SecurityContextHolder.getContext().setAuthentication(authentication);
}

Note how we're setting the authentication authorities properly here, as would typically be done in the AuthenticationProvider.
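As an added example (not the article's own code), here is the confirmation-step variant carried through with the checks a production version needs: the enabled-state guard that the AuthenticationProvider would normally apply, session id rotation, and an explicit save of the security context. It assumes the article's User, Role and Privilege types (with User.isEnabled() reflecting the confirmation state), a Servlet 3.1+ container and Spring Security 6 (jakarta namespace), where the context is no longer persisted automatically.

```java
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

public class ConfirmationAutoLogin {

    // Assumed: the same repository the filter chain uses (HttpSession-backed by default).
    private final SecurityContextRepository securityContextRepository =
        new HttpSessionSecurityContextRepository();

    public void authAfterConfirmation(User user, HttpServletRequest request, HttpServletResponse response) {
        // Guard: the AuthenticationProvider normally rejects disabled/locked accounts; because we build an
        // already-authenticated token ourselves, that check has to happen here explicitly.
        if (!user.isEnabled()) {
            throw new DisabledException("Account not confirmed yet: refusing auto-login");
        }
        // Assumed: Role.getPrivileges() returns a Collection<Privilege>, as in the article's registration series.
        List<GrantedAuthority> authorities = user.getRoles().stream()
            .map(Role::getPrivileges)
            .flatMap(Collection::stream)
            .distinct()
            .map(p -> new SimpleGrantedAuthority(p.getName()))
            .collect(Collectors.toList());

        // Three-argument constructor marks the token authenticated; credentials are null so the encoded
        // password hash never sits in the security context or in the session.
        Authentication authentication = new UsernamePasswordAuthenticationToken(user, null, authorities);

        // Session fixation protection: rotate the session id before it becomes an authenticated session.
        request.changeSessionId();

        // Spring Security 6 does not persist the context automatically; save it explicitly so the
        // login survives beyond this request.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);
        securityContextRepository.saveContext(context, request, response);
    }
}
```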

5. Conclusion

We discussed different ways to auto-authenticate users after the registration process.

As always, the full source code is available over on GitHub.
