User authentication in Spring Security is the process of verifying the identity of a user to ensure that they are who they claim to be. Spring Security provides a flexible and extensible authentication framework that supports various authentication methods, such as username and password, token-based authentication, LDAP, and more. Below, I'll describe user authentication in Spring Security with an example using username and password authentication.

Step 1: Project Setup

To get started with Spring Security, you need to set up a Spring-based project and include the necessary dependencies. If you're using Spring Boot, you can add the "spring-boot-starter-security" dependency in your "pom.xml" or "build.gradle" file.

Step 2: Configuration

Configure Spring Security by creating a security configuration class that extends WebSecurityConfigurerAdapter. This class should override the configure method to define how authentication should work. Below is a basic example:

                
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }
                
            

In this configuration:

• We allow public access to URLs under "/public/**".
• Any other request requires authentication.
• We configure a custom login page at "/login".
• We permit all users to log out.

Step 3: User Details Service

You need to provide a user details service to load user information for authentication. This can be an in-memory user store, a database, LDAP, or any other data source. For this example, we'll use an in-memory user store:

                
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    public class UserConfig {

        @Bean
        public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
            return username -> {
                if ("user".equals(username)) {
                    return User
                            .withUsername("user")
                            .password(passwordEncoder.encode("password"))
                            .roles("USER")
                            .build();
                } else {
                    throw new UsernameNotFoundException("User not found.");
                }
            };
        }
    }
                
            

In this example, we define a custom UserDetailsService that returns a user with username "user" and an encoded password "password." The passwordEncoder is used to securely store and verify passwords.

Step 4: Login Page

Create a custom login page at "/login" (as specified in the security configuration). This page will provide a form for users to enter their username and password.

Step 5: Password Encoding

Passwords should be securely stored in the user store. In this example, we used the BCryptPasswordEncoder to securely hash and verify passwords.

With this setup, when a user accesses a protected resource and is not authenticated, they will be redirected to the "/login" page. After providing valid credentials (e.g., username: "user" and password: "password"), Spring Security will authenticate the user, and they will be able to access protected resources based on the authorization rules defined in the security configuration.

This example covers the basics of user authentication in Spring Security using a username and password. You can expand on this foundation by implementing more advanced authentication methods or integrating with an external user store like a database or LDAP.