Summary
When a user sets enableAuthorities=false manually in org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl, it should also load UserDetails with method UserDetails loadUserByUsername(String username)
Actual Behavior
It will always throw UsernameNotFoundException
Expected Behavior
It should also load UserDetails with method UserDetails loadUserByUsername(String username)
Configuration
Version
5.2.0.BUILD-SNAPSHOT
Sample
Comment From: clevertension
If the user sets enableAuthorities = false, the dbAuths will be empty intentionally, so we can still return the UserDetails as expected, so it should be:
if (this.enableAuthorities && dbAuths.size() == 0) {
...
}
Comment From: eleftherias
If you are setting enableAuthorities to false, then it is expected that you will be using group based authorities.
From the JdbcDaoImpl Javadoc:
Support for group-based authorities can be enabled by setting the enableGroups property to true (you may also then wish to set enableAuthorities to false to disable loading of authorities directly). With this approach, authorities are allocated to groups and a user's authorities are determined based on the groups they are a member of. The net result is the same (a UserDetails containing a set of GrantedAuthoritys is loaded), but the different persistence strategy may be more suitable for the administration of some applications.
In either case it is expected that the user's authorities are not empty, which is why a UsernameNotFoundException is thrown, since a user with no authorities is treated as not found.
I'm going to close this issue because this is intended behavior, but feel free to comment below if it's unclear.
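The group-based setup the Javadoc describes, as an added example that is not part of the original thread or the Spring Security code base: with enableAuthorities=false and enableGroups=true, a user whose group carries an authority loads normally, while a user in no group is rejected with UsernameNotFoundException. The user names, group name, passwords and the in-memory HSQL database are constructed for illustration; the table layout follows the default JdbcDaoImpl queries, and spring-jdbc, spring-security-core and hsqldb are assumed to be on the classpath.

```java
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

public class GroupAuthoritiesDemo {
    public static void main(String[] args) {
        // Constructed in-memory database holding the tables the default queries read.
        EmbeddedDatabase db = new EmbeddedDatabaseBuilder().setType(EmbeddedDatabaseType.HSQL).build();
        JdbcTemplate jdbc = new JdbcTemplate(db);
        jdbc.execute("create table users (username varchar(50) primary key, "
                + "password varchar(100) not null, enabled boolean not null)");
        jdbc.execute("create table groups (id bigint primary key, group_name varchar(50) not null)");
        jdbc.execute("create table group_authorities (group_id bigint not null, authority varchar(50) not null)");
        jdbc.execute("create table group_members (id bigint primary key, "
                + "username varchar(50) not null, group_id bigint not null)");

        // Constructed sample data: alice belongs to a group with an authority, bob belongs to no group.
        jdbc.update("insert into users values (?, ?, ?)", "alice", "{noop}constructed", true);
        jdbc.update("insert into users values (?, ?, ?)", "bob", "{noop}constructed", true);
        jdbc.update("insert into groups values (1, 'admins')");
        jdbc.update("insert into group_authorities values (1, 'ROLE_ADMIN')");
        jdbc.update("insert into group_members values (1, 'alice', 1)");

        JdbcDaoImpl dao = new JdbcDaoImpl();
        dao.setDataSource(db);
        dao.setEnableAuthorities(false); // do not read per-user authorities
        dao.setEnableGroups(true);       // resolve authorities through group membership
        dao.afterPropertiesSet();

        // alice resolves to a UserDetails carrying the authority granted to her group.
        System.out.println("alice authorities: " + dao.loadUserByUsername("alice").getAuthorities());

        // bob exists in the users table but ends up with no authorities, so the lookup is rejected.
        try {
            dao.loadUserByUsername("bob");
        } catch (UsernameNotFoundException e) {
            System.out.println("bob rejected: " + e.getMessage());
        }
        db.shutdown();
    }
}
```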