I am looking at an example from Wall's Spring Boot In Action, chapter 3. This is a simple Boot MVC project using Spring Security. The default security configuration is overridden by the following class:
This class defines a custom UserDetails implemneted by the Reader class.The Reader class looks like:
There is one controller, ReadingListController:
The SecurityConfig class obtains the Reader from the injected readerRepository which is a JpaRepository<Reader, String>. When you boot up the application and go to localhost:8080/ you are presented with the login page. When you log in, the ReadingListController.readersBooks(Reader reader, Model model) method is called. This is passed a Reader object populated via the username used in logging in. Spring is passing the Reader object, looked up in the database, to the controller. I'm wondering why this happens. I have seen Principal passed to a controller annotated with @AuthenticationPrincipal, and have seen controllers access the SecurityContext to retrieve the principal, but have not seen it done this way. My question is, is Spring passing in Reader because it implements UserDetails? if not, why is Spring passing in the correct Reader object?