
Thread: mapping user - service values with domain properties

  1. #1

    mapping user - service values with domain properties

    Hi. I am new to Spring Security. I am trying to implement Spring Security for restricting web page access to users carrying specific roles. I just want to set user service values like username and authorities with userDomain bean values, which is in session scope. The structure of the UserDomain bean is:


    Code:
    import java.util.List;

    public class UserDomain {

    	private String userName;
    	private List<RoleEntity> userRole;

    	// respective getters and setters...
    }
    RoleEntity has role as string variable.

    In application context.xml, it has been defined. Now in spring security.xml, how do I set user service values:

    Code:
    <authentication-manager>
    	  <authentication-provider>
    		<user-service>
    			<user name="username" password="123456" authorities="ROLE_USER" />
    		</user-service>
    	  </authentication-provider>
    	</authentication-manager>
    How do I map values? Also, I don't want to define userdomain in the spring-security file again. I want to use the bean id variable defined in the application-context.xml file only.

  2. #2
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    287

    You would need to define a custom authentication provider for this.

    You can extend a class like org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider for this and UserDomain can extend from org.springframework.security.core.userdetails.User
    Amila Domingo

  3. #3

    mapping user - service values with domain properties

    Quote: Originally posted by amiladomingo
    You would need to define a custom authentication provider for this.

    You can extend a class like org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider for this and UserDomain can extend from org.springframework.security.core.userdetails.User

    I am not able to understand one thing... why should UserDomain extend org.springframework.security.core.userdetails.User? Also, how will I add custom roles in a class extended from org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider?

  4. #4

    I meant something like this. Make this your authentication provider,

    Code:
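    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.userdetails.UserDetails;

    public class AuthenticationProvider extends AbstractUserDetailsAuthenticationProvider
    {
    	@Override
    	public UserDomain retrieveUser(String userName, UsernamePasswordAuthenticationToken authentication)
    			throws AuthenticationException
    	{
    		UserDomain user = new UserDomain();

    		String password = authentication.getCredentials().toString();

    		// Authenticate your user and populate the UserDomain
    		// (throw an AuthenticationException if authentication fails)

    		return user;
    	}

    	@Override
    	protected void additionalAuthenticationChecks(
    			UserDetails userDetails,
    			UsernamePasswordAuthenticationToken authentication) throws AuthenticationException
    	{
    		// Left empty: the user is authenticated in retrieveUser above
    	}
    }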
    Amila Domingo

  5. #5

    service values with domain properties

    Thnx for the reply. So in my custom manager, I will authenticate user, populate userDomain and list all authorities that the application carries. Now, what will be in spring-security.xml file. After mentioning my custom manager, do I need to do something else? These userDetails and userDetailsService classes are confusing me... will spring secure the application by just mentioning intercept-url?

  6. #6

    Quote: Now, what will be in spring-security.xml file
    Code:
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider
    			ref="authenticationProvider" />
    	</security:authentication-manager>
    
    	<bean id="authenticationProvider"
    		class="AuthenticationProvider">
    	</bean>
    Quote: After mentioning my custom manager, do I need to do something else?
    Make sure your RoleEntity implements GrantedAuthority and it should fill the authorities list in the User class. If you don't have any specific values inside the RoleEntity, other than the role string, you can use the GrantedAuthorityImpl provided by spring.

    Quote: will spring secure the application by just mentioning intercept-url?
    Normal configuration will work.
    Amila Domingo
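
Added example, not part of the thread and not any poster's code: one way to map the thread's UserDomain and RoleEntity onto Spring Security's User and GrantedAuthority types, with the password checked inside the provider. It assumes Spring Security 3.1 or later with the spring-security-crypto module on the classpath; the class name DomainAuthenticationProvider, the register method, the constructors and the in-memory maps are hypothetical stand-ins for the application's own user store.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

class RoleEntity implements GrantedAuthority {
    private final String role;                      // e.g. "ROLE_USER"
    RoleEntity(String role) { this.role = role; }
    @Override public String getAuthority() { return role; }
}
// The domain user hands its name, password hash and roles up to User.
class UserDomain extends User {
    UserDomain(String userName, String passwordHash, List<RoleEntity> userRole) {
        super(userName, passwordHash, userRole);
    }
}

public class DomainAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    // Hypothetical in-memory store; only password hashes are kept, never raw passwords.
    private final Map<String, String> hashes = new ConcurrentHashMap<>();
    private final Map<String, List<RoleEntity>> roles = new ConcurrentHashMap<>();
    public void register(String name, String rawPassword, List<RoleEntity> userRole) {
        hashes.put(name, encoder.encode(rawPassword));
        roles.put(name, userRole);
    }

    @Override
    protected UserDetails retrieveUser(String userName, UsernamePasswordAuthenticationToken authentication) {
        String hash = hashes.get(userName);
        if (hash == null) throw new UsernameNotFoundException("Unknown user");
        // Build a new object per login: the principal's password is erased after success.
        return new UserDomain(userName, hash, roles.get(userName));
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) {
        Object presented = authentication.getCredentials();
        if (presented == null || !encoder.matches(presented.toString(), userDetails.getPassword()))
            throw new BadCredentialsException("Bad credentials");
    }
}
```

The role strings returned by getAuthority() are what the authorities named in intercept-url rules are matched against, so they need to agree (for example "ROLE_USER").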

  7. #7

    Thank you very much for helping me. Actually I have come around two approaches. One is to define custom manager (http://static.springsource.org/sprin...-overview.html) and another one is to define custom provider (as you have mentioned). Which one would be better?

  8. #8

    I think the customization should happen at the provider level not manager.

    This is what the reference doc says (http://static.springsource.org/sprin...s-auth-manager)

    You can't use a custom AuthenticationManager if you are using either HTTP or method security through the namespace, but this should not be a problem as you have full control over the AuthenticationProviders that are used.
    Amila Domingo

  9. #9


    Thnx ... I got it
