User Registration using Spring 3.1, Spring Security and Hibernate

[Tommac]

Firstly I need to say that I am pretty new to Spring. I have been using it for about a month now and am sort of just getting the hang of it. However there seems like there is so much more I need to learn.

What I am trying to accomplish is a login / registration / security model for my website.

I have already went through tutorials and what I already have built and working is the base security for the site using:

Code:

    
       <beans:bean id="securityDataSource"
	class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<beans:property name="url" value="jdbc:mysql://
...
</beans:bean>

    <authentication-manager>
    <authentication-provider>
      <jdbc-user-service data-source-ref="securityDataSource"/>
    </authentication-provider>
  </authentication-manager>

and I using this I can secure all of the methods on my site.

I have tried to create a user registration form and I was able to do so however the user registration process does not link back to the securityDataSource.

Now I am able to figure out how to take the user data and save it into the user table. But I am not sure that is the best or rather the "spring" way to go about this.

Also I am not currently using hibernate but just the spring jdbc.

So the first question and I am sure that there will be different opinions on this. Should i stick with jdbc or move over to hibernate. I feel like i should be using hibernate for this.

Secondly is there any straight forward way to link my user registration in with the user tables needed for spring security or do I need to do all of that work myself?

From one of tutorials I got this bit of code which is currently working and being called correctly:

Code:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.ServletException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;
import org.springframework.web.servlet.mvc.SimpleFormController;

@SuppressWarnings("deprecation")
public class RegistrationFormController extends SimpleFormController {
	@Override
	protected ModelAndView onSubmit(Object command) throws ServletException {
		User user = (User) command;
		String name = user.getUsername();
		ModelAndView modelAndView = new ModelAndView(getSuccessView());
		modelAndView.addObject("user", user);
		return modelAndView;
	}
}

The user object has all of the data I need. I dont really like the @SuppressWarnings due to using depricated code and I would like to replace that with the right way to do things but this does currently work.

What would be the best way for me to get this linked to my User Table that links to Spring Security User table?

[barefoot]

It seems like maybe there are two separate questions here: 1) Should you be using hibernate at all and 2) How do you integrate your schema with spring security.

1) This is really an application choice, I wouldn't tie it to Spring. How big of an app will this be, how comfortable are you with hibernate, etc. If you've already chosen to use hibernate, yes you can certainly integrate it with Spring security (read on).

2) I would not "link" your user table to the Spring security user table. I would make them the same table. If you want to try this first with jdbc and then move to hibernate, you can. Here's how to use jdbc and customize the query to your liking to use your own table:

Code:

   <beans:bean id="myUserDetailsService"
                class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="dataSource"/>
        <beans:property name="usersByUsernameQuery" value="select username,password,enabled from user where username = ?"/>
        <beans:property name="authoritiesByUsernameQuery" value="select username,authority from authorities where username = ?"/>
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref='myUserDetailsService'>
            <password-encoder hash="sha-256"     />
        </authentication-provider>
    </authentication-manager>

JdbcDaoImpl only requires that the returned column names match what it expects. So you can select from a table name of your choosing, column names of your choosing as well, and just map them to the right names e.g. "select user_name as username, ..."

Also I noticed there was no encoder in the xml snippet you posted. That would suggest you were storing the passwords in plain text. The snippet above turns them into a 1-way hash instead.


If/when you want to move to hibernate, you can implement the UserDetailsService interface and return an implementation of UserDetails. Then use your bean in the config in place of "myUserDetailsService". Here's a snippet, where UserAccount and Authority are both hibernate-mapped objects:

Code:

     
       UserAccount user = <look up the user account>
       Set<GrantedAuthority> grantedAuthorities = new HashSet<GrantedAuthority>(user.getAuthorities().size());
        for (Authority authority : user.getAuthorities()) {
            grantedAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));
        }

        return new User(user.getUsername(), user.getPassword(), grantedAuthorities);