How to configure spring security 2.0 to use a custom UserDetailsService?

[hvuoltee]

I feel quite stupid for having to ask this, but I just wasn't getting anywhere with the docs and google...

How do I configure Spring Security to use my own UserDetailsService implementation? My UserDetailsService is defined in the normal Spring web app context config file (myappname-servlet.xml):

Code:

<bean id="userDetailsService" class="myappname.auth.UserDetailsServiceImpl">
  <property name="dao">
    <ref bean="testDao" />
  </property>
</bean>

I also have another config file, applicationContext-security-ns.xml. In this file I have a simple security setup:

Code:

<http auto-config="true">
  <intercept-url pattern="/secure/admin/**" 
    access="ROLE_ADMIN" />
  <intercept-url pattern="/secure/**"    
    access="IS_AUTHENTICATED_REMEMBERED" />
  <intercept-url pattern="/**"
    access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <form-login login-page="/home.html" />
</http>

<authentication-provider>
  <user-service>
    <user name="user" password="user"
      authorities="ROLE_ADMIN, ROLE_USER" />
  </user-service>
</authentication-provider>

The simple authentication-provider works ok, but trying to refer to my own userDetailsService doesn't work. This has got to be very simple, could someone please show me how to do it?

[Luke Taylor]

You'll find it in the namespace introduction in the reference guide:

http://static.springframework.org/sp...auth-providers

[hvuoltee]

Yeah, that's the document I was trying to read, just didn't get it.

I tried replacing the simple static authentication-provider element with a reference to a UserDetailsService bean:

Code:

<authentication-provider user-service-ref="myUserDetailsService"/>

I have the UserDetailsService bean in the appname-servlet.xml:

Code:

<bean id="myUserDetailsService" class="myapp.auth.UserDetailsServiceImpl">
</bean>

This results only in error "No UserDetailsService registered".


Are beans in the application context config (appname-servlet.xml) visible to security-ns.xml? I don't seem to get the relationship between the two config files... Could someone spell it out for me?

[Luke Taylor]

No, I think don't think beans in the web application context "-servlet.xml" file are visible in the rest of your main applicaion context. That's a basic Spring issue though. It isn't affected by namespaces.

[hvuoltee]

Ok... So how do I combine the two? My data access objects are in the main config file. It would seem strange to specify database connectivity stuff again in the security context.

[cablepuff]

In your web.xml configure a ContextLoaderListener.


http://static.springframework.org/sp...rListener.html

wire this in your web.xml.


<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:applicationContext*.xml</param-value>
</context-param>

[hvuoltee]

Thanks! I added both appname-servlet.xml and security-ns.xml to the contextConfigLocation and now I can use the data access beans in security xml.

After that I still had some problems getting a UserDetails object out of Authentication.getPrincipal(), it kept on returning the username as a String. But for some reason the problems just went away after some shuffling of the config files. I don't care for the reasoning anymore, just glad it works

[Luke Taylor]

Thanks! I added both appname-servlet.xml and security-ns.xml to the contextConfigLocation and now I can use the data access beans in security xml.

I don't think this is a good idea. The "appname-servlet.xml" file is used by the dispatcher servlet to set up the web mappings etc. It's not meant to be part of the main application context (business beans etc).

You would be better to move the non-web beans out of the "-servlet.xml" and put them in a separate context file (e.g. appContext-persistence.xml for your DAOs).