Custom implementation of Spring Security's UserDetailsService

[rumesh18]

Hi All,

I am a newbie to spring security. I tried few example on spring security and now I want to do the custom implementation of UserDetailsService to get username and password from custom tables. But, since I am new to spring security I couldn't catch the exact steps to follow to implement it. I read the reference manual but no luck. So if anyone can help me with the required steps to follow with small example, it would be great. the main problem is I don't have the clear idea about what methods should implement in service class and repository to do this job

Thanks in advance

Regards,
Rumesh

[nOiDStaRr]

Spring uses a default scheme for database authorization (see below), therefore you have to map your scheme...

For spring security try something like this (but modifiy the SQL statement concerning your needs):


Add e.g. to web.xml

Code:

<context-param>
    <param-name>contextConfigLocation</param-name>
      <param-value>
        /WEB-INF/applicationContext*.xml
    </param-value>
   </context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

applicationContext-security.xml

Code:

?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
   xmlns:beans="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans 
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
               
  <http auto-config="true" access-denied-page="/error403.html">
    <intercept-url pattern="/login.html*" filters="none"/>
    <form-login login-page='/login.html' authentication-failure-url="/login.html?login_error=1" default-target-url="/index.jsp" />
  </http>
    
  <authentication-provider user-service-ref="userService" />
  
  <jdbc-user-service id="userService" data-source-ref="securityDataSource"
    users-by-username-query="SELECT Login AS 'username', Password AS 'password', Enabled AS 'enabled' FROM User WHERE Login = ?" 
    authorities-by-username-query="SELECT u.Login as 'username', ua.Authority as 'authority' FROM Authority ua, User u WHERE ua.id = u.authority_id AND u.Login = ?"
  />
  
  <beans:bean id="securityDataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <beans:property name="driverClassName" value="${db.driverClass}" />
    <beans:property name="url" value="${db.jdbcUrl}" />
    <beans:property name="username" value="${db.user}" />
    <beans:property name="password" value="${db.password}" />
  </beans:bean>
</beans:beans>

maybe you also need to change the jdbc implementation concerning your database requirements.


The libs you need are:

Code:

spring-security-acl-2.0.3.jar
spring-security-core-2.0.3.jar
spring-security-core-tiger-2.0.3.jar
spring-security-taglibs-2.0.3.jar

Spring itself uses by default this scheme:

Code:

CREATE TABLE users (
   username VARCHAR(50) NOT NULL PRIMARY KEY,
   password VARCHAR(50) NOT NULL,
   enabled BIT NOT NULL
);

CREATE TABLE authorities (
   username VARCHAR(50) NOT NULL,
   authority VARCHAR(50) NOT NULL
);

you have to map your own implementation to it.

A different way might be, instead of using the userService, to create a view which matches the correct scheme.

:-)

[rumesh18]

Thank you very much nOiDStaRr. It works perfectly.

Thanks again.

regards,
Rumesh

[rumesh18]

Hi All,

I want to keep the username in session variable. Anyone know how to do it.
please help me to solve the problem

thanks in advance.

regards,
rumesh

[DavidZ]

The username is already stored in the session through the Spring UserDetails object. You only need to retrieve the value.

Using the spring security tag library, you could do this:

Code:

<%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %> 
<%-- be sure that your project's lib directory has spring-security-taglibs.jar --%>
<html>
<security:authentication property="principal.username" />
</html>

To retrieve it from the session through JSP you could use:

Code:

<%@ page import="org.springframework.security.context.SecurityContextHolder" %>
<%@ page import="org.springframework.security.Authentication" %>
<%
		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
		if (auth != null) %>
			Username: <%= (auth.getPrincipal()).getUsername() %>

[rumesh18]

Thanks DavidZ. that is exactly what I want.

Regards,
Rumesh

[anurudda_spring]

I was wondering whether it would be possible to save information like Full name, Country,etc with the username when the user logged in. How can we do it? Any help would be greatly appreciated. Thanks in advance.

[towers]

Hi my problem is that.
I need know the expiration date of user password and if the password is expired then te system redirect to a change password page but is nonExpired then the system goto the main page.

Im reading about the UserDetails Inteface and this have an unimplemeted methods : getAuthorities(). getPassword(), getUserName(),isAccountNonExpired(),isAccountNonLo cked(),isCredentialsNonExpired() and isEnabled()
I need call this class in the applicationContext-security.xml and use a isAccountNonExpired method to know if the password has been expired.

the password expiration date is definned in the database

thanks

[jpicadoba]

I need use Group Authorities with your example, do you hace any example with Group Authorities?

thank you