Fixed role by userDetailsService

**michel** · Jul 1st, 2009, 05:47 AM

Hello

i want to set a fixxed role by userDetailsService while i using a JdbcDaoImpl.
So i want to use the username and password i get from a table but i don't want to use the authorities option from JdbcDaoImpl.

is there some way i can realize this without reverence to a table but set it fixed to ROLE_CUSTOMER for example.

Code:

<b:bean id="authenticationDao2" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl" >
        <b:property name="dataSource"><b:ref bean="dataSource"/></b:property>
        <b:property name="usersByUsernameQuery">
            <b:value>select login, password, 1 from users where login = ?</b:value>
        </b:property>
        <!--  do something here to set a fixed authoritie -->
</b:bean>

<b:bean id="daoAuthenticationProvider2" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
	<b:property name="userDetailsService"><b:ref local="authenticationDao2"/></b:property>
	<custom-authentication-provider/>
</b:bean>

thx

**davymeers** · Jul 1st, 2009, 06:30 AM

hello,

You should extend the JdbcDaoImpl and override the AddCustomAuthorities method.

Regards,
Davy

**michel** · Jul 1st, 2009, 07:09 AM

mm i don't understand it
i know how to extend de JdbcDaoImpl. but how can i use addCustomAuthorities so he always use ROLE_CUSTOMER ?

something like this:

Code:

public class jdbcDaoImplExtended extends JdbcDaoImpl{

       protected void addCustomAuthorities(String username, List authorities) {
		ArrayList<String> aut = new ArrayList();
		aut.add("ROLE_CUSTOMER");
		super.addCustomAuthorities(username, aut);
	}
}

and what must i fill in by :

Code:

 <b:property name="authoritiesByUsernameQuery">
            <b:value>???</b:value>
        </b:property>

thx

**davymeers** · Jul 1st, 2009, 03:38 PM

hello,

i thought you want the authorities functionality ofJdbcDaoImpl, but also wanted every user to have a specific role "ROLE_CUSTOMER"

Then you extend the JdbcDaoImpl and override the method addCustomAuthorities, which is a hook method.

the implementation would be something like:

Code:

protected void addCustomAuthorities(String username, List authorities) {
authorities.add(new GrantedAuthorityImpl("ROLE_CUSTOMER"));
}

But now i understand that you want the users only to have always the role "ROLE_CUSTOMER".

To prevent the JdbcDaoImpl from loading the authorities you could set the "enableAuthorities" property to false.

But unfortunately, the initDao method asserts that either enableAuthorities is true, or enableGroups is true.

So in your implementation you should also override the initDao method: (i just removed the assertion)

Code:

   protected void initDao() throws ApplicationContextException {
        initMappingSqlQueries();
    }

this gives you:

Code:

public class jdbcDaoImplExtended extends JdbcDaoImpl{

protected void initDao() throws ApplicationContextException {
initMappingSqlQueries();
}
protected void addCustomAuthorities(String username, List authorities) {
authorities.add(new GrantedAuthorityImpl("ROLE_CUSTOMER"));
}
}

and then you add the following property to your configuration:

Code:

<b:property name="enableAuthorities">
            <b:value>false</b:value>
 </b:property>

Regards

**michel** · Jul 2nd, 2009, 02:34 AM

thx for your great helpand the examples.

i implements the code you give. but the function initMappingSqlQueries();
is not longer a protected function because he is not available in

org.springframework.security.userdetails.jdbc.Jdbc DaoImpl

without the override function initDao i get actually the error message:

Use of either authorities or groups must be enabled.

so you are right with that.

do you have a idea to bypass this check on a other way or a way how i can user the private function initMappingSqlQueries();

for the moment i make my own JdbcDaoImpl class. but i think there must be a smarter way.

thx again

p.s. Do you know the reason why they make initMappingSqlQueries private?

**davymeers** · Jul 2nd, 2009, 03:37 AM

mmm, i don't know.

But you could try a sort of sql trick:

in mssql i can do:

Code:

SELECT login AS username, 'ROLE_CUSTOMER' AS authority FROM users WHERE login = ?

So you could try the following definition:

Code:

<b:bean id="authenticationDao2" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl" >
        <b:property name="dataSource"><b:ref bean="dataSource"/></b:property>
        <b:property name="usersByUsernameQuery">
            <b:value>select login, password, 1 from users where login = ?</b:value>
        </b:property>
        <b:property name="authoritiesByUsernameQuery">
            <b:value>SELECT login AS username, 'ROLE_CUSTOMER' AS authority FROM users WHERE login = ?</b:value>
        </b:property>
</b:bean>

another option is to override the method loadUserAuthorities and return an empty list.

**michel** · Jul 2nd, 2009, 07:55 AM

mm that is also an idea.

but i hold it by my own solution. so i can set some more things in the xml

but thanks a lot for your quick response. you safeted my day

Thread: Fixed role by userDetailsService

Thread Tools

Display

Fixed role by userDetailsService

Tags for this Thread

Posting Permissions