Customized login using JDBC

[ledais0802]

Hi there,

i m pretty new to Spring Security, got some stupid questions.

with the in memory authentication, it works fine. i then tried JDBC, got a bit confused.

here's my applicationContext-security.xml snippet

Code:

    
    <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <beans:property name="url" value="jdbc:mysql://localhost:3306/transact"/>
        <beans:property name="username" value="usern"/>
        <beans:property name="password" value="pass"/>
    </beans:bean>
    
    <beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>
.....
.....
<authentication-provider>
            <jdbc-user-service data-source-ref="dataSource" 
                users-by-username-query="select username, password, 1 as enabled from transact_user where username=?"/>
        </authentication-provider>

when i tried to login, it always threw an exception like "transact.users doesn't exist".

My question is if Spring Security JDBC authentication can only look for 'Users' table? Is there a way that i can use my own table name like in the example 'transact_user"?

i did a bit of research on this, it's saying that the query can only return 3 fields, username, password, and enabled, how can i get more user information if it's needed like user firstname, lastname etc.

on the other hand, i've been using implementing iBatis in my project, can i use iBatis with Spring Security authentication? and how to do it?

Thanks in advance, any help would be greatly appreciated!!

[Marten Deinum]

The problem is your configuration is wrong, you configure 2 jdbc dao's one by the namespace the other explictly... Why.. Simple remove your explicitly configured one..

[ledais0802]

Hi Marten, thanks for your reply. could you please be more specific? which is the explicit one? i guess you are talking about the 'userDetailsService', i've tried removing this bean configuration, but still didn't work. it looks like by default Spring Security Authentication is looking for table 'users' and 'authorities', can i use my table names?

Is there any way that i can invoke a Java class(with iBatis) to login?

[ledais0802]

Hi,

I found that i can customize UserDetailsService to have my own login logic, but not sure if it's the right approach. Here's my configuration below:

applicationContext-security.xml

Code:

    
    <authentication-manager>
        <authentication-provider user-service-ref = "userDetailsService" />
    </authentication-manager>
    
    
    <beans:bean id = "userDetailsService" class = "com.test.security.authentication.MyUserService" />

MyUserService.java

Code:

public class MyUserService implements UserDetailsService{

	@Override
	public UserDetails loadUserByUsername(String username)
			throws UsernameNotFoundException, DataAccessException {
		
		try{
			TransactUserExample exa = new TransactUserExample();
			exa.createCriteria().andUsernameEqualTo(username);
			
/** get DAO from context, this is actually done via Spring-2.0 context.getBean("userDao")**/
			List<TransactUser> users = TransactInitServlet.getUserDAO().selectByExample(exa);
			
			if(users.size() == 1) {
				TransactUser u = users.get(0);
				GrantedAuthorityImpl auth = new GrantedAuthorityImpl(u.getRole());
				User user = new User(u.getUsername(), 
						u.getPassword(), true, true, true, true, getAuthorities(true));
			}
		} catch(Exception ex) {
			ex.printStackTrace();
		}
		return null;
	}
	
	private GrantedAuthority[] getAuthorities(boolean isAdmin) {
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
        authList.add(new GrantedAuthorityImpl("ROLE_USER"));
        if (isAdmin) {
            authList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
        }
        return authList.toArray(new GrantedAuthority[] {});
    }

}

is this the right way of doing it? i can login by implementing this with iBatis + MySQL + Spring-2.0, how can i get all user details, like firstname, lastname, email etc. once successfully logged in?

Thanks!

[Marten Deinum]

Simply let your user class implement UserDetails (you don't have to use the spring security User class). That way you have everything you need...

Also your implementation is wrong, you can never return null, in that case throw a UsernameNotFoundException (I suggest you read the javadocs of the UserDetailsService ).

[J2010]

ledais0802,

In your MyUserService implementation, you can custom SQL to select extra fields (firstname,lastname,title ...) you want besides username/password etc that spring login requests. You can do whatever you want with extra fields firstname ....

[ledais0802]

Thanks guys!

Marten, yes the way of returning a null value is really not a good idea, i'll change it to throw an exception. and implementing UserDetails to get extra info is really what i need i guess.

J2010, thanks for the hints, i was confused about it, but now feel much better