23

I tried searching in Google, but I could not find any good examples where a username and password are checked with a database for authentication purposes.

In further simple words, how can I create a simple login form using Spring and Hibernate where the credentials are checked with the database.

Update

Cam anyone come up with a simple example where I can see how the flow goes and how the input data is passed to hibernate?

skaffman
  • 398,947
  • 96
  • 818
  • 769
Thalaivar
  • 23,282
  • 5
  • 60
  • 71
  • Have a look at this stackoverflow question, it has an example in the accepted answer: http://stackoverflow.com/questions/2683308/spring-security-3-database-authentication-with-hibernate – Javi Jan 18 '11 at 12:49
  • Are you talking about Spring 3.0 and Spring Security 3 or Spring 2.5 and Spring Security 2? – Ralph Jan 21 '11 at 08:04
  • Well Spring 3.0 and Spring Security 3 – Thalaivar Jan 24 '11 at 07:25

4 Answers4

27

At first you should define this file WEB-INF/spring/serurity-context.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http auto-config="true" />

    <beans:bean id="myUserService" class="org.my.UserService" />
    <authentication-provider user-service-ref="myUserService" />

</beans:beans>

Now you should create org.my.UserService class and implement interface org.springframework.security.core.userdetails.UserDetailsService. This interface has one method:

UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, org.springframework.dao.DataAccessException

And in this method you can use Hibernate in order to load user by userName. If user does not exists - just throw UsernameNotFoundException, otherwise return new intialized UserDetails instance (there you can provide a lot of stuff like user roles, account expiration date, etc...).

Now comes web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <display-name>My Webapp</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/*-context.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

</web-app>

If you have any questions or something goes wrong, feel free to ask :)

PS: So with UserDetailsService you don't have to check password of whether user account is active, etc. You just provide spring-security information about user with provided userName and framework validates user itself. If you encode your passwords with MD5 for example, than you can use password-encoder like this:

<beans:bean id="myUserService" class="org.my.UserService" />
<authentication-provider user-service-ref="myUserService">
    <password-encoder hash="md5"/>
</authentication-provider>

Update

Now we will dive more deeper in UserService - my (simplified) real world example.

UserService class:

import org.my_company.my_app.domain.User

public class UserService implements UserDetailsService {
    private UserDao userDao;

    public void setUserDao(UserDao userDao) {
        this.userDao = userDao;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        // load user
        User user = userDao.getUser(username);

        if (user != null) {

            // convert roles
            List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
            for (Privilege p : user.getPrivileges()) {
                roles.add(new GrantedAuthorityImpl(p.getName()));
            }

            // initialize user
            SecurityUser securityUser = new SecurityUser(
                user.getUsername(),
                user.getLdapAuth() ? getLdapPassword(user.getUsername()) : user.getPassword(),
                user.getStatus() != User.Status.NOT_COMMITED, user.getStatus() != User.Status.BLOCKED, true, true,
                roles.toArray(new GrantedAuthority[0])
            );

            securityUser.setUser(user);

            return securityUser;
        } else {
            throw new UsernameNotFoundException("No user with username '" + username + "' found!");
        }
    }
}

Now SecurityUser:

import org.my_company.my_app.domain.User

public class SecurityUser extends org.springframework.security.core.userdetails.User {

    private User user;

    public User getUser() {
        return user;
    }

    public void setUser(User user) {
        this.user = user;
    }

    public SecurityUser(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, GrantedAuthority[] authorities) throws IllegalArgumentException {
        super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
    }
}

And finally UserDao:

import org.my_company.my_app.domain.User

public class UserDao extends HibernateDaoSupport {

    public User getUser(String username) {
        List users = getHibernateTemplate().find("from User where username = ?", username);
        return users == null || users.size() <= 0 ? null : (User) users.get(0);
    }
}

As you can see I used HibernateTemplate here.

tenshi
  • 26,268
  • 8
  • 76
  • 90
  • @Easy Angel, I know this is old, but I'm confused about the Entities when using Hibernate. In your example, does hibernate automatically detect the User and Role entities in the `org.springframework.security.core.userdetails` package and create the corresponding tables? – Ali Aug 15 '11 at 13:05
  • @Ali: I wonder, what makes you believe in such thing? In order to use these classes Hibernate needs at least know how to map them in DB (either via annotations or XML mappings). Then you need to tell Hibernate explicitly where to look for mappings/persistent classes. In my example I created my own `User` class, that is not related to `org.springframework.security.core.userdetails.User`. – tenshi Aug 15 '11 at 15:47
  • and that was `SecurityUser` which extended `User` right? Or was it an other Entity called `User`? Confusion is that in your `UserDao` your query is `from User ...` where as the only mention of the User object is the one in the spring security package. – Ali Aug 15 '11 at 19:44
  • @Ali: I added some imports to make it clear. So Hibernate knows only about `org.my_company.my_app.domain.User`. And this actually the reason why I used fully qualified name for `org.springframework.security.core.userdetails.User` in `SecurityUser` class (to avoid name conflict, but without this import it's hard to guess :). Hope this makes it clear now. – tenshi Aug 15 '11 at 20:09
  • Thanks, I'll try to implement this again later on tonight. I'm assuming your `User` implements `User Details`? And that you have something like a `Roles` Entity that implements `GrantedAuthorities`? – Ali Aug 15 '11 at 20:20
  • @Ali: Normally I create `User`, `Privilege`, `Group` and `Role` entity classes in my projects. These classes would be saved in DB and managed by Hibernate. Spring Security's model is much simpler, and I just adapt my model to the spring security's model. `SecurityUser` serves as integration point between these two models in this example. – tenshi Aug 15 '11 at 20:27
  • Can i use @PreAuthorize for methods by using this code? – Prasanna Kumar H A Feb 16 '16 at 08:47
5

The basic xml-configuration you can see in the post of "Easy Angle". The part he mentioned as "myUserService" is a bean that implements "UserDetailService" That one has basically just one method to implement which is the following

public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException

If you use Spring, then you'll probably have a Bean, that handles the access to your User-Table. That one you can just inject into that class to retrieve User details, like:

    @Override
    public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {

        UserTable user = userbean.getUserbyName(name);
        if (user == null) {
            throw new UsernameNotFoundException("User " + name + " not found!");
        }
        Collection<GrantedAuthority> auth = getAuthorities(user.getAuthorities());
        return new User(user.getName(), user.getPassword(), true, true, true, true, auth);
    }

Now in an authentication bean all you need is to inject this bean and ask it for the UserDetails. There you can use it to check if the credentials are correct and if so fill the SecurityContext with the needed information in order to be logged in.

    @Override
    public Boolean authenticate(String username, String password) {
        UserDetails userdetail = null;
        try {
            userdetail = myUserService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            return false;
        } catch (DataAccessException e) {
            return false;
        }
        if (!myUserService.encodePassword(password).equals(userdetail.getPassword())) {
            return false;
        }

        Authentication auth = new UsernamePasswordAuthenticationToken(userdetail.getUsername(), userdetail.getPassword(),
                userdetail.getAuthorities());
        SecurityContext sc = new SecurityContextImpl();

        ServletRequestAttributes attr = (ServletRequestAttributes)RequestContextHolder.currentRequestAttributes();
        attr.getRequest().getSession().setAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY, userdetail.getUsername());

        sc.setAuthentication(auth);
        SecurityContextHolder.setContext(sc);

        return true;
    }

Of course thats a simplified version of the real one. There are way more checks that you have to perform prior to say that the user is authenticated (SQLInjection for instance)

Hons
  • 3,804
  • 3
  • 32
  • 50
3

App-fuse will give you a full working example: http://appfuse.org/display/APF/AppFuse+QuickStart

Or if you have maven installed simply run:

mvn archetype:generate -B -DarchetypeGroupId=org.appfuse.archetypes -DarchetypeArtifactId=appfuse-light-spring-security-archetype -DarchetypeVersion=2.1.0-M2 -DgroupId=com.mycompany -DartifactId=myproject

This will generate an appfuse light project with spring mvc, spring security and hibernate.

Pablojim
  • 8,542
  • 8
  • 45
  • 69
1

If you're using a database that can be accessed with JDBC then you don't need to create a custom authentication-provider. The authentication-provider already allows you to query the database directly. It'll reduce the required code to 9 lines of XML instead of a multitude of classes.

I've answered this here with code samples: Spring Security 3 database authentication with Hibernate

Community
  • 1
  • 1
Alessandro Giannone
  • 885
  • 1
  • 10
  • 27