While users log into applications to access secure resources, the user's principle needs to be authenticated and authorized. The authentication provider helps in authenticating users in Spring Security. If a user is successfully authenticated by the authentication provider, then only the user will able to log into the web application, otherwise, the user will not be able to log into the application.
There are multiples of ways supported by Spring Security to authenticate users, such as a built-in provider with a built-in XML element, or authenticate user against a user repository (relational database or LDAP repository) storing user details. Spring Security also supports algorithms (MD5 and SHA) for password encryption.
If there are only few users for your application with infrequent modification in their details, then you can define user details in Spring Security's configuration file instead of extracting information from the persistence engine, so that their details are loaded into your application's memory, as shown here:
<authentication-manager> <authentication-provider> <user-service> <user name="admin" password="adminpassword" authorities="ROLE_ADMIN" /> <user name="ravisoni" password="mypassword" authorities="ROLE_USER" /> <user name="user" password="mypassword" disabled="true" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager>
The user's details can be defined in <user-service>
with multiple <user>
elements. For each user, a username, password, disabled status, and a set of granted authority can be specified, as shown in the previous code snippet. The disabled user indicates that the user cannot log into system anymore.
The user details can also be externalized by keeping them in the properties file (for instance, /WEB-INF/usersinfo.properties
):
<authentication-manager> <authentication-provider> <user-service properties="/WEB-INF/usersinfo.properties" /> </authentication-provider> </authentication-manager>
Next, we will see the specified properties file containing user details in the form of properties, where each property represents the user's details. In this property file, the key of the property represents the username, while the property value is divided into several parts separated by commas. The first part represents the password and the second part represents the user's enable status (this is optional with the default status is enabled), and the remaining parts represent authority granted to the user.
The /WEB-INF/usersinfo.properties
file is as follows:
admin=adminpassword,ROLE_ADMIN ravisoni=mypassword,ROLE_USER user=mypassword,disabled,ROLE_USER
If you have a huge list of users in your application and you frequently modify their details, you should consider storing the user details in a database for easy maintenance. Spring Security provides built-in support to query user details from the database.
In order to perform authentication against database, tables need to be created to store users and their roles details. Refer to http://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/reference/htmlsingle/#user-schema for more details on user schema.
The USER_AUTHENTICATION
table is used to authenticate the user and contains the following columns.
The script is as follows:
CREATE TABLE USER_AUTHENTICATION ( USERNAME VARCHAR(45) NOT NULL , PASSWORD VARCHAR(45) NOT NULL , ENABLED SMALLINT NOT NULL DEFAULT 1, PRIMARY KEY (USERNAME) );
The table structure is as follows:
Username |
Password |
Enabled |
---|---|---|
|
|
|
|
|
|
|
|
|
The USER_ AUTHORIZATION
table is used to authorize the user and contains the following columns.
The script is as follows:
CREATE TABLE USER_ AUTHORIZATION ( USERNAME VARCHAR(45) NOT NULL, AUTHORITY VARCHAR(45) NOT NULL, FOREIGN KEY (USERNAME) REFERENCES USERS );
The table is as follows:
Username |
Authority |
---|---|
|
|
|
|
|
|
Now, dataSource
has to be declared in the Spring configuration file to allow Spring Security to access these tables, which will help in creating a connection to the database, as shown here:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="org.apache.derby.jdbc.ClientDriver" /> <property name="url" value="jdbc:derby://localhost:1527/test;create=true" /> <property name="username" value="root" /> <property name="password" value="password" /> </bean>
Then, configure the authentication provider using the <jdbc-user-service>
element that queries this database. Specify the query statement to get the user's information and authority in the user-by-username-query
and authorities-by-username-query
attributes, as follows:
<authentication-manager> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" user-by-username-query= "select username, password, enabled from user_authentication where username=?" authorities-by-username-query= "select username, authority from user_authorization where username =? " /> </authentication-provider> </authentication-manager>
Spring Security supports some hashing algorithms, such as MD5
(Md5PasswordEncoder
), SHA
(ShaPasswordEncoder
), and BCrypt
(BCryptPasswordEncoder
) for password encryption.
To enable the password encoder, use the <password-encoder/>
element and set the hash attribute, as follows:
<authentication-manager> <authentication-provider> <password-encoder hash="md5" /> <jdbc-user-service data-source-ref="dataSource" . . . </authentication-provider> </authentication-manager>