Spring Security Implementing Custom UserDetails with Hibernate

Ioannis DadisAugust 13th, 2012Last Updated: October 22nd, 2012

4 680 8 minutes read

Most of the time, we will want to configure our own security access roles in web applications. This is easily achieved in Spring Security. In this article we will see the most simple way to do this.

First of all we will need the following tables in the database:

CREATE TABLE IF NOT EXISTS `mydb`.`security_role` (
 
`id` INT(11) NOT NULL AUTO_INCREMENT ,
 
`name` VARCHAR(50) NULL DEFAULT NULL ,
 
PRIMARY KEY (`id`) )
 
ENGINE = InnoDB
 
AUTO_INCREMENT = 4
 
DEFAULT CHARACTER SET = latin1;
 
CREATE TABLE IF NOT EXISTS `mydb`.`user` (
 
`id` INT(11) NOT NULL AUTO_INCREMENT ,
 
`first_name` VARCHAR(45) NULL DEFAULT NULL ,
 
`family_name` VARCHAR(45) NULL DEFAULT NULL ,
 
`dob` DATE NULL DEFAULT NULL ,
 
`password` VARCHAR(45) NOT NULL ,
 
`username` VARCHAR(45) NOT NULL ,
 
`confirm_password` VARCHAR(45) NOT NULL ,
 
`active` TINYINT(1) NOT NULL ,
 
PRIMARY KEY (`id`) ,
 
UNIQUE INDEX `username` (`username` ASC) )
 
ENGINE = InnoDB
 
AUTO_INCREMENT = 9
 
DEFAULT CHARACTER SET = latin1;
 
CREATE TABLE IF NOT EXISTS `mydb`.`user_security_role` (
 
`user_id` INT(11) NOT NULL ,
 
`security_role_id` INT(11) NOT NULL ,
 
PRIMARY KEY (`user_id`, `security_role_id`) ,
 
INDEX `security_role_id` (`security_role_id` ASC) ,
 
CONSTRAINT `user_security_role_ibfk_1`
 
FOREIGN KEY (`user_id` )
 
REFERENCES `mydb`.`user` (`id` ),
 
CONSTRAINT `user_security_role_ibfk_2`
 
FOREIGN KEY (`security_role_id` )
 
REFERENCES `mydb`.`security_role` (`id` ))
 
ENGINE = InnoDB
 
DEFAULT CHARACTER SET = latin1;

Obviously, the table user will hold users, table security_role will hold security roles and user_security_roles will hold the association. In order for the implementation to be as simple as possible, entries inside the security_role table should always start with “ROLE_”, otherwise we will need to encapsulate (this will NOT be covered in this article).

So we execute the following statements:

insert into security_role(name) values ('ROLE_admin');
 
insert into security_role(name) values ('ROLE_Kennel_Owner');
 
insert into security_role(name) values ('ROLE_User');
 
insert into user (first_name,family_name,password,username,confirm_password,active)
 
values ('ioannis','ntantis','123456','giannisapi','123456',1);
 
insert into user_security_role (user_id,security_role_id) values (1,1);

So after those commands we have the following:

Three different security roles

One user with username “giannisapi”

We have give the role “ROLE_admin” to user “giannisapi”

Now that everything is completed on the database side, we will move to the java side to see what needs to be done.

First we will create the necessary DTO (there are various tools that will automatically generate DTO’s from the database for you):

package org.intan.pedigree.form;
 
import java.io.Serializable;
 
import java.util.Collection;
 
import java.util.Date;
 
import java.util.Set;
 
import javax.persistence.Basic;
 
import javax.persistence.Column;
 
import javax.persistence.Entity;
 
import javax.persistence.GeneratedValue;
 
import javax.persistence.GenerationType;
 
import javax.persistence.Id;
 
import javax.persistence.JoinColumn;
 
import javax.persistence.JoinTable;
 
import javax.persistence.ManyToMany;
 
import javax.persistence.NamedQueries;
 
import javax.persistence.NamedQuery;
 
import javax.persistence.Table;
 
import javax.persistence.Temporal;
 
import javax.persistence.TemporalType;
 
/**
 
*
 
* @author intan
 
*/
 
@Entity
 
@Table(name = 'user', catalog = 'mydb', schema = '')
 
@NamedQueries({
 
@NamedQuery(name = 'UserEntity.findAll', query = 'SELECT u FROM UserEntity u'),
 
@NamedQuery(name = 'UserEntity.findById', query = 'SELECT u FROM UserEntity u WHERE u.id = :id'),
 
@NamedQuery(name = 'UserEntity.findByFirstName', query = 'SELECT u FROM UserEntity u WHERE u.firstName = :firstName'),
 
@NamedQuery(name = 'UserEntity.findByFamilyName', query = 'SELECT u FROM UserEntity u WHERE u.familyName = :familyName'),
 
@NamedQuery(name = 'UserEntity.findByDob', query = 'SELECT u FROM UserEntity u WHERE u.dob = :dob'),
 
@NamedQuery(name = 'UserEntity.findByPassword', query = 'SELECT u FROM UserEntity u WHERE u.password = :password'),
 
@NamedQuery(name = 'UserEntity.findByUsername', query = 'SELECT u FROM UserEntity u WHERE u.username = :username'),
 
@NamedQuery(name = 'UserEntity.findByConfirmPassword', query = 'SELECT u FROM UserEntity u WHERE u.confirmPassword = :confirmPassword'),
 
@NamedQuery(name = 'UserEntity.findByActive', query = 'SELECT u FROM UserEntity u WHERE u.active = :active')})
 
public class UserEntity implements Serializable {
 
private static final long serialVersionUID = 1L;
 
@Id
 
@GeneratedValue(strategy = GenerationType.IDENTITY)
 
@Basic(optional = false)
 
@Column(name = 'id')
 
private Integer id;
 
@Column(name = 'first_name')
 
private String firstName;
 
@Column(name = 'family_name')
 
private String familyName;
 
@Column(name = 'dob')
 
@Temporal(TemporalType.DATE)
 
private Date dob;
 
@Basic(optional = false)
 
@Column(name = 'password')
 
private String password;
 
@Basic(optional = false)
 
@Column(name = 'username')
 
private String username;
 
@Basic(optional = false)
 
@Column(name = 'confirm_password')
 
private String confirmPassword;
 
@Basic(optional = false)
 
@Column(name = 'active')
 
private boolean active;
 
@JoinTable(name = 'user_security_role', joinColumns = {
 
@JoinColumn(name = 'user_id', referencedColumnName = 'id')}, inverseJoinColumns = {
 
@JoinColumn(name = 'security_role_id', referencedColumnName = 'id')})
 
@ManyToMany
 
private Set securityRoleCollection;
 
public UserEntity() {
 
}
 
public UserEntity(Integer id) {
 
this.id = id;
 
}
 
public UserEntity(Integer id, String password, String username, String confirmPassword, boolean active) {
 
this.id = id;
 
this.password = password;
 
this.username = username;
 
this.confirmPassword = confirmPassword;
 
this.active = active;
 
}
 
public Integer getId() {
 
return id;
 
}
 
public void setId(Integer id) {
 
this.id = id;
 
}
 
public String getFirstName() {
 
return firstName;
 
}
 
public void setFirstName(String firstName) {
 
this.firstName = firstName;
 
}
 
public String getFamilyName() {
 
return familyName;
 
}
 
public void setFamilyName(String familyName) {
 
this.familyName = familyName;
 
}
 
public Date getDob() {
 
return dob;
 
}
 
public void setDob(Date dob) {
 
this.dob = dob;
 
}
 
public String getPassword() {
 
return password;
 
}
 
public void setPassword(String password) {
 
this.password = password;
 
}
 
public String getUsername() {
 
return username;
 
}
 
public void setUsername(String username) {
 
this.username = username;
 
}
 
public String getConfirmPassword() {
 
return confirmPassword;
 
}
 
public void setConfirmPassword(String confirmPassword) {
 
this.confirmPassword = confirmPassword;
 
}
 
public boolean getActive() {
 
return active;
 
}
 
public void setActive(boolean active) {
 
this.active = active;
 
}
 
public Set getSecurityRoleCollection() {
 
return securityRoleCollection;
 
}
 
public void setSecurityRoleCollection(Set securityRoleCollection) {
 
this.securityRoleCollection = securityRoleCollection;
 
}
 
@Override
 
public int hashCode() {
 
int hash = 0;
 
hash += (id != null ? id.hashCode() : 0);
 
return hash;
 
}
 
@Override
 
public boolean equals(Object object) {
 
// TODO: Warning - this method won't work in the case the id fields are not set
 
if (!(object instanceof UserEntity)) {
 
return false;
 
}
 
UserEntity other = (UserEntity) object;
 
if ((this.id == null && other.id != null) || (this.id != null && !this.id.equals(other.id))) {
 
return false;
 
}
 
return true;
 
}
 
@Override
 
public String toString() {
 
return 'org.intan.pedigree.form.User[id=' + id + ']';
 
}
 
}

package org.intan.pedigree.form;
 
import java.io.Serializable;
 
import java.util.Collection;
 
import javax.persistence.Basic;
 
import javax.persistence.Column;
 
import javax.persistence.Entity;
 
import javax.persistence.GeneratedValue;
 
import javax.persistence.GenerationType;
 
import javax.persistence.Id;
 
import javax.persistence.ManyToMany;
 
import javax.persistence.NamedQueries;
 
import javax.persistence.NamedQuery;
 
import javax.persistence.Table;
 
/**
 
*
 
* @author intan
 
*/
 
@Entity
 
@Table(name = 'security_role', catalog = 'mydb', schema = '')
 
@NamedQueries({
 
@NamedQuery(name = 'SecurityRoleEntity.findAll', query = 'SELECT s FROM SecurityRoleEntity s'),
 
@NamedQuery(name = 'SecurityRoleEntity.findById', query = 'SELECT s FROM SecurityRoleEntity s WHERE s.id = :id'),
 
@NamedQuery(name = 'SecurityRoleEntity.findByName', query = 'SELECT s FROM SecurityRoleEntity s WHERE s.name = :name')})
 
public class SecurityRoleEntity implements Serializable {
 
private static final long serialVersionUID = 1L;
 
@Id
 
@GeneratedValue(strategy = GenerationType.IDENTITY)
 
@Basic(optional = false)
 
@Column(name = 'id')
 
private Integer id;
 
@Column(name = 'name')
 
private String name;
 
@ManyToMany(mappedBy = 'securityRoleCollection')
 
private Collection userCollection;
 
public SecurityRoleEntity() {
 
}
 
public SecurityRoleEntity(Integer id) {
 
this.id = id;
 
}
 
public Integer getId() {
 
return id;
 
}
 
public void setId(Integer id) {
 
this.id = id;
 
}
 
public String getName() {
 
return name;
 
}
 
public void setName(String name) {
 
this.name = name;
 
}
 
public Collection getUserCollection() {
 
return userCollection;
 
}
 
public void setUserCollection(Collection userCollection) {
 
this.userCollection = userCollection;
 
}
 
@Override
 
public int hashCode() {
 
int hash = 0;
 
hash += (id != null ? id.hashCode() : 0);
 
return hash;
 
}
 
@Override
 
public boolean equals(Object object) {
 
// TODO: Warning - this method won't work in the case the id fields are not set
 
if (!(object instanceof SecurityRoleEntity)) {
 
return false;
 
}
 
SecurityRoleEntity other = (SecurityRoleEntity) object;
 
if ((this.id == null && other.id != null) || (this.id != null && !this.id.equals(other.id))) {
 
return false;
 
}
 
return true;
 
}
 
@Override
 
public String toString() {
 
return 'org.intan.pedigree.form.SecurityRole[id=' + id + ']';
 
}
 
}

Now that we have out DTO lets created the necessary DAO classes:

package org.intan.pedigree.dao;
 
import java.util.List;
 
import java.util.Set;
 
import org.hibernate.SessionFactory;
 
import org.intan.pedigree.form.SecurityRoleEntity;
 
import org.intan.pedigree.form.UserEntity;
 
import org.springframework.beans.factory.annotation.Autowired;
 
import org.springframework.stereotype.Repository;
 
@Repository
 
public class UserEntityDAOImpl implements UserEntityDAO{
 
@Autowired
 
private SessionFactory sessionFactory;
 
public void addUser(UserEntity user) {
 
try {
 
sessionFactory.getCurrentSession().save(user);
 
} catch (Exception e) {
 
System.out.println(e);
 
}
 
}
 
public UserEntity findByName(String username) {
 
UserEntity user = (UserEntity) sessionFactory.getCurrentSession().createQuery(
 
'select u from UserEntity u where u.username = '' + username + ''').uniqueResult();
 
return user;
 
}
 
public UserEntity getUserByID(Integer id) {
 
UserEntity user = (UserEntity) sessionFactory.getCurrentSession().createQuery(
 
'select u from UserEntity u where id = '' + id + ''').uniqueResult();
 
return user;
 
}
 
public String activateUser(Integer id) {
 
String hql = 'update UserEntityset active = :active where id = :id';
 
org.hibernate.Query query = sessionFactory.getCurrentSession().createQuery(hql);
 
query.setString('active','Y');
 
query.setInteger('id',id);
 
int rowCount = query.executeUpdate();
 
System.out.println('Rows affected: ' + rowCount);
 
return '';
 
}
 
public String disableUser(Integer id) {
 
String hql = 'update UserEntity set active = :active where id = :id';
 
org.hibernate.Query query = sessionFactory.getCurrentSession().createQuery(hql);
 
query.setInteger('active',0);
 
query.setInteger('id',id);
 
int rowCount = query.executeUpdate();
 
System.out.println('Rows affected: ' + rowCount);
 
return '';
 
}
 
public void updateUser(UserEntity user) {
 
try {
 
sessionFactory.getCurrentSession().update(user);
 
} catch (Exception e) {
 
System.out.println(e);
 
}
 
}
 
public List listUser() {
 
return sessionFactory.getCurrentSession().createQuery('from UserEntity')
 
.list();
 
}
 
public void removeUser(Integer id) {
 
UserEntity user = (UserEntity) sessionFactory.getCurrentSession().load(
 
UserEntity.class, id);
 
if (null != user) {
 
sessionFactory.getCurrentSession().delete(user);
 
}
 
}
 
public Set getSecurityRolesForUsername(String username) {
 
UserEntity user = (UserEntity) sessionFactory.getCurrentSession().createQuery(
 
'select u from UserEntity u where u.username = '' + username + ''').uniqueResult();
 
if (user!= null) {
 
Set roles = (Set) user.getSecurityRoleCollection();
 
if (roles != null && roles.size() > 0) {
 
return roles;
 
}
 
}
 
return null;
 
}
 
}

package org.intan.pedigree.dao;
 
import java.util.List;
 
import org.hibernate.Criteria;
 
import org.hibernate.SessionFactory;
 
import org.hibernate.criterion.Restrictions;
 
import org.intan.pedigree.form.Country;
 
import org.intan.pedigree.form.Kennel;
 
import org.intan.pedigree.form.SecurityRoleEntity;
 
import org.springframework.beans.factory.annotation.Autowired;
 
import org.springframework.stereotype.Repository;
 
@Repository
 
public class SecurityRoleEntityDAOImpl implements SecurityRoleEntityDAO{
 
@Autowired
 
private SessionFactory sessionFactory;
 
public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {
 
try {
 
sessionFactory.getCurrentSession().save(securityRoleEntity);
 
} catch (Exception e) {
 
System.out.println(e);
 
}
 
}
 
public List listSecurityRoleEntity() {
 
Criteria criteria = sessionFactory.getCurrentSession().createCriteria(SecurityRoleEntity.class);
 
criteria.add(Restrictions.ne('name','ROLE_ADMIN' ));
 
return criteria.list();
 
}
 
public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {
 
Criteria criteria = sessionFactory.getCurrentSession().createCriteria(SecurityRoleEntity.class);
 
criteria.add(Restrictions.eq('id',id));
 
return (SecurityRoleEntity) criteria.uniqueResult();
 
}
 
public void removeSecurityRoleEntity(Integer id) {
 
SecurityRoleEntity securityRoleEntity = (SecurityRoleEntity) sessionFactory.getCurrentSession().load(
 
SecurityRoleEntity.class, id);
 
if (null != securityRoleEntity) {
 
sessionFactory.getCurrentSession().delete(securityRoleEntity);
 
}
 
}
 
}

Now we will create the service layer for the above DAO’s.

package org.intan.pedigree.service;
 
import java.util.List;
 
import org.intan.pedigree.dao.SecurityRoleEntityDAO;
 
import org.intan.pedigree.form.SecurityRoleEntity;
 
import org.springframework.beans.factory.annotation.Autowired;
 
import org.springframework.stereotype.Service;
 
import org.springframework.transaction.annotation.Transactional;
 
@Service
 
public class SecurityRoleEntityServiceImpl implements SecurityRoleEntityService{
 
@Autowired
 
private SecurityRoleEntityDAO securityRoleEntityDAO;
 
@Transactional
 
public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {
 
securityRoleEntityDAO.addSecurityRoleEntity(securityRoleEntity);
 
}
 
@Transactional
 
public List listSecurityRoleEntity() {
 
return securityRoleEntityDAO.listSecurityRoleEntity();
 
}
 
@Transactional
 
public void removeSecurityRoleEntity(Integer id) {
 
securityRoleEntityDAO.removeSecurityRoleEntity(id);
 
}
 
@Transactional
 
public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {
 
return securityRoleEntityDAO.getSecurityRoleEntityById( id);
 
}
 
}

In the Service layer of UserDetails below, pay attention that it implements UserDetailsService from org.springframework.security.core.userdetails.UserDetailsService.

package org.intan.pedigree.service;
 
import org.intan.pedigree.dao.UserEntityDAO;
 
import org.intan.pedigree.dao.UserEntityDAO;
 
import org.intan.pedigree.form.UserEntity;
 
import org.springframework.beans.factory.annotation.Autowired;
 
import org.springframework.dao.DataAccessException;
 
import org.springframework.stereotype.Service;
 
import org.springframework.transaction.annotation.Transactional;
 
import org.springframework.security.core.userdetails.User;
 
import org.springframework.security.core.userdetails.UserDetails;
 
import org.springframework.security.core.userdetails.UserDetailsService;
 
import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
@Service('userDetailsService')
 
public class UserDetailsServiceImpl implements UserDetailsService {
 
@Autowired
 
private UserEntityDAO dao;
 
@Autowired
 
private Assembler assembler;
 
@Transactional(readOnly = true)
 
public UserDetails loadUserByUsername(String username)
 
throws UsernameNotFoundException, DataAccessException {
 
UserDetails userDetails = null;
 
UserEntity userEntity = dao.findByName(username);
 
if (userEntity == null)
 
throw new UsernameNotFoundException('user not found');
 
return assembler.buildUserFromUserEntity(userEntity);
 
}
 
}

You also see above, that the loadUserByUsername methods return the result of the assembler.buildUserFromUserEntity . Simply put, what this method of the assembler does is to to construct a org.springframework.security.core.userdetails.User object from the given UserEntity DTO. The code of the Assembler class is given below:

package org.intan.pedigree.service;
 
import java.util.ArrayList;
 
import java.util.Collection;
 
import org.intan.pedigree.form.SecurityRoleEntity;
 
import org.intan.pedigree.form.UserEntity;
 
import org.springframework.security.core.GrantedAuthority;
 
import org.springframework.security.core.authority.GrantedAuthorityImpl;
 
import org.springframework.security.core.userdetails.User;
 
import org.springframework.stereotype.Service;
 
import org.springframework.transaction.annotation.Transactional;
 
@Service('assembler')
 
public class Assembler {
 
@Transactional(readOnly = true)
 
User buildUserFromUserEntity(UserEntity userEntity) {
 
String username = userEntity.getUsername();
 
String password = userEntity.getPassword();
 
boolean enabled = userEntity.getActive();
 
boolean accountNonExpired = userEntity.getActive();
 
boolean credentialsNonExpired = userEntity.getActive();
 
boolean accountNonLocked = userEntity.getActive();
 
Collection authorities = new ArrayList();
 
for (SecurityRoleEntity role : userEntity.getSecurityRoleCollection()) {
 
authorities.add(new GrantedAuthorityImpl(role.getName()));
 
}
 
User user = new User(username, password, enabled,
 
accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
 
return user;
 
}
 
}

The only thing that remain to be done now is to define what is necessary in the applicationContext-Security.xml. For this create a new xml file called “applicationContext-Security.xml” with the following contents:

<?xml version='1.0' encoding='UTF-8'?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
 xmlns:beans='http://www.springframework.org/schema/beans'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:context='http://www.springframework.org/schema/context'
 xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd'>
  
  
  
  
 <beans:bean id='userDetailsService' class='org.intan.pedigree.service.UserDetailsServiceImpl'></beans:bean>
 <context:component-scan base-package='org.intan.pedigree' />
  
 <http auto-config='true'>
  <intercept-url pattern='/admin/**' access='ROLE_ADMIN' />
  <intercept-url pattern='/user/**' access='ROLE_REGISTERED_USER' />
  <intercept-url pattern='/kennel/**' access='ROLE_KENNEL_OWNER' />
  <!-- <security:intercept-url pattern='/login.jsp' access='IS_AUTHENTICATED_ANONYMOUSLY' />  -->
 </http>
 
  <beans:bean id='daoAuthenticationProvider'
  class='org.springframework.security.authentication.dao.DaoAuthenticationProvider'>
  <beans:property name='userDetailsService' ref='userDetailsService' />
 </beans:bean>
 
 <beans:bean id='authenticationManager'
  class='org.springframework.security.authentication.ProviderManager'>
  <beans:property name='providers'>
   <beans:list>
    <beans:ref local='daoAuthenticationProvider' />
   </beans:list>
  </beans:property>
 </beans:bean>
 
 <authentication-manager>
  <authentication-provider user-service-ref='userDetailsService'>
   <password-encoder hash='plaintext' />
  </authentication-provider>
 </authentication-manager>
 
 
</beans:beans>

In your web.xml put the following code in order to load the applicationContext-security.xml file.

<context-param>
 <param-name>contextConfigLocation</param-name>
 <param-value>/WEB-INF/applicationContext-hibernate.xml
     /WEB-INF/applicationContext-security.xml
 </param-value>
</context-param>

Last of all, excuse any typing mistakes etc, as this code is just copy and paste from personal work that I have done, if something does not work please post the question and I will be more than happy to assist you.

Reference: Spring 3, Spring Security Implementing Custom UserDetails with Hibernate from our JCG partner Ioannis Dadis at the Giannisapi blog.