Spring Security Implementing Custom UserDetails with Hibernate
First of all we will need the following tables in the database:
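-- Schema for the custom-UserDetails example (MySQL / InnoDB).
--   security_role      : one row per Spring Security authority
--   user               : one row per account
--   user_security_role : many-to-many link between the two
--
-- The AUTO_INCREMENT = 4 / = 9 counters that the original dump carried on the first two
-- tables are dropped: they made a fresh install number the first role 4 and the first
-- user 9, so the seed statement "insert into user_security_role ... values (1,1)" could
-- not resolve against the foreign keys.

CREATE TABLE IF NOT EXISTS `mydb`.`security_role` (
    `id`   INT(11)     NOT NULL AUTO_INCREMENT,
    -- Spring Security compares this value as an exact, case-sensitive string against the
    -- access attributes of the intercept-url rules, so it must be spelled exactly as in
    -- the security XML (e.g. ROLE_ADMIN) and, for the default RoleVoter, start with ROLE_.
    `name` VARCHAR(50) NULL DEFAULT NULL,
    PRIMARY KEY (`id`)
) ENGINE = InnoDB DEFAULT CHARACTER SET = latin1;

CREATE TABLE IF NOT EXISTS `mydb`.`user` (
    `id`               INT(11)      NOT NULL AUTO_INCREMENT,
    `first_name`       VARCHAR(45)  NULL DEFAULT NULL,
    `family_name`      VARCHAR(45)  NULL DEFAULT NULL,
    `dob`              DATE         NULL DEFAULT NULL,
    -- Widened from VARCHAR(45): a salted SHA-256 hex digest is 64 characters and a bcrypt
    -- hash 60, so 45 cannot hold a hashed password. The example's plaintext encoder fits
    -- either way; the wider column is what you need the moment you stop storing clear text.
    `password`         VARCHAR(255) NOT NULL,
    `username`         VARCHAR(45)  NOT NULL,
    -- SECURITY: this is a second, clear-text copy of the password (the seed insert stores
    -- the same value in both columns). A "confirm password" field belongs on the
    -- registration form, not in the table; it is kept here only because the UserEntity
    -- mapping on this page declares it NOT NULL.
    `confirm_password` VARCHAR(45)  NOT NULL,
    -- 1 = account enabled; mapped to UserDetails.isEnabled() by the Assembler.
    `active`           TINYINT(1)   NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE INDEX `username` (`username` ASC)
) ENGINE = InnoDB DEFAULT CHARACTER SET = latin1;

CREATE TABLE IF NOT EXISTS `mydb`.`user_security_role` (
    `user_id`          INT(11) NOT NULL,
    `security_role_id` INT(11) NOT NULL,
    PRIMARY KEY (`user_id`, `security_role_id`),
    INDEX `security_role_id` (`security_role_id` ASC),
    CONSTRAINT `user_security_role_ibfk_1`
        FOREIGN KEY (`user_id`)          REFERENCES `mydb`.`user` (`id`),
    CONSTRAINT `user_security_role_ibfk_2`
        FOREIGN KEY (`security_role_id`) REFERENCES `mydb`.`security_role` (`id`)
) ENGINE = InnoDB DEFAULT CHARACTER SET = latin1;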
Obviously, the table user will hold users, table security_role will hold security roles and user_security_role will hold the association. To keep the implementation as simple as possible, the names stored in security_role must start with “ROLE_” (the prefix Spring Security's default RoleVoter expects) and must match the access attributes in the security XML exactly — the comparison is case-sensitive, so “ROLE_admin” does not satisfy “ROLE_ADMIN”. Otherwise the prefix would have to be added in code when the GrantedAuthority is built (this will NOT be covered in this article).
So we execute the following statements:
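-- Seed data: three roles and one administrator account.
-- Role names are spelled exactly as the access attributes in applicationContext-security.xml
-- (ROLE_ADMIN, ROLE_REGISTERED_USER, ROLE_KENNEL_OWNER) and as the exclusion in
-- SecurityRoleEntityDAOImpl ('ROLE_ADMIN'): Spring Security compares them case-sensitively,
-- so a row named ROLE_admin would never satisfy access='ROLE_ADMIN'.
INSERT INTO security_role (name) VALUES ('ROLE_ADMIN');
INSERT INTO security_role (name) VALUES ('ROLE_KENNEL_OWNER');
INSERT INTO security_role (name) VALUES ('ROLE_REGISTERED_USER');

-- SECURITY: the password is stored in clear text because the example configures
-- <password-encoder hash="plaintext"/>, which compares the column value as-is.
-- With a real encoder this value must be the encoded hash, never the raw password.
INSERT INTO user (first_name, family_name, password, username, confirm_password, active)
VALUES ('ioannis', 'ntantis', '123456', 'giannisapi', '123456', 1);

-- Link the user to the admin role by looking both ids up instead of hard-coding (1, 1):
-- the original table definitions carried AUTO_INCREMENT counters (4 and 9), so the rows
-- inserted above need not have id 1, and a wrong guess either violates the foreign key
-- or silently grants a different role.
INSERT INTO user_security_role (user_id, security_role_id)
SELECT u.id, r.id
FROM user AS u
CROSS JOIN security_role AS r
WHERE u.username = 'giannisapi'
  AND r.name = 'ROLE_ADMIN';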
So after those commands we have the following:
Three different security roles
One user with username “giannisapi”
We have given the admin role to user “giannisapi”. Remember that the role name stored in security_role is compared case-sensitively against the access attributes of the security XML below (which use ROLE_ADMIN), so the two spellings must be identical.
Now that everything is completed on the database side, we will move to the java side to see what needs to be done.
First we will create the necessary entity classes (the article calls them DTOs; there are various tools that will generate them from the database schema for you):
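package org.intan.pedigree.form;

import java.io.Serializable;
import java.util.Collection;
import java.util.Date;
import java.util.Set;
import javax.persistence.Basic;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.TemporalType;

/**
 * JPA entity mapped to {@code mydb.user}: one row per account, plus the many-to-many
 * link to {@link SecurityRoleEntity} through {@code user_security_role}.
 * <p>
 * This class only carries persisted state; the Assembler turns it into a Spring Security
 * {@code User}. The role collection is a plain {@code @ManyToMany} (lazy by default), so
 * it must be read while the Hibernate session is still open.
 * <p>
 * Changes from the generated version: the collections are typed
 * ({@code Set<SecurityRoleEntity>} instead of raw {@code Set}) so callers can iterate
 * them without casts.
 *
 * @author intan
 */
@Entity
@Table(name = "user", catalog = "mydb", schema = "")
@NamedQueries({
    @NamedQuery(name = "UserEntity.findAll", query = "SELECT u FROM UserEntity u"),
    @NamedQuery(name = "UserEntity.findById", query = "SELECT u FROM UserEntity u WHERE u.id = :id"),
    @NamedQuery(name = "UserEntity.findByFirstName", query = "SELECT u FROM UserEntity u WHERE u.firstName = :firstName"),
    @NamedQuery(name = "UserEntity.findByFamilyName", query = "SELECT u FROM UserEntity u WHERE u.familyName = :familyName"),
    @NamedQuery(name = "UserEntity.findByDob", query = "SELECT u FROM UserEntity u WHERE u.dob = :dob"),
    // SECURITY: findByPassword / findByConfirmPassword select accounts by password value.
    // They are generator output, nothing on this page calls them, and they must not be
    // used for authentication: Spring Security loads the user by username and compares
    // the password itself.
    @NamedQuery(name = "UserEntity.findByPassword", query = "SELECT u FROM UserEntity u WHERE u.password = :password"),
    @NamedQuery(name = "UserEntity.findByUsername", query = "SELECT u FROM UserEntity u WHERE u.username = :username"),
    @NamedQuery(name = "UserEntity.findByConfirmPassword", query = "SELECT u FROM UserEntity u WHERE u.confirmPassword = :confirmPassword"),
    @NamedQuery(name = "UserEntity.findByActive", query = "SELECT u FROM UserEntity u WHERE u.active = :active")})
public class UserEntity implements Serializable {

    private static final long serialVersionUID = 1L;

    /** Surrogate key, assigned by the database (AUTO_INCREMENT). */
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Basic(optional = false)
    @Column(name = "id")
    private Integer id;

    @Column(name = "first_name")
    private String firstName;

    @Column(name = "family_name")
    private String familyName;

    @Column(name = "dob")
    @Temporal(TemporalType.DATE)
    private Date dob;

    /** Stored credential; with the page's plaintext encoder this is the clear-text password. */
    @Basic(optional = false)
    @Column(name = "password")
    private String password;

    /** Login name; UNIQUE in the schema and the key used by UserDetailsService. */
    @Basic(optional = false)
    @Column(name = "username")
    private String username;

    /**
     * SECURITY: a persisted second copy of the password. A confirmation field belongs on
     * the registration form, not in the table; it is mapped here only because the
     * column is NOT NULL in the schema on this page.
     */
    @Basic(optional = false)
    @Column(name = "confirm_password")
    private String confirmPassword;

    /** Mapped to UserDetails.isEnabled() by the Assembler. */
    @Basic(optional = false)
    @Column(name = "active")
    private boolean active;

    /** Owning side of the user/role link; SecurityRoleEntity maps the inverse side via mappedBy. */
    @JoinTable(name = "user_security_role",
               joinColumns = {@JoinColumn(name = "user_id", referencedColumnName = "id")},
               inverseJoinColumns = {@JoinColumn(name = "security_role_id", referencedColumnName = "id")})
    @ManyToMany
    private Set<SecurityRoleEntity> securityRoleCollection;

    public UserEntity() {
    }

    public UserEntity(Integer id) {
        this.id = id;
    }

    /** Convenience constructor for the NOT NULL columns. */
    public UserEntity(Integer id, String password, String username, String confirmPassword, boolean active) {
        this.id = id;
        this.password = password;
        this.username = username;
        this.confirmPassword = confirmPassword;
        this.active = active;
    }

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getFirstName() {
        return firstName;
    }

    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    public String getFamilyName() {
        return familyName;
    }

    public void setFamilyName(String familyName) {
        this.familyName = familyName;
    }

    public Date getDob() {
        return dob;
    }

    public void setDob(Date dob) {
        this.dob = dob;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getConfirmPassword() {
        return confirmPassword;
    }

    public void setConfirmPassword(String confirmPassword) {
        this.confirmPassword = confirmPassword;
    }

    public boolean getActive() {
        return active;
    }

    public void setActive(boolean active) {
        this.active = active;
    }

    /** @return the user's roles; may be {@code null} on a freshly constructed instance. */
    public Set<SecurityRoleEntity> getSecurityRoleCollection() {
        return securityRoleCollection;
    }

    public void setSecurityRoleCollection(Set<SecurityRoleEntity> securityRoleCollection) {
        this.securityRoleCollection = securityRoleCollection;
    }

    /** Identity is the primary key only (generated-entity convention); unsaved instances all hash to 0. */
    @Override
    public int hashCode() {
        return id != null ? id.hashCode() : 0;
    }

    /**
     * Two users are equal when they have the same non-null id. Note: this does not work
     * for instances whose id has not been assigned yet (two unsaved users are equal only
     * if both ids are null).
     */
    @Override
    public boolean equals(Object object) {
        if (!(object instanceof UserEntity)) {
            return false;
        }
        UserEntity other = (UserEntity) object;
        if (this.id == null) {
            return other.id == null;
        }
        return this.id.equals(other.id);
    }

    /** Deliberately prints only the id — never the password. */
    @Override
    public String toString() {
        return "org.intan.pedigree.form.User[id=" + id + "]";
    }
}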
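package org.intan.pedigree.form;

import java.io.Serializable;
import java.util.Collection;
import javax.persistence.Basic;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.ManyToMany;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.Table;

/**
 * JPA entity mapped to {@code mydb.security_role}: one row per Spring Security
 * authority. {@link #getName()} is used verbatim as the GrantedAuthority string, so
 * it must be spelled exactly like the {@code access} values in the security XML
 * (case-sensitive, {@code ROLE_} prefix).
 * <p>
 * Change from the generated version: the inverse collection is typed
 * ({@code Collection<UserEntity>}) instead of raw.
 *
 * @author intan
 */
@Entity
@Table(name = "security_role", catalog = "mydb", schema = "")
@NamedQueries({
    @NamedQuery(name = "SecurityRoleEntity.findAll", query = "SELECT s FROM SecurityRoleEntity s"),
    @NamedQuery(name = "SecurityRoleEntity.findById", query = "SELECT s FROM SecurityRoleEntity s WHERE s.id = :id"),
    @NamedQuery(name = "SecurityRoleEntity.findByName", query = "SELECT s FROM SecurityRoleEntity s WHERE s.name = :name")})
public class SecurityRoleEntity implements Serializable {

    private static final long serialVersionUID = 1L;

    /** Surrogate key, assigned by the database (AUTO_INCREMENT). */
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Basic(optional = false)
    @Column(name = "id")
    private Integer id;

    /** Authority string, e.g. ROLE_ADMIN. Nullable in the schema, so callers should expect null. */
    @Column(name = "name")
    private String name;

    /** Inverse side of the link; UserEntity.securityRoleCollection owns the join table. */
    @ManyToMany(mappedBy = "securityRoleCollection")
    private Collection<UserEntity> userCollection;

    public SecurityRoleEntity() {
    }

    public SecurityRoleEntity(Integer id) {
        this.id = id;
    }

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public Collection<UserEntity> getUserCollection() {
        return userCollection;
    }

    public void setUserCollection(Collection<UserEntity> userCollection) {
        this.userCollection = userCollection;
    }

    /** Identity is the primary key only; unsaved instances all hash to 0. */
    @Override
    public int hashCode() {
        return id != null ? id.hashCode() : 0;
    }

    /**
     * Two roles are equal when they have the same non-null id. Does not work for
     * instances whose id has not been assigned yet.
     */
    @Override
    public boolean equals(Object object) {
        if (!(object instanceof SecurityRoleEntity)) {
            return false;
        }
        SecurityRoleEntity other = (SecurityRoleEntity) object;
        if (this.id == null) {
            return other.id == null;
        }
        return this.id.equals(other.id);
    }

    @Override
    public String toString() {
        return "org.intan.pedigree.form.SecurityRole[id=" + id + "]";
    }
}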
Now that we have our entity classes, let's create the necessary DAO classes:
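package org.intan.pedigree.dao;

import java.util.List;
import java.util.Set;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.intan.pedigree.form.SecurityRoleEntity;
import org.intan.pedigree.form.UserEntity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Repository;

/**
 * Hibernate data access for {@link UserEntity}.
 * <p>
 * SECURITY: every query binds its values as named parameters. The original version built
 * HQL by string concatenation ({@code "... where u.username = '" + username + "'"}); since
 * {@link #findByName(String)} receives the username typed into the login form, that was an
 * HQL injection point reachable by anyone before authentication.
 * <p>
 * Other fixes relative to the original: the {@code activateUser} HQL was missing the space
 * in {@code "UserEntity set"} and bound the boolean as the string {@code "Y"};
 * {@code removeUser} tested {@code load()} for null, which it never returns (it hands back
 * a proxy that throws on first access); {@code addUser}/{@code updateUser} caught and
 * printed Hibernate exceptions, so callers believed a failed save had succeeded.
 * <p>
 * The session comes from {@code sessionFactory.getCurrentSession()}, so every method
 * must be called inside a transaction (the service layer's {@code @Transactional}
 * methods provide it).
 */
@Repository
public class UserEntityDAOImpl implements UserEntityDAO {

    @Autowired
    private SessionFactory sessionFactory;

    /** The transaction-bound session; requires an active transaction on the calling thread. */
    private Session session() {
        return sessionFactory.getCurrentSession();
    }

    /**
     * Persists a new user. Hibernate exceptions propagate so the enclosing transaction
     * rolls back rather than silently committing nothing.
     */
    public void addUser(UserEntity user) {
        session().save(user);
    }

    /**
     * Looks a user up by exact username.
     *
     * @param username value to match against {@code UserEntity.username}; bound as a
     *                 parameter, never interpolated into the query text
     * @return the matching user, or {@code null} if there is none
     */
    public UserEntity findByName(String username) {
        Query query = session().createQuery("select u from UserEntity u where u.username = :username");
        query.setString("username", username);
        return (UserEntity) query.uniqueResult();
    }

    /** @return the user with the given primary key, or {@code null} if there is none */
    public UserEntity getUserByID(Integer id) {
        return (UserEntity) session().get(UserEntity.class, id);
    }

    /**
     * Sets {@code active = true} for the given user id.
     *
     * @return always the empty string (kept for interface compatibility)
     */
    public String activateUser(Integer id) {
        setActive(id, true);
        return "";
    }

    /**
     * Sets {@code active = false} for the given user id.
     *
     * @return always the empty string (kept for interface compatibility)
     */
    public String disableUser(Integer id) {
        setActive(id, false);
        return "";
    }

    /** Shared bulk update behind activateUser/disableUser; binds the flag as a real boolean. */
    private void setActive(Integer id, boolean active) {
        Query query = session().createQuery("update UserEntity set active = :active where id = :id");
        query.setBoolean("active", active);
        query.setInteger("id", id);
        int rowCount = query.executeUpdate();
        System.out.println("Rows affected: " + rowCount);
    }

    /** Re-attaches and updates an existing user; Hibernate exceptions propagate. */
    public void updateUser(UserEntity user) {
        session().update(user);
    }

    /** @return every user row */
    @SuppressWarnings("unchecked")
    public List<UserEntity> listUser() {
        return session().createQuery("from UserEntity").list();
    }

    /** Deletes the user with the given id; a no-op if no such user exists. */
    public void removeUser(Integer id) {
        UserEntity user = (UserEntity) session().get(UserEntity.class, id);
        if (user != null) {
            session().delete(user);
        }
    }

    /**
     * Roles of the named user.
     *
     * @return the user's roles, or {@code null} when the user does not exist or has no
     *         roles (the original contract; callers test for null)
     */
    @SuppressWarnings("unchecked")
    public Set<SecurityRoleEntity> getSecurityRolesForUsername(String username) {
        UserEntity user = findByName(username);
        if (user == null) {
            return null;
        }
        Set<SecurityRoleEntity> roles = user.getSecurityRoleCollection();
        return (roles != null && !roles.isEmpty()) ? roles : null;
    }
}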
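package org.intan.pedigree.dao;

import java.util.List;
import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.criterion.Restrictions;
import org.intan.pedigree.form.Country;
import org.intan.pedigree.form.Kennel;
import org.intan.pedigree.form.SecurityRoleEntity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Repository;

/**
 * Hibernate data access for {@link SecurityRoleEntity}.
 * <p>
 * All lookups go through Criteria or {@code session.get()}, so no values are concatenated
 * into query text. Fixes relative to the original: {@code removeSecurityRoleEntity} tested
 * {@code load()} for null, which it never returns; {@code addSecurityRoleEntity} caught
 * and printed Hibernate exceptions, hiding failed saves from the caller.
 * <p>
 * Uses {@code getCurrentSession()}: callers must run inside a transaction
 * (see SecurityRoleEntityServiceImpl).
 */
@Repository
public class SecurityRoleEntityDAOImpl implements SecurityRoleEntityDAO {

    @Autowired
    private SessionFactory sessionFactory;

    /** The transaction-bound session; requires an active transaction on the calling thread. */
    private Session session() {
        return sessionFactory.getCurrentSession();
    }

    /** Persists a new role; Hibernate exceptions propagate so the transaction rolls back. */
    public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {
        session().save(securityRoleEntity);
    }

    /**
     * Lists every role except {@code ROLE_ADMIN}. The exclusion is intentional in the
     * original — presumably so the admin role is not offered for assignment in a UI;
     * confirm with the callers. The comparison is exact, so the row must be spelled
     * {@code ROLE_ADMIN} for it to be hidden.
     */
    @SuppressWarnings("unchecked")
    public List<SecurityRoleEntity> listSecurityRoleEntity() {
        Criteria criteria = session().createCriteria(SecurityRoleEntity.class);
        criteria.add(Restrictions.ne("name", "ROLE_ADMIN"));
        return criteria.list();
    }

    /** @return the role with the given primary key, or {@code null} if there is none */
    public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {
        return (SecurityRoleEntity) session().get(SecurityRoleEntity.class, id);
    }

    /** Deletes the role with the given id; a no-op if no such role exists. */
    public void removeSecurityRoleEntity(Integer id) {
        SecurityRoleEntity role = (SecurityRoleEntity) session().get(SecurityRoleEntity.class, id);
        if (role != null) {
            session().delete(role);
        }
    }
}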
Now we will create the service layer for the above DAO’s.
package org.intan.pedigree.service;

import java.util.List;
import org.intan.pedigree.dao.SecurityRoleEntityDAO;
import org.intan.pedigree.form.SecurityRoleEntity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

/**
 * Transactional facade over {@link SecurityRoleEntityDAO}. Each method opens the
 * transaction that the DAO's {@code getCurrentSession()} needs and delegates one-to-one;
 * no business rules live here.
 */
@Service
public class SecurityRoleEntityServiceImpl implements SecurityRoleEntityService {

    @Autowired
    private SecurityRoleEntityDAO securityRoleEntityDAO;

    /** Looks one role up by primary key. */
    @Transactional
    public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {
        return securityRoleEntityDAO.getSecurityRoleEntityById(id);
    }

    /** Lists the roles the DAO exposes (the DAO decides what is filtered out). */
    @Transactional
    public List listSecurityRoleEntity() {
        return securityRoleEntityDAO.listSecurityRoleEntity();
    }

    /** Persists a new role. */
    @Transactional
    public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {
        securityRoleEntityDAO.addSecurityRoleEntity(securityRoleEntity);
    }

    /** Deletes the role with the given id. */
    @Transactional
    public void removeSecurityRoleEntity(Integer id) {
        securityRoleEntityDAO.removeSecurityRoleEntity(id);
    }
}
Note that the UserDetails service below implements Spring Security's org.springframework.security.core.userdetails.UserDetailsService: its single method, loadUserByUsername, is what the DaoAuthenticationProvider calls during login to fetch the stored credentials and authorities for the submitted username.
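package org.intan.pedigree.service;

import org.intan.pedigree.dao.UserEntityDAO;
import org.intan.pedigree.form.UserEntity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

/**
 * Spring Security's hook into our user table. The DaoAuthenticationProvider configured in
 * applicationContext-security.xml calls {@link #loadUserByUsername(String)} with the name
 * from the login form and then compares the submitted password against the returned
 * {@code UserDetails} itself — this class never sees or checks the password.
 * <p>
 * Cleanup relative to the original: the duplicate {@code UserEntityDAO} import, the unused
 * {@code User} import and the unused {@code userDetails} local are gone.
 */
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserEntityDAO dao;

    @Autowired
    private Assembler assembler;

    /**
     * Loads the account for {@code username} and converts it to a Spring Security user.
     * <p>
     * Why {@code @Transactional}: the DAO uses {@code getCurrentSession()}, and the user's
     * {@code securityRoleCollection} is a lazy {@code @ManyToMany} that the Assembler
     * iterates, so the Hibernate session has to stay open until the {@code User} object is
     * built. Without it the DAO call and/or the role loop would be expected to fail for
     * want of a bound session. {@code readOnly = true} because nothing is written.
     *
     * @param username the name submitted at login; untrusted, passed to the DAO as a bound parameter
     * @return the user's credentials, enabled flag and authorities
     * @throws UsernameNotFoundException if no account has that username
     * @throws DataAccessException on a database failure
     */
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        UserEntity userEntity = dao.findByName(username);
        if (userEntity == null) {
            // Deliberately generic message: do not tell the caller anything about why.
            throw new UsernameNotFoundException("user not found");
        }
        return assembler.buildUserFromUserEntity(userEntity);
    }
}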
You also see above that the loadUserByUsername method returns the result of assembler.buildUserFromUserEntity. Simply put, this assembler method constructs an org.springframework.security.core.userdetails.User object from the given UserEntity: the stored password, the enabled flag and one GrantedAuthority per role. The code of the Assembler class is given below:
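package org.intan.pedigree.service;

import java.util.ArrayList;
import java.util.Collection;
import org.intan.pedigree.form.SecurityRoleEntity;
import org.intan.pedigree.form.UserEntity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

/**
 * Converts a persisted {@link UserEntity} into the Spring Security {@link User} that the
 * DaoAuthenticationProvider compares the submitted password against.
 * <p>
 * Changes relative to the original:
 * <ul>
 *   <li>Only {@code isEnabled()} is driven by the {@code active} column. The original also
 *       set accountNonExpired, credentialsNonExpired and accountNonLocked from the same
 *       flag, so a merely disabled account was reported to the user as "locked" — the
 *       schema on this page tracks no expiry or lock state, so those are always true.</li>
 *   <li>A {@code null} role collection yields an empty authority list instead of a
 *       NullPointerException.</li>
 *   <li>The authority collection is typed.</li>
 * </ul>
 */
@Service("assembler")
public class Assembler {

    /**
     * Builds the Spring Security user.
     * <p>
     * Note: {@code @Transactional} on a non-public method is not applied by Spring's
     * proxies; what actually keeps the session open for the lazy role collection is the
     * read-only transaction of {@code UserDetailsServiceImpl.loadUserByUsername}, which is
     * the only caller on this page. The annotation is kept for compatibility.
     *
     * @param userEntity the account row, with its role collection loadable in the current session
     * @return user with the stored (encoded) password, enabled = {@code active}, and one
     *         authority per role, named exactly as the role's {@code name} column
     */
    @Transactional(readOnly = true)
    User buildUserFromUserEntity(UserEntity userEntity) {
        String username = userEntity.getUsername();
        String password = userEntity.getPassword();
        boolean enabled = userEntity.getActive();

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        @SuppressWarnings("unchecked")
        Collection<SecurityRoleEntity> roles = userEntity.getSecurityRoleCollection();
        if (roles != null) {
            for (SecurityRoleEntity role : roles) {
                // The name is used verbatim: it must already carry the ROLE_ prefix and match
                // the intercept-url access attributes case-sensitively.
                authorities.add(new GrantedAuthorityImpl(role.getName()));
            }
        }

        // No expiry or lock state exists in the schema, so those three flags are always "ok".
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;
        return new User(username, password, enabled,
                accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
    }
}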
The only thing that remains to be done now is to define what is necessary in the Spring Security context file. Create a new XML file called “applicationContext-security.xml” — lower-case “security”, exactly as it is referenced from web.xml below, since the name is case-sensitive on most servers — with the following contents:
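<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 configuration for the custom UserDetailsService.

  Authentication: form login / HTTP Basic (auto-config) -> DaoAuthenticationProvider
  -> userDetailsService (UserDetailsServiceImpl) -> Hibernate.
  Authorisation: the intercept-url rules below, matched against the GrantedAuthority
  strings the Assembler builds from security_role.name.

  Cleanup relative to the original: the commented-out intercept-url for /login.jsp was
  removed (auto-config serves its own login page).
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:context="http://www.springframework.org/schema/context"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- UserDetailsServiceImpl is also annotated @Service("userDetailsService"), so this
         explicit definition and the component scan below describe the same bean; the
         explicit one is kept so the user-service-ref below is obvious. -->
    <beans:bean id="userDetailsService" class="org.intan.pedigree.service.UserDetailsServiceImpl" />

    <context:component-scan base-package="org.intan.pedigree" />

    <!-- auto-config="true" switches on form login, HTTP Basic and logout with their defaults.
         Role names are compared as exact, case-sensitive strings against the authorities the
         Assembler builds from security_role.name, so those rows must be spelled exactly as
         the access attributes here (ROLE_ADMIN, not ROLE_admin). URLs that match none of
         these patterns are not protected by any rule. -->
    <http auto-config="true">
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <intercept-url pattern="/user/**" access="ROLE_REGISTERED_USER" />
        <intercept-url pattern="/kennel/**" access="ROLE_KENNEL_OWNER" />
    </http>

    <!-- Nothing in this file references these two beans: the <authentication-manager>
         element below already creates a ProviderManager with a DaoAuthenticationProvider
         for userDetailsService. They are left in place in case other contexts inject them
         by id; they can otherwise be deleted. -->
    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>

    <beans:bean id="authenticationManager"
                class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="daoAuthenticationProvider" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <!-- SECURITY: hash="plaintext" means the value in user.password is compared
                 as-is, so the database holds clear-text passwords (the seed row stores
                 '123456'). Before this goes anywhere near real users, switch to a salted
                 hash, e.g.
                   <password-encoder hash="sha-256">
                       <salt-source user-property="username"/>
                   </password-encoder>
                 and store the corresponding encoded value in user.password (the column
                 must be wide enough: a SHA-256 hex digest is 64 characters). -->
            <password-encoder hash="plaintext" />
        </authentication-provider>
    </authentication-manager>

</beans:beans>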
In your web.xml put the following code in order to load the applicationContext-security.xml file.
<!-- Tells Spring's ContextLoaderListener (not shown on this page) which files make up the
     root application context: the Hibernate context first, then the security context that
     depends on it. The file names are case-sensitive on most servers, so the security file
     must be saved as applicationContext-security.xml with a lower-case "s". -->
<context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/applicationContext-hibernate.xml /WEB-INF/applicationContext-security.xml </param-value> </context-param>
Last of all, excuse any typing mistakes etc, as this code is just copy and paste from personal work that I have done, if something does not work please post the question and I will be more than happy to assist you.
Reference: Spring 3, Spring Security Implementing Custom UserDetails with Hibernate from our JCG partner Ioannis Dadis at the Giannisapi blog.
can you please send me the whole code for this application in executable mode as i am newbie for spring security.
thanks in advance
I code project like this,but concurrency-control can’t be work ? can you ?
Thanks and all but this code is terrible to read. The indentation is wrong and there are too many useless empty lines..
Hello… I want to know that why (@Transactional) is required on loadByUserName().
If I skip that would it create any problem?