Spring Security Implementing Custom UserDetails with Hibernate

Most of the time, we will want to configure our own security access roles in web applications. This is easily achieved in Spring Security. In this article we will see the simplest way to do this.

First of all we will need the following tables in the database:

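-- Schema for the custom UserDetails example.
-- The AUTO_INCREMENT = 4 / AUTO_INCREMENT = 9 table options from the original dump are
-- omitted: on a fresh database they make the first role get id 4 and the first user id 9,
-- so the sample association row (user_id 1, security_role_id 1) would violate the foreign keys.

-- Role catalogue. Spring Security compares authority names as exact strings, so keep one
-- spelling (including case) here and in the URL access rules.
CREATE TABLE IF NOT EXISTS `mydb`.`security_role` (
  `id` INT(11) NOT NULL AUTO_INCREMENT ,
  `name` VARCHAR(50) NULL DEFAULT NULL ,
  PRIMARY KEY (`id`) )
ENGINE = InnoDB
DEFAULT CHARACTER SET = latin1;

-- Application users.
CREATE TABLE IF NOT EXISTS `mydb`.`user` (
  `id` INT(11) NOT NULL AUTO_INCREMENT ,
  `first_name` VARCHAR(45) NULL DEFAULT NULL ,
  `family_name` VARCHAR(45) NULL DEFAULT NULL ,
  `dob` DATE NULL DEFAULT NULL ,
  -- Widened from VARCHAR(45): the column must hold an encoded (salted, hashed) password,
  -- and 45 characters truncates most encoded formats. Do not store the clear-text password.
  `password` VARCHAR(255) NOT NULL ,
  `username` VARCHAR(45) NOT NULL ,
  -- NOTE(review): kept only because UserEntity maps this column. A confirmation value is a
  -- form-level check; persisting it stores the credential a second time. Drop the column
  -- once the entity no longer maps it.
  `confirm_password` VARCHAR(45) NOT NULL ,
  `active` TINYINT(1) NOT NULL ,
  PRIMARY KEY (`id`) ,
  UNIQUE INDEX `username` (`username` ASC) )
ENGINE = InnoDB
DEFAULT CHARACTER SET = latin1;

-- Many-to-many association between users and roles.
CREATE TABLE IF NOT EXISTS `mydb`.`user_security_role` (
  `user_id` INT(11) NOT NULL ,
  `security_role_id` INT(11) NOT NULL ,
  PRIMARY KEY (`user_id`, `security_role_id`) ,
  INDEX `security_role_id` (`security_role_id` ASC) ,
  CONSTRAINT `user_security_role_ibfk_1`
    FOREIGN KEY (`user_id` )
    REFERENCES `mydb`.`user` (`id` ),
  CONSTRAINT `user_security_role_ibfk_2`
    FOREIGN KEY (`security_role_id` )
    REFERENCES `mydb`.`security_role` (`id` ))
ENGINE = InnoDB
DEFAULT CHARACTER SET = latin1;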

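Obviously, the user table will hold users, the security_role table will hold security roles, and user_security_role will hold the association between them. To keep the implementation as simple as possible, entries in the security_role table should always start with “ROLE_”; otherwise we will need to encapsulate them (this will NOT be covered in this article). Note that Spring Security compares role names as exact, case-sensitive strings, so the names stored here must be spelled exactly like the access attributes configured later in the security XML.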

So we execute the following statements:

-- Seed data: three roles, one user, and the user-to-role association.
-- NOTE(review): the URL rules in the security XML later on this page use ROLE_ADMIN,
-- ROLE_REGISTERED_USER and ROLE_KENNEL_OWNER. Authority strings are compared exactly,
-- so the spellings below must be aligned with those rules before the rules can match.
insert into security_role(name) values ('ROLE_admin');

insert into security_role(name) values ('ROLE_Kennel_Owner');

insert into security_role(name) values ('ROLE_User');

-- NOTE(review): '123456' is a sample credential stored in clear text (and stored twice,
-- because confirm_password repeats it). That only works with the plaintext
-- password-encoder configured later; outside a local demo, store the encoded hash.
insert into user (first_name,family_name,password,username,confirm_password,active)

values ('ioannis','ntantis','123456','giannisapi','123456',1);

-- Assumes the user and the admin role both received id 1. If the tables' AUTO_INCREMENT
-- counters start higher, look up the generated ids instead of hard-coding them.
insert into user_security_role (user_id,security_role_id) values (1,1);

So after those commands we have the following:

Three different security roles

One user with username “giannisapi”

We have given the role “ROLE_admin” to user “giannisapi”

Now that everything is completed on the database side, we will move to the java side to see what needs to be done.

First we will create the necessary DTOs (here, JPA entity classes; there are various tools that will automatically generate them from the database for you):

package org.intan.pedigree.form;

import java.io.Serializable;

import java.util.Collection;

import java.util.Date;

import java.util.Set;

import javax.persistence.Basic;

import javax.persistence.Column;

import javax.persistence.Entity;

import javax.persistence.GeneratedValue;

import javax.persistence.GenerationType;

import javax.persistence.Id;

import javax.persistence.JoinColumn;

import javax.persistence.JoinTable;

import javax.persistence.ManyToMany;

import javax.persistence.NamedQueries;

import javax.persistence.NamedQuery;

import javax.persistence.Table;

import javax.persistence.Temporal;

import javax.persistence.TemporalType;

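/**
 * JPA entity mapped to the {@code mydb.user} table. It carries the credentials and the role
 * associations that the Spring Security {@code UserDetailsService} on this page reads.
 *
 * <p>Changes from the published listing: string literals use double quotes again (the
 * single-quoted form does not compile) and the role collection carries its element type,
 * which the {@code @ManyToMany} mapping needs because no {@code targetEntity} is given.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@code password} should only ever hold an encoded (salted, hashed) value.</li>
 *   <li>{@code confirmPassword} is a form-validation value; persisting it stores the
 *       credential a second time. It is mapped here only because the table declares the
 *       column {@code NOT NULL}.</li>
 * </ul>
 *
 * @author intan
 */
@Entity
@Table(name = "user", catalog = "mydb", schema = "")
@NamedQueries({
    @NamedQuery(name = "UserEntity.findAll", query = "SELECT u FROM UserEntity u"),
    @NamedQuery(name = "UserEntity.findById", query = "SELECT u FROM UserEntity u WHERE u.id = :id"),
    @NamedQuery(name = "UserEntity.findByFirstName", query = "SELECT u FROM UserEntity u WHERE u.firstName = :firstName"),
    @NamedQuery(name = "UserEntity.findByFamilyName", query = "SELECT u FROM UserEntity u WHERE u.familyName = :familyName"),
    @NamedQuery(name = "UserEntity.findByDob", query = "SELECT u FROM UserEntity u WHERE u.dob = :dob"),
    // NOTE(review): generated finders keyed on the password. Authentication should load the
    // user by username and let the password encoder compare; looking users up by password
    // has no legitimate use once passwords are stored as salted hashes. Kept because other
    // code may reference the query names.
    @NamedQuery(name = "UserEntity.findByPassword", query = "SELECT u FROM UserEntity u WHERE u.password = :password"),
    @NamedQuery(name = "UserEntity.findByUsername", query = "SELECT u FROM UserEntity u WHERE u.username = :username"),
    @NamedQuery(name = "UserEntity.findByConfirmPassword", query = "SELECT u FROM UserEntity u WHERE u.confirmPassword = :confirmPassword"),
    @NamedQuery(name = "UserEntity.findByActive", query = "SELECT u FROM UserEntity u WHERE u.active = :active")})
public class UserEntity implements Serializable {

    private static final long serialVersionUID = 1L;

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Basic(optional = false)
    @Column(name = "id")
    private Integer id;

    @Column(name = "first_name")
    private String firstName;

    @Column(name = "family_name")
    private String familyName;

    @Column(name = "dob")
    @Temporal(TemporalType.DATE)
    private Date dob;

    // Expected to hold the encoded password, never the clear text.
    @Basic(optional = false)
    @Column(name = "password")
    private String password;

    @Basic(optional = false)
    @Column(name = "username")
    private String username;

    // See the class comment: a second stored copy of the credential.
    @Basic(optional = false)
    @Column(name = "confirm_password")
    private String confirmPassword;

    @Basic(optional = false)
    @Column(name = "active")
    private boolean active;

    // Owning side of the user <-> role association (join table user_security_role).
    @JoinTable(name = "user_security_role", joinColumns = {
        @JoinColumn(name = "user_id", referencedColumnName = "id")}, inverseJoinColumns = {
        @JoinColumn(name = "security_role_id", referencedColumnName = "id")})
    @ManyToMany
    private Set<SecurityRoleEntity> securityRoleCollection;

    /** No-argument constructor required by JPA. */
    public UserEntity() {
    }

    /**
     * Creates an entity that carries only its primary key.
     *
     * @param id primary key value
     */
    public UserEntity(Integer id) {
        this.id = id;
    }

    /**
     * Creates an entity with all non-optional columns set.
     *
     * @param id primary key value
     * @param password value for the {@code password} column
     * @param username login name
     * @param confirmPassword value for the {@code confirm_password} column
     * @param active whether the account is active
     */
    public UserEntity(Integer id, String password, String username, String confirmPassword, boolean active) {
        this.id = id;
        this.password = password;
        this.username = username;
        this.confirmPassword = confirmPassword;
        this.active = active;
    }

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getFirstName() {
        return firstName;
    }

    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    public String getFamilyName() {
        return familyName;
    }

    public void setFamilyName(String familyName) {
        this.familyName = familyName;
    }

    public Date getDob() {
        return dob;
    }

    public void setDob(Date dob) {
        this.dob = dob;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getConfirmPassword() {
        return confirmPassword;
    }

    public void setConfirmPassword(String confirmPassword) {
        this.confirmPassword = confirmPassword;
    }

    public boolean getActive() {
        return active;
    }

    public void setActive(boolean active) {
        this.active = active;
    }

    /**
     * @return the roles granted to this user; the mapping declares no fetch type, so
     *     presumably it is loaded lazily and must be read while the session is open
     */
    public Set<SecurityRoleEntity> getSecurityRoleCollection() {
        return securityRoleCollection;
    }

    public void setSecurityRoleCollection(Set<SecurityRoleEntity> securityRoleCollection) {
        this.securityRoleCollection = securityRoleCollection;
    }

    /** Hash derived from the primary key only; 0 while the id is unset. */
    @Override
    public int hashCode() {
        return id != null ? id.hashCode() : 0;
    }

    /**
     * Identity is the primary key. Two instances whose id is still {@code null} compare as
     * equal, so do not rely on this for entities that have not been persisted yet.
     */
    @Override
    public boolean equals(Object object) {
        if (!(object instanceof UserEntity)) {
            return false;
        }
        UserEntity other = (UserEntity) object;
        if (this.id == null) {
            return other.id == null;
        }
        return this.id.equals(other.id);
    }

    /** Prints the id only, which keeps credentials out of log output. */
    @Override
    public String toString() {
        return "org.intan.pedigree.form.User[id=" + id + "]";
    }
}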
package org.intan.pedigree.form;

import java.io.Serializable;

import java.util.Collection;

import javax.persistence.Basic;

import javax.persistence.Column;

import javax.persistence.Entity;

import javax.persistence.GeneratedValue;

import javax.persistence.GenerationType;

import javax.persistence.Id;

import javax.persistence.ManyToMany;

import javax.persistence.NamedQueries;

import javax.persistence.NamedQuery;

import javax.persistence.Table;

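/**
 * JPA entity mapped to the {@code mydb.security_role} table. The {@code name} value is what
 * ends up as a granted authority in Spring Security, so it has to be spelled exactly like
 * the access attributes used in the security configuration.
 *
 * <p>Changes from the published listing: string literals use double quotes again (the
 * single-quoted form does not compile) and the inverse collection carries its element type,
 * which the {@code @ManyToMany} mapping needs because no {@code targetEntity} is given.
 *
 * @author intan
 */
@Entity
@Table(name = "security_role", catalog = "mydb", schema = "")
@NamedQueries({
    @NamedQuery(name = "SecurityRoleEntity.findAll", query = "SELECT s FROM SecurityRoleEntity s"),
    @NamedQuery(name = "SecurityRoleEntity.findById", query = "SELECT s FROM SecurityRoleEntity s WHERE s.id = :id"),
    @NamedQuery(name = "SecurityRoleEntity.findByName", query = "SELECT s FROM SecurityRoleEntity s WHERE s.name = :name")})
public class SecurityRoleEntity implements Serializable {

    private static final long serialVersionUID = 1L;

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Basic(optional = false)
    @Column(name = "id")
    private Integer id;

    // Authority name, e.g. a value starting with "ROLE_". The column is nullable in the schema.
    @Column(name = "name")
    private String name;

    // Inverse side of UserEntity.securityRoleCollection.
    @ManyToMany(mappedBy = "securityRoleCollection")
    private Collection<UserEntity> userCollection;

    /** No-argument constructor required by JPA. */
    public SecurityRoleEntity() {
    }

    /**
     * Creates an entity that carries only its primary key.
     *
     * @param id primary key value
     */
    public SecurityRoleEntity(Integer id) {
        this.id = id;
    }

    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public Collection<UserEntity> getUserCollection() {
        return userCollection;
    }

    public void setUserCollection(Collection<UserEntity> userCollection) {
        this.userCollection = userCollection;
    }

    /** Hash derived from the primary key only; 0 while the id is unset. */
    @Override
    public int hashCode() {
        return id != null ? id.hashCode() : 0;
    }

    /**
     * Identity is the primary key. Two instances whose id is still {@code null} compare as
     * equal, so do not rely on this for entities that have not been persisted yet.
     */
    @Override
    public boolean equals(Object object) {
        if (!(object instanceof SecurityRoleEntity)) {
            return false;
        }
        SecurityRoleEntity other = (SecurityRoleEntity) object;
        if (this.id == null) {
            return other.id == null;
        }
        return this.id.equals(other.id);
    }

    @Override
    public String toString() {
        return "org.intan.pedigree.form.SecurityRole[id=" + id + "]";
    }
}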

Now that we have our DTOs, let's create the necessary DAO classes:

package org.intan.pedigree.dao;

import java.util.List;

import java.util.Set;

import org.hibernate.SessionFactory;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.intan.pedigree.form.UserEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Repository;

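/**
 * Hibernate-backed DAO for {@link UserEntity}.
 *
 * <p>Every method uses {@code sessionFactory.getCurrentSession()}, so callers have to run
 * inside a transaction-bound session (the service layer on this page uses
 * {@code @Transactional}).
 *
 * <p>Changes from the published listing:
 * <ul>
 *   <li>All HQL binds its values as named parameters. {@code findByName} receives the name
 *       typed into the login form, so concatenating it into the query text let that input
 *       rewrite the query.</li>
 *   <li>{@code activateUser} had a malformed statement ({@code "update UserEntityset ..."})
 *       and bound the string {@code "Y"} to the boolean {@code active} property.</li>
 *   <li>{@code addUser} / {@code updateUser} no longer catch and print exceptions. A swallowed
 *       persistence failure lets the caller carry on, and the surrounding transaction
 *       commit, as if the write had succeeded.</li>
 *   <li>{@code removeUser} uses {@code get}, which returns {@code null} for a missing row;
 *       {@code load} hands back a proxy, so the original null check could never fail.</li>
 * </ul>
 */
@Repository
public class UserEntityDAOImpl implements UserEntityDAO {

    @Autowired
    private SessionFactory sessionFactory;

    /**
     * Persists a new user. Hibernate exceptions propagate to the caller.
     *
     * @param user entity to save
     */
    public void addUser(UserEntity user) {
        sessionFactory.getCurrentSession().save(user);
    }

    /**
     * Looks a user up by login name.
     *
     * @param username login name; treated strictly as data (bound parameter)
     * @return the matching user, or {@code null} when there is none
     */
    public UserEntity findByName(String username) {
        return (UserEntity) sessionFactory.getCurrentSession()
                .createQuery("select u from UserEntity u where u.username = :username")
                .setString("username", username)
                .uniqueResult();
    }

    /**
     * Looks a user up by primary key.
     *
     * @param id primary key
     * @return the matching user, or {@code null} when there is none
     */
    public UserEntity getUserByID(Integer id) {
        return (UserEntity) sessionFactory.getCurrentSession()
                .createQuery("select u from UserEntity u where u.id = :id")
                .setParameter("id", id)
                .uniqueResult();
    }

    /**
     * Marks the user as active.
     *
     * @param id primary key of the user
     * @return always the empty string
     */
    public String activateUser(Integer id) {
        return setActiveFlag(id, true);
    }

    /**
     * Marks the user as inactive.
     *
     * @param id primary key of the user
     * @return always the empty string
     */
    public String disableUser(Integer id) {
        return setActiveFlag(id, false);
    }

    /** Runs the bulk update shared by {@link #activateUser} and {@link #disableUser}. */
    private String setActiveFlag(Integer id, boolean active) {
        String hql = "update UserEntity set active = :active where id = :id";
        org.hibernate.Query query = sessionFactory.getCurrentSession().createQuery(hql);
        query.setBoolean("active", active);
        query.setParameter("id", id);
        int rowCount = query.executeUpdate();
        System.out.println("Rows affected: " + rowCount);
        return "";
    }

    /**
     * Updates an existing user. Hibernate exceptions propagate to the caller.
     *
     * @param user detached or persistent entity carrying the new state
     */
    public void updateUser(UserEntity user) {
        sessionFactory.getCurrentSession().update(user);
    }

    /**
     * @return every user in the table
     */
    @SuppressWarnings("unchecked") // Hibernate's Query.list() is untyped; the HQL selects UserEntity only
    public List<UserEntity> listUser() {
        return sessionFactory.getCurrentSession().createQuery("from UserEntity").list();
    }

    /**
     * Deletes the user with the given id; does nothing when no such row exists.
     *
     * @param id primary key of the user
     */
    public void removeUser(Integer id) {
        UserEntity user = (UserEntity) sessionFactory.getCurrentSession().get(UserEntity.class, id);
        if (user != null) {
            sessionFactory.getCurrentSession().delete(user);
        }
    }

    /**
     * Returns the roles of the user with the given login name.
     *
     * @param username login name; treated strictly as data (bound parameter)
     * @return the user's roles, or {@code null} when the user does not exist or has no roles
     */
    @SuppressWarnings("unchecked") // tolerates an untyped getSecurityRoleCollection() on the entity
    public Set<SecurityRoleEntity> getSecurityRolesForUsername(String username) {
        UserEntity user = findByName(username);
        if (user == null) {
            return null;
        }
        Set<SecurityRoleEntity> roles = user.getSecurityRoleCollection();
        // size() is called while the session is still open, which also initialises the collection.
        if (roles != null && roles.size() > 0) {
            return roles;
        }
        return null;
    }
}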
package org.intan.pedigree.dao;

import java.util.List;

import org.hibernate.Criteria;

import org.hibernate.SessionFactory;

import org.hibernate.criterion.Restrictions;

import org.intan.pedigree.form.Country;

import org.intan.pedigree.form.Kennel;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Repository;

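/**
 * Hibernate-backed DAO for {@link SecurityRoleEntity}.
 *
 * <p>Changes from the published listing: string literals use double quotes again (the
 * single-quoted form does not compile); {@code addSecurityRoleEntity} no longer catches and
 * prints exceptions, because a swallowed persistence failure lets the caller and the
 * surrounding transaction continue as if the role had been stored; and
 * {@code removeSecurityRoleEntity} uses {@code get}, since {@code load} returns a proxy and
 * the original null check could never fail.
 */
@Repository
public class SecurityRoleEntityDAOImpl implements SecurityRoleEntityDAO {

    @Autowired
    private SessionFactory sessionFactory;

    /**
     * Persists a new role. Hibernate exceptions propagate to the caller.
     *
     * @param securityRoleEntity role to save
     */
    public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {
        sessionFactory.getCurrentSession().save(securityRoleEntity);
    }

    /**
     * Lists the roles whose name is not {@code ROLE_ADMIN}.
     *
     * <p>NOTE(review): the sample data on this page names the administrator role
     * {@code ROLE_admin}. The comparison runs in the database, so whether that row is filtered
     * out depends on the column collation; do not treat this filter as the control that
     * keeps the admin role from being assigned. Rows with a NULL name are not returned
     * either, because a not-equal test against NULL is never true in SQL.
     *
     * @return the matching roles
     */
    @SuppressWarnings("unchecked") // Criteria.list() is untyped; the criteria root is SecurityRoleEntity
    public List<SecurityRoleEntity> listSecurityRoleEntity() {
        Criteria criteria = sessionFactory.getCurrentSession().createCriteria(SecurityRoleEntity.class);
        criteria.add(Restrictions.ne("name", "ROLE_ADMIN"));
        return criteria.list();
    }

    /**
     * Looks a role up by primary key.
     *
     * @param id primary key
     * @return the matching role, or {@code null} when there is none
     */
    public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {
        Criteria criteria = sessionFactory.getCurrentSession().createCriteria(SecurityRoleEntity.class);
        criteria.add(Restrictions.eq("id", id));
        return (SecurityRoleEntity) criteria.uniqueResult();
    }

    /**
     * Deletes the role with the given id; does nothing when no such row exists.
     *
     * @param id primary key of the role
     */
    public void removeSecurityRoleEntity(Integer id) {
        SecurityRoleEntity securityRoleEntity =
                (SecurityRoleEntity) sessionFactory.getCurrentSession().get(SecurityRoleEntity.class, id);
        if (securityRoleEntity != null) {
            sessionFactory.getCurrentSession().delete(securityRoleEntity);
        }
    }
}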

Now we will create the service layer for the above DAO’s.

package org.intan.pedigree.service;

import java.util.List;

import org.intan.pedigree.dao.SecurityRoleEntityDAO;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

/**
 * Transactional facade over {@link SecurityRoleEntityDAO}. Each method opens a transaction
 * through {@code @Transactional} and forwards the call to the DAO unchanged.
 */
@Service
public class SecurityRoleEntityServiceImpl implements SecurityRoleEntityService {

    /** DAO that performs the actual persistence work. */
    @Autowired
    private SecurityRoleEntityDAO securityRoleEntityDAO;

    /**
     * Stores a new role.
     *
     * @param securityRoleEntity role to persist
     */
    @Transactional
    public void addSecurityRoleEntity(final SecurityRoleEntity securityRoleEntity) {
        this.securityRoleEntityDAO.addSecurityRoleEntity(securityRoleEntity);
    }

    /**
     * @return whatever the DAO's role listing returns
     */
    @Transactional
    public List listSecurityRoleEntity() {
        final List roles = this.securityRoleEntityDAO.listSecurityRoleEntity();
        return roles;
    }

    /**
     * Deletes a role.
     *
     * @param id primary key of the role to delete
     */
    @Transactional
    public void removeSecurityRoleEntity(final Integer id) {
        this.securityRoleEntityDAO.removeSecurityRoleEntity(id);
    }

    /**
     * Fetches one role.
     *
     * @param id primary key of the role
     * @return the DAO's result for that id
     */
    @Transactional
    public SecurityRoleEntity getSecurityRoleEntityById(final Integer id) {
        final SecurityRoleEntity role = this.securityRoleEntityDAO.getSecurityRoleEntityById(id);
        return role;
    }
}

In the Service layer of UserDetails below, pay attention that it implements UserDetailsService from org.springframework.security.core.userdetails.UserDetailsService.

package org.intan.pedigree.service;

import org.intan.pedigree.dao.UserEntityDAO;

import org.intan.pedigree.dao.UserEntityDAO;

import org.intan.pedigree.form.UserEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.dao.DataAccessException;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

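/**
 * Spring Security entry point for loading a user: looks the {@link UserEntity} up through
 * the DAO and converts it with the {@link Assembler}.
 *
 * <p>Changes from the published listing: string literals use double quotes again (the
 * single-quoted form does not compile), the unused {@code userDetails} local is gone and the
 * {@code if} carries braces.
 */
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserEntityDAO dao;

    @Autowired
    private Assembler assembler;

    /**
     * Loads the user with the given login name.
     *
     * <p>{@code username} is whatever was typed into the login form, i.e. untrusted input.
     * The DAO lookup has to bind it as a query parameter rather than concatenate it into HQL.
     *
     * <p>The read-only transaction stays open while the assembler runs, which is what allows
     * the user's role collection to be read there.
     *
     * @param username login name submitted by the client
     * @return the Spring Security view of the stored user
     * @throws UsernameNotFoundException when the DAO finds no user with that name
     * @throws DataAccessException declared for the interface contract; not thrown directly here
     */
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        UserEntity userEntity = dao.findByName(username);
        if (userEntity == null) {
            // Generic message: it does not echo the submitted name back.
            throw new UsernameNotFoundException("user not found");
        }
        return assembler.buildUserFromUserEntity(userEntity);
    }
}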

You can also see above that the loadUserByUsername method returns the result of assembler.buildUserFromUserEntity. Simply put, this assembler method constructs an org.springframework.security.core.userdetails.User object from the given UserEntity DTO. The code of the Assembler class is given below:

package org.intan.pedigree.service;

import java.util.ArrayList;

import java.util.Collection;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.intan.pedigree.form.UserEntity;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.authority.GrantedAuthorityImpl;

import org.springframework.security.core.userdetails.User;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

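/**
 * Converts the persistent {@link UserEntity} into the
 * {@code org.springframework.security.core.userdetails.User} that Spring Security works with.
 *
 * <p>Changes from the published listing: string literals use double quotes again (the
 * single-quoted form does not compile), the collections carry their element types (the
 * for-each over an untyped collection does not compile), and a user without a role
 * collection yields an empty authority list instead of a {@code NullPointerException}.
 */
@Service("assembler")
public class Assembler {

    /**
     * Builds the Spring Security user for the given entity.
     *
     * <p>All four account-state flags are taken from the single {@code active} column, so
     * deactivating a user disables the account; the entity holds no separate
     * expired or locked state.
     *
     * <p>The password is passed through exactly as stored. What is stored must therefore be
     * the value the configured password encoder expects, ideally a salted hash rather than
     * clear text.
     *
     * <p>NOTE(review): the method is package-private. With Spring's proxy-based
     * {@code @Transactional} support only public methods are normally intercepted, so the
     * role collection is presumably read inside the caller's transaction. TODO confirm.
     *
     * @param userEntity the stored user; must not be {@code null}
     * @return a {@code User} carrying one authority per role name
     */
    @Transactional(readOnly = true)
    @SuppressWarnings("unchecked") // tolerates an untyped getSecurityRoleCollection() on the entity
    User buildUserFromUserEntity(UserEntity userEntity) {
        boolean active = userEntity.getActive();

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        Collection<SecurityRoleEntity> roles = userEntity.getSecurityRoleCollection();
        if (roles != null) {
            for (SecurityRoleEntity role : roles) {
                // The role name becomes the authority string verbatim; access rules are
                // matched against it exactly, including case.
                // GrantedAuthorityImpl is deprecated in later Spring Security releases.
                authorities.add(new GrantedAuthorityImpl(role.getName()));
            }
        }

        // Argument order: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked.
        return new User(userEntity.getUsername(), userEntity.getPassword(),
                active, active, active, active, authorities);
    }
}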

The only thing that remains to be done now is to define what is necessary in applicationContext-security.xml. For this, create a new XML file called “applicationContext-security.xml” with the following contents:

<?xml version='1.0' encoding='UTF-8'?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
 xmlns:beans='http://www.springframework.org/schema/beans' 
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:context='http://www.springframework.org/schema/context'
 xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd'>
 
 
 
 
 <!-- NOTE(review): UserDetailsServiceImpl is also annotated @Service('userDetailsService') and
      lies inside the package scanned below, so the explicit bean definition and the
      component-scan both register the same bean name. One of the two is enough. -->
 <beans:bean id='userDetailsService' class='org.intan.pedigree.service.UserDetailsServiceImpl'></beans:bean>
 <context:component-scan base-package='org.intan.pedigree' />
 
 <!-- URL access rules.
      1. The access values are compared with the user's authority strings exactly, including
         case. The sample INSERT statements on this page create ROLE_admin, ROLE_Kennel_Owner
         and ROLE_User, which do not equal the names used here, so align the two before
         relying on these rules.
      2. Only the three patterns below are restricted; any other URL is not covered by a
         rule in this file. -->
 <http auto-config='true'>
  <intercept-url pattern='/admin/**' access='ROLE_ADMIN' />
  <intercept-url pattern='/user/**' access='ROLE_REGISTERED_USER' />
  <intercept-url pattern='/kennel/**' access='ROLE_KENNEL_OWNER' />
  <!-- <security:intercept-url pattern='/login.jsp' access='IS_AUTHENTICATED_ANONYMOUSLY' />  -->
 </http>

  <!-- NOTE(review): nothing in this file references these two beans; the
       authentication-manager element further down declares its own provider for the same
       userDetailsService. They look like leftovers and no password encoder is set on this
       provider. Confirm nothing else uses them before removing. -->
  <beans:bean id='daoAuthenticationProvider'
  class='org.springframework.security.authentication.dao.DaoAuthenticationProvider'>
  <beans:property name='userDetailsService' ref='userDetailsService' />
 </beans:bean>

 <beans:bean id='authenticationManager'
  class='org.springframework.security.authentication.ProviderManager'>
  <beans:property name='providers'>
   <beans:list>
    <beans:ref local='daoAuthenticationProvider' />
   </beans:list>
  </beans:property>
 </beans:bean>

 <!-- hash='plaintext' makes the provider compare the submitted password with the stored
      column value unchanged, so the user table has to contain clear-text passwords. Anyone
      who can read that table or a backup of it then has every user's password. Outside a
      local demo, choose a salted hash encoder supported by your Spring Security version and
      store only the encoded value. -->
 <authentication-manager>
  <authentication-provider user-service-ref='userDetailsService'>
   <password-encoder hash='plaintext' />
  </authentication-provider>
 </authentication-manager>


</beans:beans>

In your web.xml put the following code in order to load the applicationContext-security.xml file.

 <!-- Whitespace-separated list of context files. The file name must match the name on disk
      exactly, including upper and lower case, or the security context will not be found. -->
 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext-hibernate.xml
      /WEB-INF/applicationContext-security.xml
  </param-value>
 </context-param>

Last of all, excuse any typing mistakes etc, as this code is just copy and paste from personal work that I have done, if something does not work please post the question and I will be more than happy to assist you.

Reference: Spring 3, Spring Security Implementing Custom UserDetails with Hibernate from our JCG partner Ioannis Dadis at the Giannisapi blog.
