Enterprise Java

Spring Security Implementing Custom UserDetails with Hibernate

Most of the time, we will want to configure our own security access roles in web applications. This is easily achieved in Spring Security. In this article we will see the most simple way to do this.

First of all we will need the following tables in the database:

CREATE TABLE IF NOT EXISTS `mydb`.`security_role` (

`id` INT(11) NOT NULL AUTO_INCREMENT ,

`name` VARCHAR(50) NULL DEFAULT NULL ,

PRIMARY KEY (`id`) )

ENGINE = InnoDB

AUTO_INCREMENT = 4

DEFAULT CHARACTER SET = latin1;

CREATE TABLE IF NOT EXISTS `mydb`.`user` (

`id` INT(11) NOT NULL AUTO_INCREMENT ,

`first_name` VARCHAR(45) NULL DEFAULT NULL ,

`family_name` VARCHAR(45) NULL DEFAULT NULL ,

`dob` DATE NULL DEFAULT NULL ,

`password` VARCHAR(45) NOT NULL ,

`username` VARCHAR(45) NOT NULL ,

`confirm_password` VARCHAR(45) NOT NULL ,

`active` TINYINT(1) NOT NULL ,

PRIMARY KEY (`id`) ,

UNIQUE INDEX `username` (`username` ASC) )

ENGINE = InnoDB

AUTO_INCREMENT = 9

DEFAULT CHARACTER SET = latin1;

CREATE TABLE IF NOT EXISTS `mydb`.`user_security_role` (

`user_id` INT(11) NOT NULL ,

`security_role_id` INT(11) NOT NULL ,

PRIMARY KEY (`user_id`, `security_role_id`) ,

INDEX `security_role_id` (`security_role_id` ASC) ,

CONSTRAINT `user_security_role_ibfk_1`

FOREIGN KEY (`user_id` )

REFERENCES `mydb`.`user` (`id` ),

CONSTRAINT `user_security_role_ibfk_2`

FOREIGN KEY (`security_role_id` )

REFERENCES `mydb`.`security_role` (`id` ))

ENGINE = InnoDB

DEFAULT CHARACTER SET = latin1;

Obviously, the table user will hold users, table security_role will hold security roles and user_security_roles will hold the association. In order for the implementation to be as simple as possible, entries inside the security_role table should always start with “ROLE_”, otherwise we will need to encapsulate (this will NOT be covered in this article).

So we execute the following statements:

insert into security_role(name) values ('ROLE_admin');

insert into security_role(name) values ('ROLE_Kennel_Owner');

insert into security_role(name) values ('ROLE_User');

insert into user (first_name,family_name,password,username,confirm_password,active)

values ('ioannis','ntantis','123456','giannisapi','123456',1);

insert into user_security_role (user_id,security_role_id) values (1,1);

So after those commands we have the following:

Three different security roles

One user with username “giannisapi”

We have give the role “ROLE_admin” to user “giannisapi”

Now that everything is completed on the database side, we will move to the java side to see what needs to be done.

First we will create the necessary DTO (there are various tools that will automatically generate DTO’s from the database for you):

package org.intan.pedigree.form;

import java.io.Serializable;

import java.util.Collection;

import java.util.Date;

import java.util.Set;

import javax.persistence.Basic;

import javax.persistence.Column;

import javax.persistence.Entity;

import javax.persistence.GeneratedValue;

import javax.persistence.GenerationType;

import javax.persistence.Id;

import javax.persistence.JoinColumn;

import javax.persistence.JoinTable;

import javax.persistence.ManyToMany;

import javax.persistence.NamedQueries;

import javax.persistence.NamedQuery;

import javax.persistence.Table;

import javax.persistence.Temporal;

import javax.persistence.TemporalType;

/**

*

* @author intan

*/

@Entity

@Table(name = 'user', catalog = 'mydb', schema = '')

@NamedQueries({

@NamedQuery(name = 'UserEntity.findAll', query = 'SELECT u FROM UserEntity u'),

@NamedQuery(name = 'UserEntity.findById', query = 'SELECT u FROM UserEntity u WHERE u.id = :id'),

@NamedQuery(name = 'UserEntity.findByFirstName', query = 'SELECT u FROM UserEntity u WHERE u.firstName = :firstName'),

@NamedQuery(name = 'UserEntity.findByFamilyName', query = 'SELECT u FROM UserEntity u WHERE u.familyName = :familyName'),

@NamedQuery(name = 'UserEntity.findByDob', query = 'SELECT u FROM UserEntity u WHERE u.dob = :dob'),

@NamedQuery(name = 'UserEntity.findByPassword', query = 'SELECT u FROM UserEntity u WHERE u.password = :password'),

@NamedQuery(name = 'UserEntity.findByUsername', query = 'SELECT u FROM UserEntity u WHERE u.username = :username'),

@NamedQuery(name = 'UserEntity.findByConfirmPassword', query = 'SELECT u FROM UserEntity u WHERE u.confirmPassword = :confirmPassword'),

@NamedQuery(name = 'UserEntity.findByActive', query = 'SELECT u FROM UserEntity u WHERE u.active = :active')})

public class UserEntity implements Serializable {

private static final long serialVersionUID = 1L;

@Id

@GeneratedValue(strategy = GenerationType.IDENTITY)

@Basic(optional = false)

@Column(name = 'id')

private Integer id;

@Column(name = 'first_name')

private String firstName;

@Column(name = 'family_name')

private String familyName;

@Column(name = 'dob')

@Temporal(TemporalType.DATE)

private Date dob;

@Basic(optional = false)

@Column(name = 'password')

private String password;

@Basic(optional = false)

@Column(name = 'username')

private String username;

@Basic(optional = false)

@Column(name = 'confirm_password')

private String confirmPassword;

@Basic(optional = false)

@Column(name = 'active')

private boolean active;

@JoinTable(name = 'user_security_role', joinColumns = {

@JoinColumn(name = 'user_id', referencedColumnName = 'id')}, inverseJoinColumns = {

@JoinColumn(name = 'security_role_id', referencedColumnName = 'id')})

@ManyToMany

private Set securityRoleCollection;

public UserEntity() {

}

public UserEntity(Integer id) {

this.id = id;

}

public UserEntity(Integer id, String password, String username, String confirmPassword, boolean active) {

this.id = id;

this.password = password;

this.username = username;

this.confirmPassword = confirmPassword;

this.active = active;

}

public Integer getId() {

return id;

}

public void setId(Integer id) {

this.id = id;

}

public String getFirstName() {

return firstName;

}

public void setFirstName(String firstName) {

this.firstName = firstName;

}

public String getFamilyName() {

return familyName;

}

public void setFamilyName(String familyName) {

this.familyName = familyName;

}

public Date getDob() {

return dob;

}

public void setDob(Date dob) {

this.dob = dob;

}

public String getPassword() {

return password;

}

public void setPassword(String password) {

this.password = password;

}

public String getUsername() {

return username;

}

public void setUsername(String username) {

this.username = username;

}

public String getConfirmPassword() {

return confirmPassword;

}

public void setConfirmPassword(String confirmPassword) {

this.confirmPassword = confirmPassword;

}

public boolean getActive() {

return active;

}

public void setActive(boolean active) {

this.active = active;

}

public Set getSecurityRoleCollection() {

return securityRoleCollection;

}

public void setSecurityRoleCollection(Set securityRoleCollection) {

this.securityRoleCollection = securityRoleCollection;

}

@Override

public int hashCode() {

int hash = 0;

hash += (id != null ? id.hashCode() : 0);

return hash;

}

@Override

public boolean equals(Object object) {

// TODO: Warning - this method won't work in the case the id fields are not set

if (!(object instanceof UserEntity)) {

return false;

}

UserEntity other = (UserEntity) object;

if ((this.id == null && other.id != null) || (this.id != null && !this.id.equals(other.id))) {

return false;

}

return true;

}

@Override

public String toString() {

return 'org.intan.pedigree.form.User[id=' + id + ']';

}

}
package org.intan.pedigree.form;

import java.io.Serializable;

import java.util.Collection;

import javax.persistence.Basic;

import javax.persistence.Column;

import javax.persistence.Entity;

import javax.persistence.GeneratedValue;

import javax.persistence.GenerationType;

import javax.persistence.Id;

import javax.persistence.ManyToMany;

import javax.persistence.NamedQueries;

import javax.persistence.NamedQuery;

import javax.persistence.Table;

/**

*

* @author intan

*/

@Entity

@Table(name = 'security_role', catalog = 'mydb', schema = '')

@NamedQueries({

@NamedQuery(name = 'SecurityRoleEntity.findAll', query = 'SELECT s FROM SecurityRoleEntity s'),

@NamedQuery(name = 'SecurityRoleEntity.findById', query = 'SELECT s FROM SecurityRoleEntity s WHERE s.id = :id'),

@NamedQuery(name = 'SecurityRoleEntity.findByName', query = 'SELECT s FROM SecurityRoleEntity s WHERE s.name = :name')})

public class SecurityRoleEntity implements Serializable {

private static final long serialVersionUID = 1L;

@Id

@GeneratedValue(strategy = GenerationType.IDENTITY)

@Basic(optional = false)

@Column(name = 'id')

private Integer id;

@Column(name = 'name')

private String name;

@ManyToMany(mappedBy = 'securityRoleCollection')

private Collection userCollection;

public SecurityRoleEntity() {

}

public SecurityRoleEntity(Integer id) {

this.id = id;

}

public Integer getId() {

return id;

}

public void setId(Integer id) {

this.id = id;

}

public String getName() {

return name;

}

public void setName(String name) {

this.name = name;

}

public Collection getUserCollection() {

return userCollection;

}

public void setUserCollection(Collection userCollection) {

this.userCollection = userCollection;

}

@Override

public int hashCode() {

int hash = 0;

hash += (id != null ? id.hashCode() : 0);

return hash;

}

@Override

public boolean equals(Object object) {

// TODO: Warning - this method won't work in the case the id fields are not set

if (!(object instanceof SecurityRoleEntity)) {

return false;

}

SecurityRoleEntity other = (SecurityRoleEntity) object;

if ((this.id == null && other.id != null) || (this.id != null && !this.id.equals(other.id))) {

return false;

}

return true;

}

@Override

public String toString() {

return 'org.intan.pedigree.form.SecurityRole[id=' + id + ']';

}

}

Now that we have out DTO lets created the necessary DAO classes:

package org.intan.pedigree.dao;

import java.util.List;

import java.util.Set;

import org.hibernate.SessionFactory;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.intan.pedigree.form.UserEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Repository;

@Repository

public class UserEntityDAOImpl implements UserEntityDAO{

@Autowired

private SessionFactory sessionFactory;

public void addUser(UserEntity user) {

try {

sessionFactory.getCurrentSession().save(user);

} catch (Exception e) {

System.out.println(e);

}

}

public UserEntity findByName(String username) {

UserEntity user = (UserEntity) sessionFactory.getCurrentSession().createQuery(

'select u from UserEntity u where u.username = '' + username + ''').uniqueResult();

return user;

}

public UserEntity getUserByID(Integer id) {

UserEntity user = (UserEntity) sessionFactory.getCurrentSession().createQuery(

'select u from UserEntity u where id = '' + id + ''').uniqueResult();

return user;

}

public String activateUser(Integer id) {

String hql = 'update UserEntityset active = :active where id = :id';

org.hibernate.Query query = sessionFactory.getCurrentSession().createQuery(hql);

query.setString('active','Y');

query.setInteger('id',id);

int rowCount = query.executeUpdate();

System.out.println('Rows affected: ' + rowCount);

return '';

}

public String disableUser(Integer id) {

String hql = 'update UserEntity set active = :active where id = :id';

org.hibernate.Query query = sessionFactory.getCurrentSession().createQuery(hql);

query.setInteger('active',0);

query.setInteger('id',id);

int rowCount = query.executeUpdate();

System.out.println('Rows affected: ' + rowCount);

return '';

}

public void updateUser(UserEntity user) {

try {

sessionFactory.getCurrentSession().update(user);

} catch (Exception e) {

System.out.println(e);

}

}

public List listUser() {

return sessionFactory.getCurrentSession().createQuery('from UserEntity')

.list();

}

public void removeUser(Integer id) {

UserEntity user = (UserEntity) sessionFactory.getCurrentSession().load(

UserEntity.class, id);

if (null != user) {

sessionFactory.getCurrentSession().delete(user);

}

}

public Set getSecurityRolesForUsername(String username) {

UserEntity user = (UserEntity) sessionFactory.getCurrentSession().createQuery(

'select u from UserEntity u where u.username = '' + username + ''').uniqueResult();

if (user!= null) {

Set roles = (Set) user.getSecurityRoleCollection();

if (roles != null && roles.size() > 0) {

return roles;

}

}

return null;

}

}
package org.intan.pedigree.dao;

import java.util.List;

import org.hibernate.Criteria;

import org.hibernate.SessionFactory;

import org.hibernate.criterion.Restrictions;

import org.intan.pedigree.form.Country;

import org.intan.pedigree.form.Kennel;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Repository;

@Repository

public class SecurityRoleEntityDAOImpl implements SecurityRoleEntityDAO{

@Autowired

private SessionFactory sessionFactory;

public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {

try {

sessionFactory.getCurrentSession().save(securityRoleEntity);

} catch (Exception e) {

System.out.println(e);

}

}

public List listSecurityRoleEntity() {

Criteria criteria = sessionFactory.getCurrentSession().createCriteria(SecurityRoleEntity.class);

criteria.add(Restrictions.ne('name','ROLE_ADMIN' ));

return criteria.list();

}

public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {

Criteria criteria = sessionFactory.getCurrentSession().createCriteria(SecurityRoleEntity.class);

criteria.add(Restrictions.eq('id',id));

return (SecurityRoleEntity) criteria.uniqueResult();

}

public void removeSecurityRoleEntity(Integer id) {

SecurityRoleEntity securityRoleEntity = (SecurityRoleEntity) sessionFactory.getCurrentSession().load(

SecurityRoleEntity.class, id);

if (null != securityRoleEntity) {

sessionFactory.getCurrentSession().delete(securityRoleEntity);

}

}

}

Now we will create the service layer for the above DAO’s.

package org.intan.pedigree.service;

import java.util.List;

import org.intan.pedigree.dao.SecurityRoleEntityDAO;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

@Service

public class SecurityRoleEntityServiceImpl implements SecurityRoleEntityService{

@Autowired

private SecurityRoleEntityDAO securityRoleEntityDAO;

@Transactional

public void addSecurityRoleEntity(SecurityRoleEntity securityRoleEntity) {

securityRoleEntityDAO.addSecurityRoleEntity(securityRoleEntity);

}

@Transactional

public List listSecurityRoleEntity() {

return securityRoleEntityDAO.listSecurityRoleEntity();

}

@Transactional

public void removeSecurityRoleEntity(Integer id) {

securityRoleEntityDAO.removeSecurityRoleEntity(id);

}

@Transactional

public SecurityRoleEntity getSecurityRoleEntityById(Integer id) {

return securityRoleEntityDAO.getSecurityRoleEntityById( id);

}

}

In the Service layer of UserDetails below, pay attention that it implements UserDetailsService from org.springframework.security.core.userdetails.UserDetailsService.

package org.intan.pedigree.service;

import org.intan.pedigree.dao.UserEntityDAO;

import org.intan.pedigree.dao.UserEntityDAO;

import org.intan.pedigree.form.UserEntity;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.dao.DataAccessException;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Service('userDetailsService')

public class UserDetailsServiceImpl implements UserDetailsService {

@Autowired

private UserEntityDAO dao;

@Autowired

private Assembler assembler;

@Transactional(readOnly = true)

public UserDetails loadUserByUsername(String username)

throws UsernameNotFoundException, DataAccessException {

UserDetails userDetails = null;

UserEntity userEntity = dao.findByName(username);

if (userEntity == null)

throw new UsernameNotFoundException('user not found');

return assembler.buildUserFromUserEntity(userEntity);

}

}

You also see above, that the loadUserByUsername methods return the result of the assembler.buildUserFromUserEntity . Simply put, what this method of the assembler does is to to construct a org.springframework.security.core.userdetails.User object from the given UserEntity DTO. The code of the Assembler class is given below:

package org.intan.pedigree.service;

import java.util.ArrayList;

import java.util.Collection;

import org.intan.pedigree.form.SecurityRoleEntity;

import org.intan.pedigree.form.UserEntity;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.authority.GrantedAuthorityImpl;

import org.springframework.security.core.userdetails.User;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

@Service('assembler')

public class Assembler {

@Transactional(readOnly = true)

User buildUserFromUserEntity(UserEntity userEntity) {

String username = userEntity.getUsername();

String password = userEntity.getPassword();

boolean enabled = userEntity.getActive();

boolean accountNonExpired = userEntity.getActive();

boolean credentialsNonExpired = userEntity.getActive();

boolean accountNonLocked = userEntity.getActive();

Collection authorities = new ArrayList();

for (SecurityRoleEntity role : userEntity.getSecurityRoleCollection()) {

authorities.add(new GrantedAuthorityImpl(role.getName()));

}

User user = new User(username, password, enabled,

accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);

return user;

}

}

The only thing that remain to be done now is to define what is necessary in the applicationContext-Security.xml. For this create a new xml file called “applicationContext-Security.xml” with the following contents:

<?xml version='1.0' encoding='UTF-8'?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
 xmlns:beans='http://www.springframework.org/schema/beans' 
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:context='http://www.springframework.org/schema/context'
 xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd'>
 
 
 
 
 <beans:bean id='userDetailsService' class='org.intan.pedigree.service.UserDetailsServiceImpl'></beans:bean>
 <context:component-scan base-package='org.intan.pedigree' />
 
 <http auto-config='true'>
  <intercept-url pattern='/admin/**' access='ROLE_ADMIN' />
  <intercept-url pattern='/user/**' access='ROLE_REGISTERED_USER' />
  <intercept-url pattern='/kennel/**' access='ROLE_KENNEL_OWNER' />
  <!-- <security:intercept-url pattern='/login.jsp' access='IS_AUTHENTICATED_ANONYMOUSLY' />  -->
 </http>

  <beans:bean id='daoAuthenticationProvider'
  class='org.springframework.security.authentication.dao.DaoAuthenticationProvider'>
  <beans:property name='userDetailsService' ref='userDetailsService' />
 </beans:bean>

 <beans:bean id='authenticationManager'
  class='org.springframework.security.authentication.ProviderManager'>
  <beans:property name='providers'>
   <beans:list>
    <beans:ref local='daoAuthenticationProvider' />
   </beans:list>
  </beans:property>
 </beans:bean>

 <authentication-manager>
  <authentication-provider user-service-ref='userDetailsService'>
   <password-encoder hash='plaintext' />
  </authentication-provider>
 </authentication-manager>


</beans:beans>

In your web.xml put the following code in order to load the applicationContext-security.xml file.

 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext-hibernate.xml
      /WEB-INF/applicationContext-security.xml
  </param-value>
 </context-param>

Last of all, excuse any typing mistakes etc, as this code is just copy and paste from personal work that I have done, if something does not work please post the question and I will be more than happy to assist you.

Reference: Spring 3, Spring Security Implementing Custom UserDetails with Hibernate from our JCG partner Ioannis Dadis at the Giannisapi blog.

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
ritesh
ritesh
9 years ago

can you please send me the whole code for this application in executable mode as i am newbie for spring security.
thanks in advance

hjd
hjd
9 years ago

I code project like this,but concurrency-control can’t be work ? can you ?

Stefan
Stefan
8 years ago

Thanks and all but this code is terrible to read. The indentation is wrong and there are too many useless empty lines..

Mayur
Mayur
8 years ago

Hello… I want to know that why (@Transactional) is required on loadByUserName().
If I skip that would it create any problem?

Back to top button