I have basic spring security set up in my Spring / Java EE web app. I can restrict access to certain pages and force login (with roles etc.). There needs to be a form where new users can register and specify a login name and password.
I am wondering if, to create new users, I simply query and update the appropriate spring security tables (e.g. using hibernate) as I would for any query, or is there built in functionality to create new users? If I am simply to use a standard DAO to update the users, how should I handle hashing of passwords?
Thanks!
You have to combine all of the answers on this page.
Here's an example config using JDBC:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<global-method-security secured-annotations="enabled"/>
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<!-- login page has anonymous access -->
<intercept-url pattern="/login.jsp*" filters="none"/>
<!-- all pages are authenticated -->
<intercept-url pattern="/**.action" access="ROLE_USER, ROLE_ADMIN" />
<!-- all admin contextual pages are authenticated by admin role -->
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/index.action" login-page="/login.jsp"/>
<logout logout-success-url="/index.action"/>
</http>
<authentication-provider>
<password-encoder hash="md5" />
<jdbc-user-service data-source-ref="dataSource"
authorities-by-username-query="SELECT username, role AS authority FROM sweet_users WHERE username = ?"
users-by-username-query="SELECT username, password, 1 AS enabled FROM sweet_users WHERE username = ?" />
</authentication-provider>
</beans:beans>
This is using a custom query to obtain users. Spring Security expects a users table with username, password, and authority column names respectively, so do what you need to do to return those. You need to provide the data source.
If you created a page for adding users under the admin/ context, it would be authenticated according to this config.
Add a bean for your UserDao and/or UserService and/or AuthenticationService and pass it to your Users controller...
Spring Security has JdbcUserDetailsManager
. It's a subclass of the default JDBC-based UserDetailsService
with additional methods for creating users and so on. You can use it as a DAO instead of your own.
However password hashing should be handled explicitly. For example, if you use SHA hash, you can use ShaPasswordEncoder.encodePassword()
.
There is no such built in functionality for creating users in spring security. It is implemented only to secure resources based on the rules for users who are trying to login and access resources.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With