Adding new users in Spring Security

Question

I have basic spring security set up in my Spring / Java EE web app. I can restrict access to certain pages and force login (with roles etc.). There needs to be a form where new users can register and specify a login name and password.

I am wondering if, to create new users, I simply query and update the appropriate spring security tables (e.g. using hibernate) as I would for any query, or is there built in functionality to create new users? If I am simply to use a standard DAO to update the users, how should I handle hashing of passwords?

Thanks!

Answer 1

You have to combine all of the answers on this page.

• Teja is correct, there is not facilitated way to add a user on the fly.
• Axtavt is also correct. You need some sort of data access/service layer to update your users table. In other words, you need to create the view like any other page with some kind of super user access.
• Michal and ax give good advice that you probably need to encode your password before saving it. The digest should match whatever you're using when you retrieve credentials.

Here's an example config using JDBC:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security
                         http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <global-method-security secured-annotations="enabled"/>

    <http auto-config="true" access-denied-page="/accessDenied.jsp">
        <!-- login page has anonymous access -->
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <!-- all pages are authenticated -->
        <intercept-url pattern="/**.action" access="ROLE_USER, ROLE_ADMIN"  />  
        <!-- all admin contextual pages are authenticated by admin role -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"  />
        <form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/index.action" login-page="/login.jsp"/>
        <logout logout-success-url="/index.action"/>
    </http>     

    <authentication-provider>
        <password-encoder hash="md5" /> 
        <jdbc-user-service data-source-ref="dataSource" 
            authorities-by-username-query="SELECT username, role AS authority FROM sweet_users WHERE username = ?"
            users-by-username-query="SELECT username, password, 1 AS enabled FROM sweet_users WHERE username = ?" />
    </authentication-provider>
</beans:beans>

This is using a custom query to obtain users. Spring Security expects a users table with username, password, and authority column names respectively, so do what you need to do to return those. You need to provide the data source.

If you created a page for adding users under the admin/ context, it would be authenticated according to this config.

Add a bean for your UserDao and/or UserService and/or AuthenticationService and pass it to your Users controller...

Answer 2

Spring Security has JdbcUserDetailsManager. It's a subclass of the default JDBC-based UserDetailsService with additional methods for creating users and so on. You can use it as a DAO instead of your own.

However password hashing should be handled explicitly. For example, if you use SHA hash, you can use ShaPasswordEncoder.encodePassword().

Answer 3

There is no such built in functionality for creating users in spring security. It is implemented only to secure resources based on the rules for users who are trying to login and access resources.