Ignore username's case in SpringSecurity

Question

Does SpringSecurity have some built-in ability to ignore the letter-case of username? For example, if the username is "student001", then it will accept "Student001" as well as "stUdent001".

The reason I need this is that our system use emails as usernames. Of course I would be able to do this by extending the DAOAuthenticationProvider class, but I just wonder if there's any built-in option exists for this problem?

Answer 1

If you're using the DaoAuthenticationProvider then I presume you're using the JdbcDaoImpl with it, which loads users from a JDBC database.

If so, you can override the SQL query that JdbcDaoImpl uses to look up users by manually creating the bean yourself. The default query that Spring Security uses is:

select username,password,enabled from users where username = ?

You can use the SQL lower function to ignore case:

select username,password,enabled from users where lower(username) = lower(?)

The appropriate Spring Security XML configuration is:

<bean id="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="daoAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="caseInsensitiveUserDetailsService"/>
</bean>

<bean id="caseInsensitiveUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="usersByUsernameQuery" value="select username, password, enabled from users where lower(username) = lower(?)" />
</bean>

Answer 2

I believe any authentication provider take advantage of the UserDetails and UserDetailsService interfaces.

When an implementation of

UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;

is given for custom application specific UserDetailsService, we can ignore the case of username and provide the UserDetails to the spring-security to proceed with further authentication/authorization.

BUT, if spring provided org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl is used as UserDetailsService it will load the userdetails from user table with condition "where username=?". So it is case-sensitive.

Answer 3

gutch is partially right. It allows user with JdbcDaoImpl does case-insensitive check with user table. But you will require Authorities table query also needs to be changed.

<bean id="caseInsensitiveUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="usersByUsernameQuery" value="select username, password, enabled from users where lower(username) = lower(?)" />
    <property name="authoritiesByUsernameQuery" value="select username,authority " +
        "from authorities where lower(username) = lower(?)" />
</bean>