Spring security with database and multiple roles?

Question

I'm trying to make an application using spring 3.0. Now I've decided to try my hand at spring-security and hibernate. I've already seen that it's possible to back it with a databasem and I've seen a reference to defining your own queries?

Now the problem I have is that the tutorials I've been finding aren't too clear and that they assume that a user can only have one role. I want to give some users multiple roles.

So I was thinking about a database scheme along the lines of:

User:

• user_id
• username
• password
• registrationDate

User_Role:

• user_id
• role_id

Role:

• role_id
• rolename

Now I was wondering if anyone had some pointers to some usefull tutorials/advice/comments.

Answer 1

You need to implement your own UserDetails (supports multiple roles for each user). This custom UserDetails implementation is then returned by your own UserDetailsService implementation that's injected on your daoAuthenticationProvider.

See also my answer @ Spring Security 3 database authentication with Hibernate for a complete example.