• Java
    • JAXB Tutorial
      • What is JAXB
      • JAXB Marshalling Example
      • JAXB UnMarshalling Example
  • Spring Tutorial
    • Spring Core Tutorial
    • Spring MVC Tutorial
      • Quick Start
        • Flow Diagram
        • Hello World Example
        • Form Handling Example
      • Handler Mapping
        • BeanNameUrlHandlerMapping
        • ControllerClassNameHandlerMapping
        • SimpleUrlHandlerMapping
      • Validation & Exception Handling
        • Validation+Annotations
        • Validation+ResourceBundle
        • @ExceptionHandler
        • @ControllerAdvice
        • Custom Exception Handling
      • Form Tag Library
        • Textbox Example
        • TextArea Example
        • Password Example
        • Dropdown Box Example
        • Checkboxes Example
        • Radiobuttons Example
        • HiddenValue Example
      • Misc
        • Change Config file name
    • Spring Boot Tutorial
  • Hibernate Tutorial
  • REST Tutorial
    • JAX-RS REST @PathParam Example
    • JAX-RS REST @QueryParam Example
    • JAX-RS REST @DefaultValue Example
    • JAX-RS REST @Context Example
    • JAX-RS REST @MatrixParam Example
    • JAX-RS REST @FormParam Example
    • JAX-RS REST @Produces Example
    • JAX-RS REST @Consumes Example
    • JAX-RS REST @Produces both XML and JSON Example
    • JAX-RS REST @Consumes both XML and JSON Example
  • Miscellaneous
    • JSON Parser
      • Read a JSON file
      • Write JSON object to File
      • Read / Write JSON using GSON
      • Java Object to JSON using JAXB
    • CSV Parser
      • Read / Write CSV file
      • Read/Parse/Write CSV File – OpenCSV
      • Export data into a CSV File
      • CsvToBean and BeanToCsv – OpenCSV

JavaInterviewPoint

Java Development Tutorials

Spring Security – Custom UserDetailsService Example | InMemory & Database Authentication

September 11, 2019 by javainterviewpoint Leave a Comment

Previously we have learned about InMemoryUserDetailManager and JdbcUserDetailsManager. UserDetailsService is the core interface which is responsible for providing the User information to the AuthenticationManager. In this article, we will create a Custom UserDetailsService retrieves the user details from both InMemory and JDBC.

UserDetailsService provides the loadUserByUsername to which the username obtained from the login page should be passed and it returns the matching UserDetails.

In our Custom UserDetailsService, we will be overriding the loadUserByUsername which reads the local in-memory user details or the user details from the database.

Folder Structure:

Folder Structure -Spring Custom User Details Service

  1. Create a simple Maven Project “SpringCustomUserDetailsService” and create a package for our source files “com.javainterviewpoint.config” and “com.javainterviewpoint.controller” under src/main/java
  2. Now add the following dependency in the POM.xml
    <project xmlns="http://maven.apache.org/POM/4.0.0"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    	<modelVersion>4.0.0</modelVersion>
    	<groupId>com.javainterviewpoint</groupId>
    	<artifactId>SpringSecurity10</artifactId>
    	<packaging>war</packaging>
    	<version>0.0.1-SNAPSHOT</version>
    	<name>SpringCustomUserDetailsService Maven Webapp</name>
    	<url>http://maven.apache.org</url>
    	<properties>
    		<maven.compiler.source>1.8</maven.compiler.source>
    		<maven.compiler.target>1.8</maven.compiler.target>
    	</properties>
    
    	<dependencies>
    		<dependency>
    			<groupId>org.springframework</groupId>
    			<artifactId>spring-webmvc</artifactId>
    			<version>5.1.8.RELEASE</version>
    		</dependency>
    		<dependency>
    			<groupId>org.springframework</groupId>
    			<artifactId>spring-jdbc</artifactId>
    			<version>5.1.8.RELEASE</version>
    		</dependency>
    		<dependency>
    			<groupId>org.springframework.security</groupId>
    			<artifactId>spring-security-web</artifactId>
    			<version>5.1.5.RELEASE</version>
    		</dependency>
    		<dependency>
    			<groupId>org.springframework.security</groupId>
    			<artifactId>spring-security-config</artifactId>
    			<version>5.1.5.RELEASE</version>
    		</dependency>
    		<dependency>
    			<groupId>com.fasterxml.jackson.core</groupId>
    			<artifactId>jackson-databind</artifactId>
    			<version>2.9.9.1</version>
    		</dependency>
    		<dependency>
    			<groupId>com.fasterxml.jackson.core</groupId>
    			<artifactId>jackson-annotations</artifactId>
    			<version>2.9.9</version>
    		</dependency>
    
    		<dependency>
    			<groupId>javax.servlet</groupId>
    			<artifactId>javax.servlet-api</artifactId>
    			<version>4.0.1</version>
    		</dependency>
    		<dependency>
    			<groupId>javax.servlet.jsp</groupId>
    			<artifactId>javax.servlet.jsp-api</artifactId>
    			<version>2.3.3</version>
    			<scope>provided</scope>
    		</dependency>
    		<dependency>
    			<groupId>javax.servlet</groupId>
    			<artifactId>jstl</artifactId>
    			<version>1.2</version>
    		</dependency>
    
    	</dependencies>
    	<build>
    		<finalName>SpringCustomUserDetailsService</finalName>
    		<pluginManagement>
    			<plugins>
    				<plugin>
    					<groupId>org.apache.maven.plugins</groupId>
    					<artifactId>maven-war-plugin</artifactId>
    					<version>3.2.3</version>
    					<configuration>
    						<failOnMissingWebXml>false</failOnMissingWebXml>
    					</configuration>
    				</plugin>
    			</plugins>
    		</pluginManagement>
    	</build>
    </project>
  3. Create the Java class ServletInitializer.java, SpringSecurityConfig.java, SpringConfig.java, UserInformation.java and SecurityInitializer.java under com.javainterviewpoint.config and EmployeeController.java under com.javainterviewpoint.controller folder.

Other interesting articles which you may like …

  • Spring Security – JdbcUserDetailsManager Example
  • Spring Security – InMemoryUserDetailsManager Example
  • Spring Security Tutorial Hello World Example
  • Spring Security Annotation Configuration Example
  • Spring Security Database Authentication Example
  • Spring Security REST Basic Authentication
  • Spring Boot Security Basic Authentication
  • Spring Boot Security Database Authentication Example
  • context:annotation-config vs context:component-scan
  • Spring MVC BeanNameUrlHandlerMapping Example
  • Spring MVC ControllerClassNameHandlerMapping Example
  • Spring MVC SimpleUrlHandlerMapping Example
  • Spring REST Hello World Example – JSON and XML responses
  • ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
  • Fix missing src/main/java folder in Eclipse Maven Project – 2 build path entries are missing
  • Spring MVC CRUD Example with MySql + JdbcTemplate
  • RESTful Java Client With Jersey Client
  • RESTEasy Hello World Example with Apache Tomcat
  • RESTful Java client with RESTEasy client
  • Spring RESTful Web Services Hello World XML Example
  • Springfox Swagger 2 for Spring RESTful Web Services

Spring Security – Custom UserDetailsService Example – InMemory Authentication

Spring Security Custom UserDetailsService Example

Spring Configuration

package com.javainterviewpoint.config;

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = {"com.javainterviewpoint"})
public class SpringConfig
{
	
}

For now, we will not have any configurations in our SpringConfig file, later we will be adding the datasource and jdbcTemplate details.

  • @Configuration annotation indicates that this class declares one or more @Bean methods which will be processed by the Spring container to generate bean definitions
  • @EnableWebMvc is equivalent to <mvc:annotation-driven />. It enables support for @Controller, @RestController, etc.. annotated classes
  • @ComponentScan scans for the Stereotype annotations within the package mentioned in the basePackage attribute.

Spring Security Configuration – JdbcUserDetailsManager

package com.javainterviewpoint.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{

	@Autowired
	public CustomUserDetailsService customUserDetailsService;
	
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception
	{
		auth.userDetailsService(customUserDetailsService);
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception
	{
		http.authorizeRequests()
			.antMatchers("/employee/**").hasRole("USER")
			.antMatchers("/manager/**").hasRole("MANAGER")
			.anyRequest().authenticated()
			.and()
			.httpBasic()
			.and()
			.csrf().disable();
	}
	
	@Bean
	public PasswordEncoder passwordEncoder()
	{
		return new BCryptPasswordEncoder();
	}
	
}
  • @EnableWebSecurity annotation enables spring security configuration which is defined in WebSecurityConfigurerAdapter
  • We have extended WebSecurityConfigurerAdapter, which allows us to override spring’s security default feature. In our example we want all the requests to be authenticated using the custom authentication.
  • configure(HttpSecurity http) method configures the HttpSecurity class which authorizes each HTTP request which has been made. In our example ‘/employee/**’ should be allowed for the user with USER role and ‘/manager/**’ should be allowed for the user with MANAGER role.
    • authorizeRequests() .antMatchers(“/employee/**”).hasRole(“USER”) .antMatchers(“/manager/**”).hasRole(“MANAGER”) –> All requests must be authorized or else they should be rejected.
    • httpBasic() –> Enables the Basic Authentication
    • .csrf().disable() –> Enables CSRF protection
        @Override
	protected void configure(HttpSecurity http) throws Exception
	{
		http
			.authorizeRequests()
			.antMatchers("/employee/**").hasRole("USER")
			.antMatchers("/manager/**").hasRole("MANAGER")
			.anyRequest().authenticated()
			.and()
			.httpBasic()
			.and()
			.csrf().disable();
	}
  • configure(AuthenticationManagerBuilder auth) method configures the AuthenticationManagerBuilder class with the valid credentials and the allowed roles. The AuthenticationManagerBuilder class creates the AuthenticationManger which is responsible for authenticating the credentials. In our example, we have used the CustomUserDetailsService as the UserDetailsService

Custom UserDetailsService

package com.javainterviewpoint.config;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService
{
	@Autowired
	public PasswordEncoder passwordEncoder;

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
	{
		List<UserDetails> userDetailsList = populateUserDetails();
		
		for (UserDetails u : userDetailsList)
		{
			if (u.getUsername().equals(username))
			{
				return u;
			}
		}
		return null;
	}

	public List<UserDetails> populateUserDetails()
	{
		List<UserDetails> userDetailsList = new ArrayList<>();
		userDetailsList
				.add(User.withUsername("employee").password(passwordEncoder.encode("pass")).roles("USER").build());
		userDetailsList
				.add(User.withUsername("manager").password(passwordEncoder.encode("pass")).roles("USER","MANAGER").build());
		
		return userDetailsList;
	}

}

We have implemented the UserDetailsService interface and overridden the loadUserByUsername method.

The username obtained from the login form will be passed to the loadUserByUsername method and validated against the in-memory userdetails obtained from populateUserDetails() method.

We have created 2 users “employee” and “manager”, the employee has USER role and manager has USER, MANAGER roles

Registering Spring Security Filter

Spring Security will be implemented using DelegatingFilterProxy, in order to register it with the Spring container we will be extending AbstractSecurityWebApplicationInitializer. This will enable Spring to register DelegatingFilterProxy and use the springSecurityFilterChain Filter

package com.javainterviewpoint.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer
{

}

ServletInitializer

From Servlet 3.0 onwards, ServletContext can be programmatically configured and hence web.xml is not required.

We have extended AbstractAnnotationConfigDispatcherServletInitializer class which in turn implements WebApplicationInitializer, the WebApplicationInitializer configures the ServletContext

package com.javainterviewpoint.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class ServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer
{
	@Override
	protected Class<?>[] getRootConfigClasses()
	{
		return null;
	}

	@Override
	protected Class<?>[] getServletConfigClasses()
	{
		return new Class[] {SpringConfig.class};
	}

	@Override
	protected String[] getServletMappings()
	{
		return new String[] {"/"};
	}
}

EmployeeController

package com.javainterviewpoint.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class EmployeeController
{
	@GetMapping("/employee")
	public String welcomeEmployee()
	{
		return "Welcome Employee";
	}

	@GetMapping("/manager")
	public String welcomeManager()
	{
		return "Welcome Manager";
	}
}

Output:

Hit on the URL: http://localhost:8080/SpringCustomUserDetailsService/employee

With “Basic Auth” as authentication type and key in the valid employee credentials [employee/pass]

Custom UserDetailsService Example

The employees should not be allowed to access Manager service as they have the “USER” role only.

Hit on the URL: http://localhost:8080/SpringCustomUserDetailsService/employee

With “Basic Auth” as authentication type and key in the valid employee credentials [employee/pass]

Custom UserDetailsService Example 1

Spring Security – Custom UserDetailsService Example – Database Authentication

Create the below tables

CREATE  TABLE users (
  username VARCHAR(45) NOT NULL ,
  password VARCHAR(60) NOT NULL ,
  PRIMARY KEY (username));
  
CREATE TABLE authorities (
  username VARCHAR(45) NOT NULL,
  authority VARCHAR(60) NOT NULL,
  FOREIGN KEY (username) REFERENCES users (username));
  
  
INSERT INTO users VALUES ('employee','$2a$10$.Rxx4JnuX8OGJTIOCXn76euuB3dIGHHrkX9tswYt9ECKjAGyms30W');
INSERT INTO users VALUES ('manager','$2a$10$.Rxx4JnuX8OGJTIOCXn76euuB3dIGHHrkX9tswYt9ECKjAGyms30W');

INSERT INTO authorities VALUES ('employee', 'USER');
INSERT INTO authorities VALUES ('manager', 'MANAGER');

Note: We need to encode the password with Bcrypt Encryption Algorithm before persisting, In the above SQL “pass” is encrypted as “$2a$10$.Rxx4JnuX8OGJTIOCXn76euuB3dIGHHrkX9tswYt9ECKjAGyms30W”

SpringConfig.java

We have added DataSource and JdbcTemplate beans in the Spring Configuration file.

package com.javainterviewpoint.config;

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages =
{ "com.javainterviewpoint" })
public class SpringConfig
{
	@Bean
	public DataSource getDataSource()
	{
		DriverManagerDataSource dataSource = new DriverManagerDataSource();
		dataSource.setDriverClassName("com.mysql.jdbc.Driver");
		dataSource.setUrl("jdbc:mysql://localhost:3306/mydb");
		dataSource.setUsername("root");
		dataSource.setPassword("root");
		return dataSource;
	}

	@Bean
	public JdbcTemplate jdbcTemplate()
	{
		JdbcTemplate jdbcTemplate = new JdbcTemplate();
		jdbcTemplate.setDataSource(getDataSource());
		return jdbcTemplate;
	}
}

UserInformation.java

The UserInformation class holds the username, password, and authority of the users.

package com.javainterviewpoint.config;

import org.springframework.stereotype.Repository;

@Repository
public class UserInformation
{
    private String username;
    private String password;
    private String authority;
    public UserInformation()
    {
        super();
    }
    public UserInformation(String username, String password, String authority)
    {
        super();
        this.username = username;
        this.password = password;
        this.authority = authority;
    }
    public String getUsername()
    {
        return username;
    }
    public void setUsername(String username)
    {
        this.username = username;
    }
    public String getPassword()
    {
        return password;
    }
    public void setPassword(String password)
    {
        this.password = password;
    }
    public String getAuthority()
    {
        return authority;
    }
    public void setAuthority(String authority)
    {
        this.authority = authority;
    }
    @Override
    public String toString()
    {
        return "UserInformation [username=" + username + ", password=" + password + ", authority=" + authority + "]";
    }
}

CustomUserDetailsService.java

In our CustomUserDetailsService, we will be querying the Users and Authorities table to get the user information.

If the username matches, then it will create and return the UserDetails object with the corresponding username, password, and authority.

package com.javainterviewpoint.config;

import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService
{
    @Autowired
    public PasswordEncoder passwordEncoder;
    
    @Autowired
    public JdbcTemplate jdbcTemplate;
    
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
    {
        List<UserInformation> userInformationList = jdbcTemplate.query("SELECT u.username , "
        + "u.password , a.authority role FROM users u INNER JOIN authorities a on u.username=a.username "
        + "WHERE u.username = ?", new Object[]{username}, new RowMapper<UserInformation>()
                {
                    @Override
                    public UserInformation mapRow(ResultSet rs, int rowNum) throws SQLException
                    {
                        UserInformation userInfo = new UserInformation();
                        userInfo.setUsername(rs.getString(1));
                        userInfo.setPassword(rs.getString(2));
                        userInfo.setAuthority(rs.getString(3));
                        return userInfo;
                    }
                    
                });
        
        for(UserInformation u : userInformationList)
        {
            if(u.getUsername().equals(username))
            {
                return User.withUsername(u.getUsername())
                        .password(u.getPassword())
                        .roles(u.getAuthority()).build();
            }
                
        }
        return null;
    }
}

    Download Source Code

Happy Learning !!

Filed Under: Java, Spring, Spring Security Tagged With: Custom UserDetailsService, Spring Security, UserDetailsService

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Java Basics

  • JVM Architecture
  • Object in Java
  • Class in Java
  • How to Set Classpath for Java in Windows
  • Components of JDK
  • Decompiling a class file
  • Use of Class.forName in java
  • Use Class.forName in SQL JDBC

Oops Concepts

  • Inheritance in Java
  • Types of Inheritance in Java
  • Single Inheritance in Java
  • Multiple Inheritance in Java
  • Multilevel Inheritance in Java
  • Hierarchical Inheritance in Java
  • Hybrid Inheritance in Java
  • Polymorphism in Java – Method Overloading and Overriding
  • Types of Polymorphism in java
  • Method Overriding in Java
  • Can we Overload static methods in Java
  • Can we Override static methods in Java
  • Java Constructor Overloading
  • Java Method Overloading Example
  • Encapsulation in Java with Example
  • Constructor in Java
  • Constructor in an Interface?
  • Parameterized Constructor in Java
  • Constructor Chaining with example
  • What is the use of a Private Constructors in Java
  • Interface in Java
  • What is Marker Interface
  • Abstract Class in Java

Java Keywords

  • Java this keyword
  • Java super keyword
  • Final Keyword in Java
  • static Keyword in Java
  • Static Import
  • Transient Keyword

Miscellaneous

  • newInstance() method
  • How does Hashmap works internally in Java
  • Java Ternary operator
  • How System.out.println() really work?
  • Autoboxing and Unboxing Examples
  • Serialization and Deserialization in Java with Example
  • Generate SerialVersionUID in Java
  • How to make a class Immutable in Java
  • Differences betwen HashMap and Hashtable
  • Difference between Enumeration and Iterator ?
  • Difference between fail-fast and fail-safe Iterator
  • Difference Between Interface and Abstract Class in Java
  • Difference between equals() and ==
  • Sort Objects in a ArrayList using Java Comparable Interface
  • Sort Objects in a ArrayList using Java Comparator

Follow

  • Coding Utils

Useful Links

  • Spring 4.1.x Documentation
  • Spring 3.2.x Documentation
  • Spring 2.5.x Documentation
  • Java 6 API
  • Java 7 API
  • Java 8 API
  • Java EE 5 Tutorial
  • Java EE 6 Tutorial
  • Java EE 7 Tutorial
  • Maven Repository
  • Hibernate ORM

About JavaInterviewPoint

javainterviewpoint.com is a tech blog dedicated to all Java/J2EE developers and Web Developers. We publish useful tutorials on Java, J2EE and all latest frameworks.

All examples and tutorials posted here are very well tested in our development environment.

Connect with us on Facebook | Privacy Policy | Sitemap

Copyright ©2023 · Java Interview Point - All Rights Are Reserved ·