Friday, January 13, 2012

Spring Security 3.1 - Implement UserDetailsService with Spring Data JPA (Part 1)

In this tutorial, we will create a simple Spring MVC application and secure it with Spring Security 3.1. We have a custom database schema from which we will retrieve our authorized users and their respective roles. Consequently, we will implement a custom UserDetailsService with the help of Spring Data JPA, which allows quick implementation of JPA-based repositories.


Dependencies

  • Spring core 3.1.0.RELEASE
  • Spring Security 3.1.0.RELEASE
  • Spring Data JPA 1.1.0.M1
  • See pom.xml for details

GitHub

To access the source code, please visit the project's GitHub repository (click here)

Functional Specs

Before we start, we define our application's specs as follows:
  • Two types of users: admin and regular users
  • A login page that's accessible to all types of users, including unauthorized users
  • All other pages are visible to registered users only
  • A home page
  • A user page
  • An admin page which is visible only to admins

Database

As mentioned earlier, our application relies on a custom database schema to obtain its users.
The database contains two tables: user and role.


user and role table design

User table

The user table contains the personal information of each user. Notice that the password values are hashed using MD5.

user table

Role table

The role table contains the role value of each user. We define a role value of 1 as an admin and a role value of 2 as a regular user.

role table
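
The role mapping described above, as an added example that is not from the original tutorial or its repository: a UserDetailsService that turns the role value (1 = admin, 2 = regular user) into granted authorities and grants nothing for any other value. The Account and AccountLookup types and the ROLE_ADMIN / ROLE_USER names are assumptions standing in for the project's JPA entity and repository.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Added example: all class and authority names below are hypothetical.
public class RoleMappingUserDetailsService implements UserDetailsService {

    /** Stand-in for one joined row of the user and role tables. */
    public static class Account {
        final String username; final String passwordHash; final Integer role;
        public Account(String username, String passwordHash, Integer role) {
            this.username = username; this.passwordHash = passwordHash; this.role = role;
        }
    }

    /** Stand-in for the Spring Data JPA repository; returns null when no row matches. */
    public interface AccountLookup { Account findByUsername(String username); }

    private final AccountLookup accounts;

    public RoleMappingUserDetailsService(AccountLookup accounts) { this.accounts = accounts; }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.findByUsername(username);
        if (account == null) {
            throw new UsernameNotFoundException("User not found");
        }
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked are all true here
        return new User(account.username, account.passwordHash,
                true, true, true, true, authoritiesFor(account.role));
    }

    /** Role table: 1 = admin, 2 = regular user. Unknown or missing values grant nothing. */
    static List<GrantedAuthority> authoritiesFor(Integer role) {
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        if (role != null && role.intValue() == 1) {
            granted.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        }
        if (role != null && (role.intValue() == 1 || role.intValue() == 2)) {
            granted.add(new SimpleGrantedAuthority("ROLE_USER")); // assumption: admins are users too
        }
        return granted;
    }
}
```

The stored hash is passed through unchanged. MD5 is a fast digest unsuited to password storage, so outside a demo this service would be paired with an adaptive encoder such as BCryptPasswordEncoder from the Spring Security 3.1 crypto module.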

Screenshots

Before we start the actual development, let's preview how our application should look with a few screenshots. This is also a good way to further clarify the application's specs.

Login page
The login page contains two input fields: a username and a password field.

Login

Login failure page
When a user fails to log in, the login page is displayed again with an error message Login Failure! at the bottom.

Login failure

User's view
When a regular user logs in, the user should be redirected to the home page with Home, User, and Logout pages accessible to the user.

User's view

Admin's view
When an admin user logs in, the user should be redirected to the home page with Home, User, Admin, and Logout pages accessible to the user.

Admin's view

Logout success page
When a user successfully logs out, the login page is displayed again with a success message Logout Success! at the bottom.

Logout success

Next

In the next section, we will discuss the project's structure and start writing the Java classes. Click here to proceed.

8 comments:

  1. /* Excuse me for my English */
    First, I thank Mr. Krams for this very interesting tutorial, and I wonder if someone can help me by posting an updated pom.xml for this project; in fact, there are some problems in the "goldin" dependency.
    Thank you

    1. Can you elaborate what specific problems are these?

  2. No doubt this tutorial is interesting and useful in some way. But Spring JPA in real production... too many Spring...

    1. I don't see what's wrong with Spring JPA in real production. We use Spring JPA in production and it saved us development time. Adding a new query is just a matter of updating the interface.

  3. Many thanks for this interesting tutorial.
    But it would be very helpful to add to this tutorial an example of how to implement internationalization and localization for Spring Security.
    I googled a lot about this problem but found only how to implement internationalization and localization for Spring MVC (for example http://blog.springsource.org/2009/12/21/mvc-simplifications-in-spring-3-0/).
    I can't find a working example for Spring Security. I mean that I want to be able to change the locale on the login page and get the error message on the login page according to this locale.
    I am trying to implement my own solution for this problem, but it always gets messages in the system locale.

    Thank you

  4. Hi, is there any way to define user roles dynamically? Instead of hard coding, we would be able to dynamically add/delete roles for defined entitlements.

  5. Great job ! Thanks for this nice tutorial ;)

  6. Hey Krams, I would like to ask you a question regarding the database schema of your example. I would suppose that there are two tables for the user and his roles because one user can have one or many roles assigned. However, you are using a OneToOne relationship between the User and Role entity objects further on. In this case I see no point in using two tables and entities there... We could have only a user entity with an additional "role" attribute.
