Spring security with database and multiple roles?

Question

I'm trying to make an application using spring 3.0. Now I've decided to try my hand at spring-security and hibernate. I've already seen that it's possible to back it with a databasem and I've seen a reference to defining your own queries?

Now the problem I have is that the tutorials I've been finding aren't too clear and that they assume that a user can only have one role. I want to give some users multiple roles.

So I was thinking about a database scheme along the lines of:

User:

• user_id
• username
• password
• registrationDate

User_Role:

• user_id
• role_id

Role:

• role_id
• rolename

Now I was wondering if anyone had some pointers to some usefull tutorials/advice/comments.

Answer 1

You need to implement you're own UserDetails (supports multiple roles for each user). This custom UserDetails implementation is then returned by you're own UserDetailsService implementation that's injected on you're daoAuthenticationProvider.

See also my answer @ Spring Security 3 database authentication with Hibernate for a complete example.

Answer 2

Something like this:

public class CustomUserService implements UserDetailsService {

   private UserDao userDao;

   public CustomUserService(UserDao u) {
      userDao = u;
   }

   public UserDetails loadUserByUsername(String username) {
      CustomUser user = userDao.getUser(username);
      if (user == null)
         throw new UserNotFoundException("User "+username+" does not exist");
      return user;
   }
}

And your UserDao implementation is a simple DAO that can easily use hibernate annotations and assign multple roles to your CustomUser object. Pretty basic.