Hi,

I'm building an app using Hibernate 3 (with JPA Annotations), Spring 2.5 and Spring Security 2.0.5.

I want to know what I need to put in my <authentication-provider> tag in my spring security config file (applicationContext-security.xml) so that I can get Spring Security to use my existing Service layer class (AuthenticationService) which deals with my custom User and Role domain objects.

I understand that Spring Security requires two tables to be present with the following schema:

    create table users (
        username varchar_ignorecase(50) not null primary key,
        password varchar_ignorecase(50) not null,
        enabled boolean not null);

    create table authorities (
        username varchar_ignorecase(50) not null,
        authority varchar_ignorecase(50) not null,
        constraint fk_authorities_users foreign key(username) references users(username));

    create unique index ix_auth_username on authorities (username, authority);

but I want to use my own domain objects which are different to the above table definitions.

Could someone please point me in the right direction here? I can't find any useful documentation and I'm not sure whether what I want to do is actually possible.

Thanks!

A: 

Define your custom AuthenticationManager using <bean id="myAuthenticationManager" class="com.security.MyAuthenticationManager"/>. The MyAuthenticationManager class should implement org.springframework.security.AuthenticationManager and override the method authenticate(Authentication authentication), in which you will use your custom service and domain objects to validate the user credentials and add his roles to the authentication object.

Teja Kantamneni
It's overkill. Custom UserDetailsService is enough.
axtavt
+2  A: 

You can implement a custom UserDetailsService as a bridge between your domain and Spring Security. Then you supply Spring Security with it as follows (for Spring Security 2.x):

<security:authentication-provider user-service-ref='myUserDetailsService'/>

<bean id="myUserDetailsService" class="... your implementation ...">
    ...
</bean>
axtavt
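
A bridge class of the kind described in this answer could look like the following. This is an added example, not code from the original answers, written against the Spring Security 2.0.x API; the nested `DomainUser`, `DomainRole` and `AuthenticationService` interfaces and their methods are hypothetical stand-ins for the asker's own classes.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

public class MyUserDetailsService implements UserDetailsService {

    // Hypothetical stand-ins for the asker's service and domain classes.
    public interface DomainRole { String getName(); }
    public interface DomainUser {
        String getUsername();
        String getPasswordHash();
        boolean isEnabled();
        List<DomainRole> getRoles();
    }
    public interface AuthenticationService {
        DomainUser findByUsername(String username); // assumed to return null when absent
    }

    private AuthenticationService authenticationService;

    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        DomainUser user = authenticationService.findByUsername(username);
        if (user == null) {
            // The contract forbids returning null; signal an unknown user explicitly.
            throw new UsernameNotFoundException("No such user");
        }
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        for (DomainRole role : user.getRoles()) {
            // Access attributes checked by the default RoleVoter start with "ROLE_".
            String name = role.getName();
            granted.add(new GrantedAuthorityImpl(name.startsWith("ROLE_") ? name : "ROLE_" + name));
        }
        // The provider compares the submitted password to this value; enabled=false blocks login.
        return new User(user.getUsername(), user.getPasswordHash(), user.isEnabled(),
                true, true, true, granted.toArray(new GrantedAuthority[granted.size()]));
    }
}
```

If the roles collection is lazily loaded by Hibernate, the lookup has to run inside an open session or transaction so that `getRoles()` can be read here.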
A: 

Do what axtavt said, or if you don't need anything more than to hit a custom table, you can override the query:

<security:authentication-provider>
    <security:jdbc-user-service data-source-ref="dataSource"
        authorities-by-username-query="SELECT u.username, a.authority FROM users u, authorities a WHERE u.username = a.username AND u.username = ?"
        users-by-username-query="SELECT username, password, enabled FROM users WHERE username = ?" />
</security:authentication-provider>

I would do what axtavt suggests though. You can create a DTO (Data Transfer Object) that implements the Spring Security User object. This will allow you to access pertinent data when retrieving the user from SecurityContextHolder:

// The principal is the UserDetails object returned by the UserDetailsService
Object o = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
UserDetailsDTO u = (UserDetailsDTO) o;
User user = u.getUser();
// now you have primary key, etc., etc.

You really don't need that right now looking at your tables, but IMO, your schema needs work.

Droo