As always, Spring provides us with many ways of doing things. For implementing authentication, we have quite a range of techniques. There are really two choices we have to make: how to store users and how to retrieve users.
Storing users and passwords
Here are a few options for storing users and passwords with Spring.
1. In our local database
2. In a Spring Security configuration file, like security-context.xml (with or without password hashing)
3. On an LDAP server
4. In another location
Retrieving user information
Here are a few options for retrieving the user information with Spring.
(And don’t forget to check out this official reference. Some of the examples here are from section 2.2.3.)
1. The JdbcUserDetailsManager
In the previous example, without realizing it, we used the JdbcUserDetailsManager, which is the bean behind the jdbc-user-service that we configured in security-context.xml.
<security:authentication-manager>
  <security:authentication-provider>
    <security:jdbc-user-service data-source-ref="dataSource"/>
  </security:authentication-provider>
</security:authentication-manager>
The JdbcUserDetailsManager assumes certain defaults, and queries the users table by itself, unless we specify something like this:
<jdbc-user-service data-source-ref="dataSource"
    authorities-by-username-query="select username,authority from users where username=?"/>
2. Retrieving users from an XML file
It’s possible to just configure all the users in an XML file. So, no need for the database here! I found this code example here. Of course, the passwords are not a big secret when you know that the hashing algorithm is MD5. Anyway, this example works just like the example above, except there is no database.
<!-- Usernames/Passwords are rod/koala dianne/emu scott/wombat peter/opal -->
<authentication-manager>
  <authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
      <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
      <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
      <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
      <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>
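A review-time check for configurations like the MD5 user-service above, as an added example that is not from the original post or from the Spring project: it parses a security context file and reports every authentication provider that keeps inline users in plaintext or behind a fast hash. The function names, the sample document and the rule that only bcrypt passes are assumptions made for this illustration, as is the reading that a user-service without a password-encoder compares plaintext passwords.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the 32-hex value is a placeholder, not a real hash.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <authentication-manager>
    <authentication-provider>
      <password-encoder hash="md5"/>
      <user-service>
        <user name="alice" password="0123456789abcdef0123456789abcdef" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
    <authentication-provider>
      <user-service><user name="demo" password="changeme" authorities="ROLE_USER"/></user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>"""

STRONG_HASHES = {"bcrypt"}  # assumption: only an adaptive hash passes this audit

def local(tag):
    """Drop the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit(xml_text):
    """Return (provider_index, severity, message) for each risky provider."""
    findings = []
    root = ET.fromstring(xml_text)  # parse only config files you trust
    providers = [e for e in root.iter() if local(e.tag) == "authentication-provider"]
    for i, prov in enumerate(providers):
        users = [u for s in children(prov, "user-service") for u in children(s, "user")]
        if not users:
            continue  # JDBC, LDAP and custom providers keep no credentials in this file
        encoders = children(prov, "password-encoder")
        if not encoders:  # assumption: 3.x-era semantics, no encoder means plaintext
            findings.append((i, "high", f"{len(users)} inline user(s) in plaintext"))
        for enc in encoders:
            algo = enc.get("hash")
            if algo is None:
                findings.append((i, "review", "encoder set via ref; inspect that bean"))
            elif algo.lower() not in STRONG_HASHES:
                findings.append((i, "high", f"{len(users)} inline user(s) hashed with {algo}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Providers backed by jdbc-user-service or a user-service-ref produce no finding here because their credentials live outside the file; their password storage has to be reviewed where it actually lives.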
3. Using your own custom implementation of UserDetailsService to get users
You can also create your own custom implementation of Spring Security’s UserDetailsService to get user information. If you call this bean “myUserDetailsService” in your application context, then you can authenticate against it like this:
<authentication-manager>
  <authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
4. Use an existing implementation of UserDetailsService
There already exist several implementations of UserDetailsService, so you don’t have to create your own. Among these are CachingUserDetailsService, InMemoryDaoImpl, JdbcDaoImpl, JdbcUserDetailsManager, LdapUserDetailsManager, LdapUserDetailsService, and UserDetailsServiceWrapper. Here’s how to configure JdbcDaoImpl. Note that it has a dependency, the dataSource, which we define in another configuration file.
<authentication-manager>
  <authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
<beans:bean id="myUserDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
  <beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
5. Use an LDAP Authentication Provider
I won’t attempt to explain this. Check out this great reference here for more information about that.