HowToDoInJava

Spring Security – JDBC User Service Example

By Lokesh Gupta | Filed Under: Spring Security

In previous post related to spring 3 security demo application using default user service in configuration file, we learned about securing an application behind a login page. In that post, username and passwords were stored in application-security.xml file itself. Now its time to take these authentication parameters out of configuration and store them in database.

There are two ways of doing this i.e. using custom user service implementation or spring provided jdbc user service. In this post, I am showing the way to use second approach i.e. jdbc user service.

Sections in this post:

Create tables in database
Update security configuration to use jdbc user service
Test the application

Background information

Apart from other inbuilt user details services inside spring container, JDBC user detail implementation is one of it. It is configured using tag “jdbc-user-service“.

Just like other spring features, this also comes with default implementation ready to use e.g.

	<authentication-manager alias="authenticationManager">
		<authentication-provider>
			<jdbc-user-service data-source-ref="dataSource" />
		</authentication-provider>
	</authentication-manager>

Above been definition will use the default tables in configured database. It assumes to be:

 create table users(
      username varchar_ignorecase(50) not null primary key,
      password varchar_ignorecase(50) not null,
      enabled boolean not null);

  create table authorities (
      username varchar_ignorecase(50) not null,
      authority varchar_ignorecase(50) not null,
      constraint fk_authorities_users foreign key(username) references users(username));
      create unique index ix_auth_username on authorities (username,authority);

BUT, in my example, I have created two tables according to my choice and have decided to feed data to jdbc user service using sql queries.

Create tables in database

So lets create our own tables in database:

-- ----------------------------
-- Table structure for `tbl_users`
-- ----------------------------
DROP TABLE IF EXISTS `tbl_users`;
CREATE TABLE `tbl_users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(100) NOT NULL,
  `password` varchar(20) NOT NULL,
  `enabled` int(1) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Table for storing the role and username mapping.

-- ----------------------------
-- Table structure for `tbl_user_role`
-- ----------------------------
DROP TABLE IF EXISTS `tbl_user_role`;
CREATE TABLE `tbl_user_role` (
  `userid` int(11) NOT NULL,
  `rolename` varchar(100) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

These tables have all required information like username, password, enabled status and assigned role. JDBC user service require these values only for a username provided as parameter.These values will be fetched with following sql queries:

SELECT USERNAME, PASSWORD, CASE ENABLED WHEN 1 THEN 'true' ELSE 'false' END 'ENABLED' FROM TBL_USERS WHERE USERNAME=?;

+----------+----------+---------+
| USERNAME | PASSWORD | ENABLED |
+----------+----------+---------+
| lokesh   | password | true    |
+----------+----------+---------+

Query to select role name.

SELECT u.USERNAME, r.ROLENAME
FROM TBL_USERS u, TBL_USER_ROLE r
WHERE u.ID = r.USERID
AND u.USERNAME=?;

+----------+-----------+
| USERNAME | ROLENAME  |
+----------+-----------+
| lokesh   | ROLE_USER |
+----------+-----------+

Update security configuration to use jdbc user service

This can be done as follows:

	<authentication-manager alias="authenticationManager">
		<authentication-provider>
			<jdbc-user-service data-source-ref="dataSource"
 
		   users-by-username-query="
		     SELECT USERNAME, PASSWORD, CASE ENABLED WHEN 1 THEN 'true' ELSE 'false' END 'ENABLED' 
		     FROM TBL_USERS 
		     WHERE USERNAME=?;"
 
		   authorities-by-username-query="
		    SELECT u.USERNAME, r.ROLENAME 
			FROM TBL_USERS u, TBL_USER_ROLE r
			WHERE u.ID = r.USERID
			AND u.USERNAME=?;"
 
			/>
		</authentication-provider>
	</authentication-manager>

JDBC user service implementation provide these two attributes to match username with password and then username with granted role or authority.

  1. users-by-username-query
  2. authorities-by-username-query

Test the application

Now build and run above application again in application server. It will behave exactly the way authentication/ authorization worked for xml configuration in previous tutorial.

Download sourcecode

Happy Learning !!

LinkedinRedditPocket

About Lokesh Gupta

A family guy with fun loving nature. Love computers, programming and solving everyday problems. Find me on Facebook and Twitter.

14 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Akshay
9 months ago

How do we get access to dataSource?

0
dty
1 year ago

please add

 
<http>
  <!-- ... -->
  <csrf disabled="true"/>
</http>
0
ayman
2 years ago

how it authenticate or varify the password?

0
Syam
3 years ago

Here How to get the USERNAME value if user failed to login?

0
Tushar Goel
3 years ago

How to handle a case when user assigned multiple roles?

0
eriks
4 years ago
  It's works!! thanks dear, for saving my day!
0
Kartik
4 years ago

How do I get user ID ?

0
Author
Lokesh Gupta
4 years ago
Reply to  Kartik

You can execute a sql query separately using username/email in where clause. For auth purpose, you don’t need user id. right?

0
Partha
5 years ago

what is the use of enabled

0
Author
Lokesh Gupta
5 years ago
Reply to  Partha

Whether user is active or not.

0
ML
5 years ago

Excellent example, thank you. How would one do this with encryption on the password field for MSSQL server?

0
Mike
6 years ago

How about implementing Remember me with persistent tokens (persistent_logins table in database)?
Thanks

0
Author
Lokesh Gupta
6 years ago
Reply to  Mike

I will try

0
Anonymous
7 years ago

Good, thanks for the example

0