Skip to main content

Spring Security part 2 - UserDetails

-

 We’ve all seen the infamous in-memory database with UserDetails as the base, but that’s just a high level example and isn’t useful in a production application. In this segment, I’m going to show you how to turn UserDetails into a useful security object.

Other Articles

If you’re new to Spring, you should take a look at Getting started with Spring Framework for Web Apps

UserDetails

You see and hear quite a bit about UserDetails but very few ways to actually implement it in production code. UserDetails is an interface you can add to your own User object, but in order to get access to it you need to also implement UserDetailsService as a component bean.

Spring Security will trigger this bean’s loadUserByUsername method after the user submits user/password but before it’s authenticated via the password. You return your own UserDetails object and allow spring security to determine if the user credentials match.

@Component
public class MyUserDetailsService implements UserDetailsService {

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
		// TODO Auto-generated method stub
		return null;
	}

}

To implement this you’ll want to implement the UserDetails interface on your own UserContext object. It’s recommended that you don’t implement this interface on your entity object since it’s mutable, so it’s better to create your own immutable object.

public class UserContext implements UserDetails {

    private final User user; // this is the entity bean
    ...
	private final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

	public UserContext() {}
	public UserContext(User user, List<GrantedAuthority> authorities) { 
		this.user = user;
		this.authorities = authorities;
	}

    ...
}

Now just implement your business logic to find the User in your database, set up the granted authorities for access and return your new UserContext.

@Component
public class MyUserDetailsService implements UserDetailsService {

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        User user = userRepository.findByUsername(username);
        // check for user not found
        ...
        List<GrantedAuthority> grantedAuthoritites = roleRepository.findRoles(user.getId());
        UserContext userContext = new UserContext(user, grantedAuthoritites);

        return userContext;
	}

}

You now have your own UserContext on the SecurityContext which is much more useful and relevant to your application. Below I’ve created a helper class to quickly get the UserContext from Spring Security’s SecurityContextHolder.

public class SecurityUtils {
	private SecurityUtils() {}
		
	public static UserContext getUserContext() {
		Authentication authentication = getAuthentication();
		if (authentication.isAuthenticated()) {
			if (authentication.getPrincipal() instanceof UserContext) {
				UserContext loggedInUserContext = (UserContext) authentication.getPrincipal();
				return loggedInUserContext;
			}
		}
		return null;
	}

	public static Authentication getAuthentication() {
		SecurityContext context = SecurityContextHolder.getContext();		
		Authentication authentication = context.getAuthentication();
		if (null == authentication || (authentication.getPrincipal() instanceof String)) {
			authentication = new UsernamePasswordAuthenticationToken(null, null);
			authentication.setAuthenticated(false);
		}
		return authentication;
	}
	
	public static boolean isAuthenticated() {
		return getAuthentication().isAuthenticated();
	}
}

Comments

Post a Comment

Popular posts from this blog

Max Upload File Size in Spring Framework

-
  Spring framework comes preconfigured with default upload file size and max request size. You can modify the sizes with application settings. Settings max-file-size  specifies the maximum size permitted for uploaded files. The default is 1MB max-request-size  specifies the maximum size allowed for multipart/form-data requests. The default is 10MB. Error exceeding max file size Java with Spring 6 will throw a  MaxUploadSizeExceededException  exception when the max size is exceeded. threw exception [ Request processing failed: org . springframework . web . multipart . MaxUploadSizeExceededException : Maximum upload size exceeded ] with root cause org . apache . tomcat . util . http . fileupload . impl . FileSizeLimitExceededException : The field image exceeds its maximum permitted size of 1048576 bytes . at org . apache . tomcat . util . http . fileupload . impl . FileItemStreamImpl $ 1 . raiseError ( FileItemStreamImpl . java : 117 )...
Read more

Use Java Enums with JPA

-
Java Persistence API (JPA) is a widely used standard for object-relational mapping (ORM) in Java applications. One of the common challenges when working with JPA is mapping database columns to Java enums. This can be especially challenging if the database column is not a string, such as when using an integer or a byte as the database column type. In this article, we will explore how to use Java enums with JPA. Mapping Java enums to database columns Before we dive into the details of how to use Java enums with JPA, let's first discuss how JPA maps Java enums to database columns. JPA provides two basic ways to map Java enums to database columns: Ordinal-based mapping : This maps the enum's ordinal value (the position of each enum value in the enum declaration) to the database column. For example, if we have an enum named Status with values ACTIVE, INACTIVE, and SUSPENDED, ACTIVE will have an ordinal value of 0, INACTIVE will have an ordinal value of 1, and so on. Name-based mappi...
Read more

Spring Security part 3 - OidcUser

-
  In the last article, I showed you how to return your own   UserDetails   object via a bean interface for username/password authentication. But what if you want to use OAuth authentication too? Spring Security works differently with OAuth but with a little engineering we can bring it all together into a cohesive solution. Other Articles Architecture -  Spring Security Architecture Part 1 -  Security configuration Part 2 -  How to handle UserDetails gracefully Part 3 -  UserDetails for OAuth authentication Part 4 -  Handling GrantedAuthorities with custom roles/permissions Part 5 -  Security tags for Freemarker If you’re new to Spring, you should take a look at  Getting started with Spring Framework for Web Apps OidcUser You’ve already learned about  UserDetails  but do you know about its cousin [OidcUser](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/core/oidc/user/OidcUser.ht...
Read more