Raging Goblin

8 March 2013

Spring Roo 2: Spring Security with database backend

Filed under: Java,Spring Roo — Raging Goblin @ 11:07

In the previous post we created a very simple logbook. In this post we will secure it to keep your logs private.

First, we have to expand our database model a little:
(Diagram: Database model)
The following commands will adjust our existing application:

entity jpa --class ~.domain.LogUserRole 
field string --fieldName roleName
test integration 
focus --class ~.domain.LogUser
field boolean --fieldName enabled --notNull true
field set --fieldName roles --type ~.domain.LogUserRole

In order to create a secure application Spring Roo comes with a single command:

security setup

Executing this command provides you with all the stuff to lock down your application. However, if you rerun the application you will notice that everything is still open for prying eyes. You have to change the configuration of secured paths in the file applicationContext-security.xml. Change the intercept-url patterns to:

<intercept-url pattern="/login"  access="permitAll" />
<intercept-url pattern="/resources/**"  access="permitAll" />
<intercept-url pattern="/**"  access="isAuthenticated()" />

Do not lock everything, because that will lock your login page as well ;). Note the order of the urls! These will be evaluated in the order listed and the first match will be used.

The usernames and passwords are configured in this file as well, and this is definitely not what you want. Normally you keep this stuff in a database. In order to use the LogUser object as credentials there is a little extra work to do.

If you look into LogUser.java you will notice the cascade type. In order to prevent Hibernate from removing the Role when you remove a LogUser, this has to be set to something like Persist:

@ManyToMany(cascade = CascadeType.PERSIST)
private Set<LogUserRole> roles = new HashSet<LogUserRole>();

And now comes the magic! Provide a ‘jdbc-user-service’ in the applicationContext-security.xml instead of the ‘user-service’. Replace:

  <password-encoder hash="sha-256" />
  <user-service>
    <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN" />
    <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER" />
  </user-service>

with:

  <password-encoder hash="sha-256" />
  <jdbc-user-service data-source-ref="dataSource"
    users-by-username-query="SELECT U.username AS username, U.password as password, U.enabled as enabled FROM log_user U where U.username=?"
    authorities-by-username-query="SELECT U.username as username, R.role_name as authority FROM log_user U left join log_user_roles UR on U.id=UR.log_user left join log_user_role R on UR.roles = R.id WHERE U.username=?" />

Change these queries according to your own table and column names. If you don’t know them, run the command ‘perform tests’, which generates the tables so you can put the proper names in the queries.

Last thing to do is insert a user in the database:

INSERT INTO `logbook`.`log_user` VALUES (NULL , 1, '8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918', 'admin', NULL);

Now the application is only accessible to the user admin with password admin.
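To see what the two queries above actually decide at login time, here is an added example (not code from the post or from Spring Roo) that runs them against an in-memory SQLite copy of the log_user / log_user_role / log_user_roles tables with constructed rows, and applies the same checks the sha-256 password-encoder and the enabled column imply: wrong password, disabled account and a user without any role are all refused. The table layout and the sample users are assumptions for illustration.

```python
import hashlib
import hmac
import sqlite3

# The exact queries from the post's <jdbc-user-service> element.
USERS_BY_USERNAME = ("SELECT U.username AS username, U.password as password, U.enabled as enabled "
                     "FROM log_user U where U.username=?")
AUTHORITIES_BY_USERNAME = ("SELECT U.username as username, R.role_name as authority FROM log_user U "
                           "left join log_user_roles UR on U.id=UR.log_user "
                           "left join log_user_role R on UR.roles = R.id WHERE U.username=?")


def build_db():
    """In-memory stand-in for the 'logbook' schema (assumed column layout, constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE log_user (id INTEGER PRIMARY KEY, enabled INTEGER, password TEXT,
                               username TEXT, version INTEGER);
        CREATE TABLE log_user_role (id INTEGER PRIMARY KEY, role_name TEXT);
        CREATE TABLE log_user_roles (log_user INTEGER, roles INTEGER);
    """)
    admin_hash = hashlib.sha256(b"admin").hexdigest()  # same value as the post's INSERT statement
    db.executemany("INSERT INTO log_user VALUES (?,?,?,?,?)", [
        (1, 1, admin_hash, "admin", None),
        (2, 0, admin_hash, "disabled", None),   # enabled = 0
        (3, 1, admin_hash, "noroles", None),    # no row in log_user_roles
    ])
    db.execute("INSERT INTO log_user_role VALUES (1, 'ROLE_ADMIN')")
    db.execute("INSERT INTO log_user_roles VALUES (1, 1)")
    return db


def authenticate(db, username, password):
    """Model of the JDBC user lookup plus sha-256 check; returns the authorities or None on refusal."""
    row = db.execute(USERS_BY_USERNAME, (username,)).fetchone()
    if row is None:
        return None                                   # unknown user
    _, stored_hash, enabled = row
    supplied_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, supplied_hash):
        return None                                   # bad password (constant-time compare)
    if not enabled:
        return None                                   # account disabled via the enabled column
    # The LEFT JOIN yields one row with a NULL authority for a user that has no roles;
    # such rows are dropped here, and a user with no authorities left is refused (model assumption).
    authorities = [a for _, a in db.execute(AUTHORITIES_BY_USERNAME, (username,)) if a is not None]
    return authorities or None
```

Because the encoder is an unsalted sha-256, all three constructed users share one stored hash for the same password, which is why a salted or adaptive encoder is preferable outside a demo.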


1 Comment »

  1. […] post 1 we created a simple log application that is capable of storing messages in a database. In post 2 we gained a little privacy with the introduction of Spring Security. However, every post is visible […]

    Pingback by Spring Roo 3: Show only items belonging to logged in user | Raging Goblin — 18 March 2013 @ 11:58 | Reply
