0

I want to implement the login/logout (authentication/authorization) system of my Spring 4 MVC application with Spring Security.

Currently I use a very simple hand-made implementation which basically does nothing more than comparing the entered username and MD5 hashed password with the database values by looking up the user by the username using a custom service method and comparing the encrypted passwords.

If the passwords match, the username of the logged in member is saved in the session and a ControllerAdvice looks up the Member object for the user using the username in the session prior to each request. The checkLogin method returns true is username and password match:

@Service("loginService")
@Transactional
public class LoginServiceImpl implements LoginService {

private MemberDao dao;

//more methods

@Override
public boolean checkLogin(String username, String password) {

    String hashedPassword = getPasswordHash(password);
    return dao.checkLogin(username, hashedPassword);

}
}

This does work but is not a very elegant solution, does not handle different roles and is probably not very secure. Besides I want to become familiar with Spring Security.

Reading the official tutorial for Spring Security (http://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/reference/htmlsingle/#tech-userdetailsservice) the way to go to authenticate against the Login service method does not become clear to me.

The tutorial discusses authentication direct against the database but I cannot find anything about using a Service method to perform the authentication and in my layered architecture, the database is hidden behind the Servoce and Dao (Hibernate) layers.

Also most examples in the tutorial use XML based instead of Java based configuration which I use for my application. After having search a lot with search engines, I still have not found a tutorial which implements Spring Security in a Spring MVC application using a familiar layered structure using a Service and Dao layer.

Do I need to bypass Service and DAO/Hibernate layers and authenticate directory against the database? Or write a custom authentication-provider implementing UserDetailsService as described in this post? Spring Security 3 database authentication with Hibernate

And is configuring Spring Security possible with Java based configuration only? I am a bit lost with this issue so I hope for some hints...

Community
  • 1
  • 1
klausch
  • 612
  • 2
  • 10
  • 22
  • Have you try with Custom Authentication Provider? – FreezY Mar 07 '16 at 01:42
  • This is created with xml based configuration. https://github.com/pallavJha/EventApp/tree/master/event-webapp/ – Pallav Jha Mar 07 '16 at 05:20
  • Custom authentication provider is probably a possible solution but does not address all my issues. Is is bad practice to authenticate directly against database qwhile bypassing Service and DAO/Hibernate layers? It does not feel very good with me... – klausch Mar 07 '16 at 09:43
  • I use DaoAuthenticationPRovider in combination with UserDetailsService (getting the user info from the Dao/Hibernate layer) and it works OK now. – klausch Mar 18 '16 at 17:18

0 Answers0