
I have a Spring Boot application and a Neo4j database. My application.properties file looks like this:

spring.data.neo4j.uri = http://127.0.0.1:7474
spring.data.neo4j.username = neo4j
spring.data.neo4j.password = neo4jpass

The application has a basic user:

@NodeEntity
public class User {

  @GraphId
  private Long id;

  @Property (name="username")
  private String username;

  @Property (name="password")
  private String password;

  @Property (name="name")
  private String name;

  @Property (name="role")
  private String role;
}

A simple user repository:

public interface UserRepository extends GraphRepository<User>{
}

My current spring security configuration is:

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/","/index").permitAll()
            .anyRequest().authenticated()
        .and()
            .authorizeRequests()
            .antMatchers("/css/**")
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers("/resources/**")
            .permitAll();

        http
            .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/home")
            .permitAll()
        .and()
            .logout()
            .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }


    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/vendors/**", "/local/**");
    }
}

After logging in with the in memory authentication I can create, read and delete users. What I want to do is to replace the in memory authentication, and authenticate against the existing users within the database. What are my options here?

PaulB
  • Create a custom UserDetailsService that can load a user by username from the database, and then inject your datasource in the above configuration in place of inMemoryAuthentication(). – Afridi Jul 17 '17 at 07:30
  • @Afridi I am a bit confused by the datasource part. I didn't use any datasource object and connect to the database through the neo4j datauri defined in the application.properties. Do you mean that I should create a custom data access object as shown here?: https://docs.spring.io/spring-boot/docs/current/reference/html/howto-data-access.html – PaulB Jul 17 '17 at 13:49
  • Yes, and as you are using Spring Boot and an application.properties file, there is no need to define a dataSource bean; just @Autowire the dataSource object in the configuration file, and then define a custom UserDetailsService (to be used to retrieve the user by username from the Neo4j database). For more info, check this: https://dzone.com/articles/spring-security-4-authenticate-and-authorize-users – Afridi Jul 17 '17 at 14:09

1 Answer

You have some options here, and it will depend on how professional and secure you want your application to be.

  1. You can simply put the real database information in your application.properties instead of the local/in-memory one you are loading locally, so every time you load your application you will point to that database.
  2. If you are talking about deploying your application in many environments (dev, prod, whatever), you should have these configurations externalized and loaded as environment variables at deploy time (you have many ways to do that, depending on how you will host your application). In this case you will do what @Afridi said in the comments: create a DataSource bean to load the environment variables set at deploy time.
  3. You can use external configuration files, so at the moment you run the generated .jar file you just need to pass extra parameters to use different configurations for your environment.

For sure there are many other options to do the same thing, but these are some that you have. I hope I helped you, even so much time after the question.

Eduardo Meneses
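The approach suggested in the comments, a custom UserDetailsService backed by the Neo4j repository, written out as an added example that is not part of the original question or answer. It assumes a derived finder `findByUsername(String)` is added to `UserRepository`, that the `User` entity has getters, that `role` holds a value such as `USER`, and that the stored `password` property is a BCrypt hash rather than plain text.

```java
// Added example, not code from the original post. Assumptions (hypothetical names):
// UserRepository declares "User findByUsername(String username);", the User entity
// exposes getUsername()/getPassword()/getRole(), and passwords are stored BCrypt-hashed.
import java.util.Collections;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
class Neo4jUserDetailsService implements UserDetailsService {
    private final UserRepository users;

    @Autowired
    Neo4jUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = users.findByUsername(username);   // assumed derived finder
        if (user == null) {
            throw new UsernameNotFoundException("Unknown user");
        }
        // Map the node's single role property to a Spring Security authority.
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(),
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + user.getRole())));
    }
}

@Configuration
@EnableGlobalAuthentication
class DatabaseAuthenticationConfig {
    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    // Takes the place of the inMemoryAuthentication() configureGlobal, which must be removed.
    @Autowired
    void configureGlobal(AuthenticationManagerBuilder auth, Neo4jUserDetailsService svc) throws Exception {
        auth.userDetailsService(svc).passwordEncoder(passwordEncoder());
    }
}
```

Users created through the application need their password run through the same `PasswordEncoder` before being saved, otherwise the BCrypt comparison at login fails.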