
I am new to Spring Security. I have a Spring Boot application with two different types of entities: customers and employees. Among employees I have normal employees, admins and super users. Since I am using JPA, each entity has its own repository. How do I model my UserDetailsService with loadUserByUsername, since this is a common method to validate against many repositories? Is there anything that I am missing in modelling around my entities?

Additional Info:

In my design, I have two entities: Customer and Employee. Employee will have roles like NORMAL, ADMIN and SUPER_USER. Customer is a different entity.

Will there be two UserDetailsService and two AuthenticationProvider each pointing to its own table (Customer and Employee)?

PraveenKumar Lalasangi
zilcuanu
  • Your question is very narrow, but you have a much bigger requirement that you are missing in your question. Before asking a question I suggest you gather the requirements. Let me help you in asking the question. Do you have different sets of users? Customers as a different entity and employees as a different entity. Employees can have the role `employee`, `admin` or `superuser`. If you make employee, admin and superuser separate tables it will be a bad design. I suggest you have one entity/table for employee, admin and superuser. – PraveenKumar Lalasangi Sep 14 '19 at 11:59
  • You can have a separate entity/table for customer. And do you have a separate login interface for customer and employee? I think you need separate login pages/forms for employees and customers. Am I correct? – PraveenKumar Lalasangi Sep 14 '19 at 12:01
  • @PraveenKumarLalasangi Added the details in the question – zilcuanu Sep 14 '19 at 14:03

2 Answers


As your requirement is to have multiple authentication entry points, it is not as simple as Atul's answer.

What you need is:

  1. You need to differentiate customer and employee while logging in (the preferred way is a radio button).

  2. You need to implement your own custom authentication filter, i.e. an implementation of UsernamePasswordAuthenticationFilter instead of the default .formLogin() provided by Spring Security.

  3. Create two UsernamePasswordAuthenticationTokens, EmployeeUsernamePasswordAuthenticationToken and CustomerUsernamePasswordAuthenticationToken.

  4. In your custom filter, get the userType from the request and, based on the userType, set the authToken to empAuthToken or customerAuthToken to select the required authentication provider.

  5. Create AuthenticationProviders as EmployeeCustomAuthenticationProvider and CustomerCustomAuthenticationProvider, where each AuthenticationProvider overrides the supports method so that it supports one specific token, either customerAuthToken or employeeAuthToken.

  6. Override the authenticate method, which is passed an Authentication parameter from which you can get both the username and password; pass these to any of your custom services to authenticate the user and grant the authorities required for that user.

While implementing your CustomAuthenticationFilter it is also required to provide your custom AuthenticationSuccessHandler and AuthenticationFailureHandler.

If you implement all of the above without any mistake you can avoid the fallback authentication which Spring Security provides by default when two custom AuthenticationProviders are configured.

For more detail on implementing multiple authentication entry points using Java configuration, refer to my answer given below: Multiple AuthenticationProvider with different UsernamePasswordAuthToken to authenticate different login forms without fallback authentication

and you can also download working code from my GitHub repository.

PraveenKumar Lalasangi
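The six steps in the answer above, carried through as one added example. This is not the answer's own code and not the linked GitHub repository; it assumes Spring Security 5.x (5.4 or later for the SecurityFilterChain bean, javax.servlet namespace), a PasswordEncoder bean, two UserDetailsService beans named employeeDetailsService and customerDetailsService that load from the Employee and Customer JPA repositories, and a login form that posts a userType field with the value EMPLOYEE or CUSTOMER. All class names (EmployeeAuthenticationToken, CustomerAuthenticationToken, UserTypeAuthenticationFilter, RepositoryAuthenticationProvider, TwoUserTypeSecurityConfig) and the parameter name userType are assumptions for the example. Instead of two separate provider classes it uses one provider class instantiated twice, once per table; the routing still happens purely through the token class in supports().

```java
import java.util.Arrays;
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Step 3: two token types (assumed names). The token's class is the only thing that routes a login to a provider.
class EmployeeAuthenticationToken extends UsernamePasswordAuthenticationToken {
    EmployeeAuthenticationToken(Object p, Object c) { super(p, c); }                       // unauthenticated
    EmployeeAuthenticationToken(Object p, Object c, Collection<? extends GrantedAuthority> a) { super(p, c, a); } // authenticated
}
class CustomerAuthenticationToken extends UsernamePasswordAuthenticationToken {
    CustomerAuthenticationToken(Object p, Object c) { super(p, c); }
    CustomerAuthenticationToken(Object p, Object c, Collection<? extends GrantedAuthority> a) { super(p, c, a); }
}

// Steps 2 and 4: the custom filter reads the form's radio button ("userType" is an assumed parameter name)
// and wraps the submitted credentials in the matching token type.
class UserTypeAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException {
        String username = obtainUsername(req);
        String password = obtainPassword(req);
        username = username == null ? "" : username.trim();
        password = password == null ? "" : password;
        UsernamePasswordAuthenticationToken token = "EMPLOYEE".equals(req.getParameter("userType"))
                ? new EmployeeAuthenticationToken(username, password)
                : new CustomerAuthenticationToken(username, password);
        setDetails(req, token); // keeps remote address and session id on the token for auditing
        return getAuthenticationManager().authenticate(token);
    }
}

// Steps 5 and 6: one provider instance per table. supports() matches the exact token class, so a customer
// token is never offered to the employee provider and vice versa: that is what removes the fallback.
class RepositoryAuthenticationProvider implements AuthenticationProvider {
    interface TokenFactory { Authentication authenticated(UserDetails u, Collection<? extends GrantedAuthority> a); }
    private final Class<?> tokenType; private final UserDetailsService users;
    private final PasswordEncoder encoder; private final TokenFactory factory;
    RepositoryAuthenticationProvider(Class<?> tokenType, UserDetailsService users,
                                     PasswordEncoder encoder, TokenFactory factory) {
        this.tokenType = tokenType; this.users = users; this.encoder = encoder; this.factory = factory;
    }
    @Override public boolean supports(Class<?> authentication) { return tokenType.equals(authentication); }
    @Override public Authentication authenticate(Authentication auth) {
        UserDetails user;
        try { user = users.loadUserByUsername(auth.getName()); }
        catch (UsernameNotFoundException e) { throw new BadCredentialsException("Bad credentials"); } // same error for unknown user: no enumeration
        if (!encoder.matches(String.valueOf(auth.getCredentials()), user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        return factory.authenticated(user, user.getAuthorities()); // credentials null: the password is not kept in the session
    }
}

@Configuration
class TwoUserTypeSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, PasswordEncoder encoder,
            @Qualifier("employeeDetailsService") UserDetailsService employees,   // assumed bean, Employee repository
            @Qualifier("customerDetailsService") UserDetailsService customers) throws Exception { // assumed bean, Customer repository
        AuthenticationProvider employeeProvider = new RepositoryAuthenticationProvider(
                EmployeeAuthenticationToken.class, employees, encoder, (u, a) -> new EmployeeAuthenticationToken(u, null, a));
        AuthenticationProvider customerProvider = new RepositoryAuthenticationProvider(
                CustomerAuthenticationToken.class, customers, encoder, (u, a) -> new CustomerAuthenticationToken(u, null, a));
        // Register only these two. A DaoAuthenticationProvider accepts every UsernamePasswordAuthenticationToken
        // subclass in its supports() and would reintroduce the fallback the answer warns about.
        ProviderManager manager = new ProviderManager(Arrays.asList(employeeProvider, customerProvider));

        UserTypeAuthenticationFilter filter = new UserTypeAuthenticationFilter();
        filter.setAuthenticationManager(manager);
        filter.setFilterProcessesUrl("/login");
        filter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/home"));     // assumed target
        filter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/login?error"));

        http.authorizeRequests(a -> a.antMatchers("/login").permitAll().anyRequest().authenticated())
            .addFilterAt(filter, UsernamePasswordAuthenticationFilter.class); // replaces the default form-login filter
        return http.build();
    }
}
```

Two things to check when wiring this up: the login form must still include the CSRF token, because CsrfFilter runs independently of the authentication filter, and if a token reaches the ProviderManager that no registered provider supports (for example a third userType value), ProviderManager raises ProviderNotFoundException rather than silently trying another provider, which is the behaviour you want here.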

"Will there be two UserDetailsService and two AuthenticationProvider each pointing to its own table (Customer and Employee)?" The answer is yes.

Spring Security has a filter, UsernamePasswordAuthenticationFilter (check the name of the filter), where you can implement the specific implementation based on the input type.

I did the same thing but for different auth mechanisms. But as per your requirement, what you're looking for is possible.

Atul