spring-securityuserdetailsservice

Spring's UserDetailsService


I'm trying to configure Spring Security in my Spring Boot application to only allow certain users access certain URL's if they have a particular role i.e a user or admin role that I store when I create my user. I've looked at a couple of examples here that pretty much do what I'm looking for. I'm a bit confused about Spring's UserDetailsService interface and how I should pass a username from my user to the UserDetailsService when trying to access a URL like localhost:8080/addtour. At the moment my code looks like the following:

@Data
@Scope("session")
public class User {

    @Id
    private String id;
    private String userName;
    private String password;
    private List<Role> roles;

My SecurityConfig class:

@Configuration 
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/accessdenied")
            .and()
        .authorizeRequests()
            .antMatchers("/resources/**", "/signup", "/search").permitAll()
            .antMatchers("/viewtour").hasAnyRole("USER", "ADMIN")
            .antMatchers("/addtour").hasAnyRole("ADMIN")
            .and()
        .logout()
            .permitAll()
            .logoutSuccessUrl("/index.html");
    }

    @Override  
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {  
        auth.userDetailsService(new UserDetailServiceImpl());  
    }

The UserDetailServiceImpl that implements Springs UserDetailService:

public class UserDetailServiceImpl implements UserDetailsService {

    @Autowired
    private UserService userService;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        try {  
            User user = userService.retrieveUserByUserName(username);  
            if (user == null) {  
                return null;  
            }  
            return new org.springframework.security.core.userdetails.User(user.getUserName(), user.getPassword(), getAuthorities(user));  
        } catch (Exception e){  
            throw new UsernameNotFoundException("User not found");  
        }  
    }  

    private Set<GrantedAuthority> getAuthorities(User user){  
        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();  
        for (Role role : user.getRoles()) {  
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(role.toString());  
            authorities.add(grantedAuthority);  
        }  
        System.out.println("user authorities are " + authorities.toString());  
        return authorities;  
    }

My Login Page using Thymeleaf:

<!DOCTYPE html SYSTEM "http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-4.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/style.css"/>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap-theme.min.css" />

</head>
<body>
	<div>
		<div class="content">
			<form action="#" th:action="@{/login}" th:object="${user}" method="post">
				<div class="panel panel-default">
					<br />
					<h1 class="panel-title header-tab">
						Login or <a href="/signup.html">Sign Up Here</a>
					</h1>
					<br />
					<div class="panel-body">
						<div class="form-group">
							<label for="inputEmail" class="control-label col-xs-5">Username
								or Email</label>
							<div class="col-xs-7">
								<input type="text" class="form-control" id="inputUsername" th:field="*{userName}" placeholder="Username or Email" />
							</div>
						</div>
						<br/><br/>
						<div class="form-group">
							<label for="inputPassword" class="control-label col-xs-5">Password</label>
							<div class="col-xs-7">
								<input type="password" class="form-control" id="inputPassword" th:field="*{password}" placeholder="Password" />
							</div>
						</div>
						<div class="form-group">
							<div class="col-xs-offset-5 col-xs-10">
								<div class="checkbox">
									<label><input type="checkbox" />Remember Me</label>
								</div>
							</div>
						</div>
						<div class="form-group">
							<div class="col-xs-offset-5 col-xs-7 btn-lg">
								<input type="submit" value="Sign In" class="btn btn-primary btn-block"/>
							</div>
						</div>
					</div>
				</div>
			</form>
		</div>
	</div>
</body>
</html>


Solution

  • The parameter names in your login page are wrong, see

    Change the names of the parameter in your login page or change the names in your SecurityConfig.