How to override default userDetailsService and passwordEncoder for spring-boot project
I have this `application.properties' file:
security.basic.enabled=false
spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/appdata
spring.datasource.username=kleber
spring.datasource.password=123456
spring.datasource.continue-on-error=true
sprinf.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.dialect=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.generate-ddl=true
spring.thymeleaf.prefix=classpath:/templates/
spring.thymeleaf.suffix=.html
spring.thymeleaf.mode=HTML5
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.content-type=text/html
spring.thymeleaf.cache=false
spring.servlet.multipart.max-file-size=10MB
spring.servlet.multipart.max-request-size=10MB
spring.servlet.multipart.file-size-threshold=10MB
server.tomcat.max-http-post-size=10MB
and this App class:
@SpringBootApplication
@Controller
public class AppApplication extends SpringBootServletInitializer {
public static void main(String[] args) {
SpringApplication.run(AppApplication.class, args);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(AppApplication.class);
}
@Bean
public WebSecurityCustomizer ignoringCustomizer() {
return (web) -> web
.ignoring()
.antMatchers("/", "/login", "/logout", "/register", "/error", "/css/**", "/js/**", "/img/**");
}
@Bean
public SpringSecurityDialect springSecurityDialect() {
return new SpringSecurityDialect();
}
@RequestMapping(value = "/")
public String index(Model model) {
return "index";
}
@RequestMapping(value = "/login")
public String login(Model model) {
return "login";
}
@RequestMapping(value = "/register", method=RequestMethod.GET)
public String register(Model model) {
model.addAttribute("obj", new Usuario());
return "register";
}
@RequestMapping(value = "/register", method=RequestMethod.POST)
public String register(@ModelAttribute Usuario usuario) {
return "redirect:/login";
}
}
I have tried add a Bean to the class above, like that:
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() { ... }
}
@Bean PasswordEncoder passwordEncoder() {
return new PasswordEncoder() { ... }
}
but this do not work. My guess is I need some way to configure them in the method WebSecurityCustomizer ignoringCustomizer() , but looking the documentation for the class WebSecurityCustomizer I do not see any way to do that.
Anyone can give any hints of how to do that?
UPDATE #1
Searching through the official site, I found some reference documentation and blog post telling the recommended way to do some actions close to what I need, but I am still struggling to get right.
First link, it's the reference page for the deprecated class WebSecurityConfigurerAdapter, where it's said to:
Use a SecurityFilterChain Bean to configure HttpSecurity or a WebSecurityCustomizer Bean to configure WebSecurity
HttpSecurity have a method to define a UserDetailsService Bean, but how I use it in my code?
The other link it's a blog post describing the old way to do some authentication tasks, and the new recommended way. The closest examples to what I want it's in the section about JDBC Authentication and In-Memory Authentication, and both of them are based on the use of a UseDetailsManager, if I am not wrong. I also tried add a new Bean like that:
@Bean
public UserDetailsManager userDetailsManager() {
return new UserDetailsManager() { ... }
}
but does not work. What's the right way to do override the beans I want now?
UPDATE 2
I currently have this code, which is still not working properly. with this configuration, I can register a new user (which is created in the database with success), but I cannot login with this user.
@SpringBootApplication
@Controller
public class App extends SpringBootServletInitializer {
@Autowired
UsuarioDao usuarioDao;
@Autowired
CredencialDao credencialDao;
public static void main(String[] args) {
SpringApplication.run(App.class, args);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(App.class);
}
@Bean
public SpringSecurityDialect springSecurityDialect() {
return new SpringSecurityDialect();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors().disable()
.authorizeRequests()
.antMatchers("/", "/login", "/logout", "/register", "/error", "/css/**", "/js/**", "/img/**").permitAll()
.anyRequest().authenticated()
.and()
.authenticationProvider(authProvider());
return http.build();
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(passwordEncoder());
provider.setUserDetailsService(userDetailsService());
return provider;
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
System.out.println("loadUserByUsername: " + username);
return usuarioDao.findBy("username", username).get(0);
}
};
}
@Bean
public PasswordEncoder passwordEncoder() {
return new PasswordEncoder() {
@Override
public String encode(CharSequence rawPassword) {
try {
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(rawPassword.toString().getBytes());
byte[] digest = md.digest();
StringBuilder sb = new StringBuilder();
for(int i=0; i<digest.length; i++) sb.append(Integer.toString((digest[i] & 0xff) + 0x100, 16).substring(1));
return sb.toString();
} catch (Exception e) {
return null;
}
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(encode(rawPassword));
}
};
}
@RequestMapping(value = "/")
public String index(Model model) {
return "index";
}
@RequestMapping(value = "/login")
public String login(Model model) {
return "login";
}
@RequestMapping(value = "/register", method=RequestMethod.GET)
public String register(Model model) {
model.addAttribute("obj", new Usuario());
return "register";
}
@RequestMapping(value = "/register", method=RequestMethod.POST)
public String register(@ModelAttribute Usuario usuario) {
try {
usuario.setPassword(passwordEncoder().encode(usuario.getPassword()));
usuario.setCredenciais(new ArrayList<Credencial>());
usuario.getCredenciais().add(credencialDao.findBy("nome", "USER").get(0));
usuarioDao.insert(usuario);
return "login";
} catch (Exception e) {
e.printStackTrace();
return "register";
}
}
}
Solution
I think there could be several issues with your actual code.
First, due to the fact you are using form login, please, try providing the appropriate configuration when defining your filter chain, for example:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors().disable()
.authorizeHttpRequests()
.antMatchers("/", "/login", "/logout", "/register", "/error", "/css/**", "/js/**", "/img/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
// Note the inclusion of the login processing url value
.loginProcessingUrl("/authenticate")
// One that you consider appropriate
.defaultSuccessUrl("/home")
.failureUrl("/login?error=true")
.and().authenticationProvider(authProvider());
return http.build();
}
As you can see, we are indicating that the login page will be handled by your controller /login mapping:
@RequestMapping(value = "/login")
public String login(Model model) {
return "login";
}
In addition, we indicated /authenticate as the login processing url configuration: this will activate all the authentication stuff provided by you and Spring Security to authenticate your users.
Note that you need to change your login.html page as well, because in your current implementation the username/password form is being submitted as well against /login - this is probably the cause of the problem you described in your update #2. Following the example, the form should be submitted against /authenticate:
<!DOCTYPE html>
<html lang="pt-BR">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login</title>
<linl rel="stylesheet" th:href="@{/css/style.css}"></linl>
</head>
<body>
<form method="post" th:action="@{/authenticate}">
<input type="text" name="username" placeholder="Usuário">
<input type="password" name="password" placeholder="Senha">
<input type="submit" value="Entrar">
</form>
<script th:src="@{/js/script.js}"></script>
</body>
</html>
Note that we included as well a route, /home to request your app after a successful authentication. Yu can define in App something like:
@RequestMapping(value = "/home")
public String home(Model model) {
return "home";
}
And a simple HTML test page, home.html:
<!DOCTYPE html>
<html lang="pt-BR">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
<link rel="stylesheet" th:href="@{/css/style.css}">
</head>
<body>
Authenticated!!
<script th:src="@{/js/script.js}"></script>
</body>
</html>
In order to make this work you should change an additional piece in your software. According to the way you defined your code, when Spring Security tries reading your Usuario GrantedAuthorities Hibernate will issue the well known failed to lazily initialize a collection of role... because in your current implementation you are reading the credentials stored in your database but there is no session:
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<Autorizacao> lista = new ArrayList<Autorizacao>();
for(Credencial credencial : credenciais) {
lista.addAll(credencial.getAutorizacoes());
}
return lista;
}
You can probably solve the issue in different ways, especially consider using @Transactional, but one straight forward solution could be the folllowing.
First, modify your Usuario object and include a transient property for storing the Spring Security granted credentials:
package org.kleber.app.model.usuario;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.ManyToMany;
import javax.persistence.Transient;
import org.kleber.app.model.credencial.Credencial;
import org.kleber.app.model.Model;
import org.kleber.app.model.autorizacao.Autorizacao;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
@Entity
public class Usuario extends Model implements UserDetails {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
Integer id;
@Column
String username;
@Column
String password;
@Column
String firstName;
@Column
String lastName;
@Column
String email;
@ManyToMany
List<Credencial> credenciais;
@Transient
Collection<? extends GrantedAuthority> authorities = Collections.emptySet();
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
public List<Credencial> getCredenciais() {
return credenciais;
}
public void setCredenciais(List<Credencial> credenciais) {
this.credenciais = credenciais;
}
public boolean isEnabled() {
return true;
}
public boolean isCredentialsNonExpired() {
return true;
}
public boolean isAccountNonExpired() {
return true;
}
public boolean isAccountNonLocked() {
return true;
}
public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
this.authorities = authorities;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
}
Next, include a custom method in UsuarioDao in order to obtain the credentials when you have an active Session:
package org.kleber.app.model.usuario;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.EntityManager;
import org.kleber.app.model.Dao;
import org.kleber.app.model.autorizacao.Autorizacao;
import org.kleber.app.model.credencial.Credencial;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;
@Repository
public class UsuarioDao extends Dao<Usuario> {
UsuarioDao() {
super(Usuario.class);
}
public Usuario findByUsername(String username) {
EntityManager entityManager = getEntityManager();
entityManager.getTransaction().begin();
Usuario usuario = (Usuario) entityManager.createQuery("SELECT a FROM Usuario a WHERE a.username = :value").setParameter("value", username).getSingleResult();
// Retrieve the credentials here
// On the contrary, you will face: failed to lazily initialize a collection of role...
// Please consider using @Transactional instead
List<Credencial> credenciais = usuario.getCredenciais();
List<Autorizacao> autorizacaos = new ArrayList<Autorizacao>();
for(Credencial credencial : credenciais) {
autorizacaos.addAll(credencial.getAutorizacoes());
}
usuario.setAuthorities(autorizacaos);
entityManager.getTransaction().commit();
entityManager.close();
return usuario;
}
}
Please, as I mentioned, consider use @Transactional and Spring built-in transaction demarcation mechanisms instead of handling your transactions on your own in this way.
Finally, user this new method in your UserDetailsService implementation:
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
System.out.println("loadUserByUsername: " + username);
return usuarioDao.findByUsername(username);
}
};
}
Instead of creating this new method in UsuarioDao another, perhaps better, possibility would be creating a UserService @Service that wrap this Usuario and Credentials initialization process: this service would be then the one used by your UserDetailsService implementation.
For completeness, this is how the App class would end looking like:
package org.kleber.app;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.security.MessageDigest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.ui.Model;
import java.util.ArrayList;
import org.springframework.beans.factory.annotation.Autowired;
import org.kleber.app.model.usuario.UsuarioDao;
import org.kleber.app.model.credencial.CredencialDao;
import org.kleber.app.model.usuario.Usuario;
import org.kleber.app.model.credencial.Credencial;
@SpringBootApplication
@Controller
public class App extends SpringBootServletInitializer {
@Autowired
UsuarioDao usuarioDao;
@Autowired
CredencialDao credencialDao;
public static void main(String[] args) {
SpringApplication.run(App.class, args);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(App.class);
}
@Bean
public SpringSecurityDialect springSecurityDialect() {
return new SpringSecurityDialect();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors().disable()
.authorizeHttpRequests()
.antMatchers("/", "/login", "/logout", "/register", "/error", "/css/**", "/js/**", "/img/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/authenticate")
.defaultSuccessUrl("/home")
.failureUrl("/login?error=true")
.and().authenticationProvider(authProvider());
return http.build();
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(passwordEncoder());
provider.setUserDetailsService(userDetailsService());
return provider;
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
System.out.println("loadUserByUsername: " + username);
return usuarioDao.findByUsername(username);
}
};
}
@Bean
public PasswordEncoder passwordEncoder() {
return new PasswordEncoder() {
@Override
public String encode(CharSequence rawPassword) {
try {
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(rawPassword.toString().getBytes());
byte[] digest = md.digest();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < digest.length; i++)
sb.append(Integer.toString((digest[i] & 0xff) + 0x100, 16).substring(1));
return sb.toString();
} catch (Exception e) {
return null;
}
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(encode(rawPassword));
}
};
}
@RequestMapping(value = "/")
public String index(Model model) {
return "index";
}
@RequestMapping(value = "/home")
public String home(Model model) {
return "home";
}
@RequestMapping(value = "/login")
public String login(Model model) {
return "login";
}
@RequestMapping(value = "/register", method = RequestMethod.GET)
public String register(Model model) {
model.addAttribute("obj", new Usuario());
return "register";
}
@RequestMapping(value = "/register", method = RequestMethod.POST)
public String register(@ModelAttribute Usuario usuario) {
try {
usuario.setPassword(passwordEncoder().encode(usuario.getPassword()));
usuario.setCredenciais(new ArrayList<Credencial>());
usuario.getCredenciais().add(credencialDao.findBy("nome", "USER").get(0));
usuarioDao.insert(usuario);
return "login";
} catch (Exception e) {
e.printStackTrace();
return "register";
}
}
}
Probably it could be improved in different ways, but the suggested setup should allow you to successfully access your app:
- Spring Properties Decryption
- How to replace a @MockBean?
- Cant compile spring boot on java 1.8
- Unable to autowire the MapStruct mapper
- MissingDependencyException: No mapping found for dependency [type=java.lang.String, name='struts.objectFactory.spring.autoWire.alwaysRespect']
- Spring Security Virtual Threads and ThreadLocal
- AnnotationConfigurationException since upgrade to Spring Boot 3/JDK 17
- No type attribute provided for component property in log4j2 with Spring Boot
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- Spring Boot JSP 404
- Facing the error "entityManagerFactory" while creating the demo spring boot application
- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Handler dispatch failed;
- No qualifying bean of type 'com...' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
- Spring JdbcTemplate / NamedParameterJdbcTemplate passing null value as a parameter value
- Jackson fails due FAIL_ON_TRAILING_TOKENS but feature is disabled
- Spring Boot default H2 jdbc connection (and H2 console)
- How to post error messages to the HTML from in Struts 2?
- Spring rabbitmq testing - RabbitListenerTestHarness doesn't find any listener
- Still receiving 403 error after Spring Security login
- Using ssl certificate with feign
- How to make an annotation that calls other annotations
- How to use Hibernate reverse engineering to create annotatedClasses style?
- 415 unsupported media type angular spring boot POST PUT http methods
- MapStruct - @Mapper annotation don't create bean
- How can I correct include path for webjars?
- Spring mvc + Spring Jpa + tyhmleaf StackOverflowError
- spring-ws: no endpoint mapping found
- Spring boot with Spring data JPA: could not extract ResultSet
- How to display images and link CSS files to JSP pages
- Implements tri angluar table structure in JDBC