Change to this:
<!-- authentication manager and password hashing -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="daoAuthenticationProvider"/>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="admin" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
            <security:user name="user" password="password" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
You need to specify your daoAuthenticationProvider as a separate authentication provider to your user-service authentication provider, because they should be providing two different methods of dealing with an authentication attempt. Your daoAuthenticationProvider will do your own custom thing to determine whether to authenticate a login attempt, and the user-service will successfully authenticate the two users you gave it.
To answer your question: Create users using an SQL script when the application starts. You can use the SQL scripts like this:
<jdbc:initialize-database>
<jdbc:script location="script.location.sql"/>
</jdbc:initialize-database>
You can list as many script files as you like.
If you want to add support for encrypted passwords, use the BCrypt password encoder like this:
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
You can autowire this bean into your daoAuthenticationProvider and use it to check if the password input matches what's stored in the database. You can also just hardcode the password for any users you create in a script to just be the hashed version of 'asdf123' if you like. It's up to you in the end.