Question

I was surprised how little I found searching on this subject. I'm using Spring Security to allow users to log into a Spring MVC app. I'm also using Hibernate in the service layer to persist changes to the db (I keep user info in the same db I use for the rest of the app). How can I, in this environment (using the advantages of Spring Security), make it possible for a user to change his own password?

This is my spring-security.xml:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/essays/auth/login" access="permitAll"/>
        <intercept-url pattern="/essays/auth/logout" access="permitAll"/>
        <intercept-url pattern="/essays/auth/denied" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/" access="hasRole('ROLE_USER')"/>
        <!-- more intercept urls -->

        <form-login login-page="/essays/auth/login"
                    authentication-failure-url="/essays/auth/login?error=true"
                    default-target-url="/essays/main/student/search"
                    always-use-default-target="true"/>

        <access-denied-handler error-page="/essays/auth/denied"/>

        <logout invalidate-session="true"
                logout-success-url="/essays/auth/login"
                logout-url="/essays/auth/logout"/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="customUserDetailsService">
            <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>

I implemented custom user details service:

import javax.annotation.Resource;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
@Transactional(readOnly = true)
public class CustomUserDetailsService implements UserDetailsService {

    @Resource
    private UserService userService;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        org.jana.domain.User domainUser = userService.getByUsername(username);
        // uniqueResult() returns null when no row matches; Spring Security expects a
        // UsernameNotFoundException here, not a NullPointerException wrapped in RuntimeException.
        if (domainUser == null) {
            throw new UsernameNotFoundException("No user found with username " + username);
        }
        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;
        // The stored hash is compared with the MD5 of the submitted password as configured by
        // <password-encoder hash="md5"/>; that encoder emits lowercase hex, hence toLowerCase().
        return new User(
                domainUser.getUsername(),
                domainUser.getPassword().toLowerCase(),
                enabled,
                accountNonExpired,
                credentialsNonExpired,
                accountNonLocked,
                getAuthorities(domainUser.getRole().getRole()));
    }
...

And this is the service that deals with Hibernate:

import javax.annotation.Resource;

import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service("userService")
@Transactional
public class UserService {

    @Resource(name="sessionFactory")
    private SessionFactory sessionFactory;

    public User getByUsername(String username) {

        Session session = sessionFactory.getCurrentSession();

        // Named parameter binding: the username is never concatenated into the HQL string.
        String hql = "FROM User u WHERE u.username = :username";
        Query query = session.createQuery(hql);
        query.setParameter("username", username);
        // uniqueResult() returns null when no user matches; callers must handle that.
        User user = (User)query.uniqueResult();

        return user;
    }
}

I'm new to this so any help will be much appreciated. Thank you.


Solution

I handle password modification like the modification of any other entity field.

In this situation you can create an update form for a hypothetical user object. When you save your user entity in the db you may need to save the hashed password, handle the salt, etc. But this is not a Spring Security job.
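As an added example (not part of the question or the answer above), here is one way to implement the "change my own password" service the answer describes, reusing the asker's UserService and SessionFactory. It assumes that org.jana.domain.User has a setPassword(String) method, that a PasswordEncoder bean from Spring Security's crypto module (for example BCryptPasswordEncoder, Spring Security 3.1 or later) is defined in the context, and that the authentication-provider references that same bean with <password-encoder ref="passwordEncoder"/> instead of hash="md5". The MIN_LENGTH policy is a placeholder.

```java
import javax.annotation.Resource;

import org.hibernate.SessionFactory;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import org.jana.domain.User;

/**
 * Lets the currently authenticated user change his own password.
 *
 * Assumptions (not from the original post): User has setPassword(String), and a
 * PasswordEncoder bean (e.g. BCryptPasswordEncoder) is wired both here and into the
 * authentication-provider via <password-encoder ref="passwordEncoder"/>.
 */
@Service
@Transactional
public class PasswordChangeService {

    /** Placeholder policy; replace with your own password rules. */
    private static final int MIN_LENGTH = 8;

    @Resource
    private UserService userService;          // the asker's service (getByUsername)

    @Resource(name = "sessionFactory")
    private SessionFactory sessionFactory;

    @Resource
    private PasswordEncoder passwordEncoder;  // same bean the authentication-provider uses

    public void changeOwnPassword(String currentPassword, String newPassword) {
        // The identity comes from the security context, never from a form field,
        // so a user can only ever change his own password, not someone else's.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AuthenticationCredentialsNotFoundException("No authenticated user");
        }
        User user = userService.getByUsername(auth.getName());
        if (user == null) {
            throw new AuthenticationCredentialsNotFoundException("User no longer exists");
        }

        // Re-verify the current password before allowing the change, so a hijacked
        // session or an unattended browser cannot silently lock the real owner out.
        if (!passwordEncoder.matches(currentPassword, user.getPassword())) {
            throw new BadCredentialsException("Current password is incorrect");
        }
        if (newPassword == null || newPassword.length() < MIN_LENGTH) {
            throw new IllegalArgumentException("New password is too short");
        }
        if (passwordEncoder.matches(newPassword, user.getPassword())) {
            throw new IllegalArgumentException("New password must differ from the current one");
        }

        // encode() generates a fresh random salt on every call and stores it inside the
        // hash string (BCrypt format), so no separate salt column or salt handling is needed.
        user.setPassword(passwordEncoder.encode(newPassword));
        // The entity was loaded in this transaction and is managed by the current Hibernate
        // session; update() makes the write explicit and it is flushed on commit.
        sessionFactory.getCurrentSession().update(user);
    }
}
```

A controller behind the update form only needs to read the two form fields and call changeOwnPassword; it should not accept a username parameter. Two caveats: the md5 setting in the question is an unsalted, fast hash, so switching the authentication-provider to a BCryptPasswordEncoder is the real fix, but existing MD5 hashes will no longer validate against it, so plan a migration (for example, forcing a password reset for users whose stored hash is not yet in BCrypt format). And keep the existing CSRF and session-invalidation settings in mind: the change-password form should be a POST, and the caller should only be reachable for authenticated users (it already falls under the hasRole('ROLE_USER') rules in the asker's configuration).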

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow