Question

I am using spring-web(4.0.3.RELEASE) along with spring-security-web(3.2.3.RELEASE) in an app. My goal is to automatically create some users when my application starts up. However, when I add the users using the "security:user..." tag, it either doesn't create the users, or it complains that

Configuration problem: authentication-provider element cannot have 
child elements when used with 'ref' attribute

As of now, my security-config.xml file looks like so.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:jpa="http://www.springframework.org/schema/data/jpa"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config='true'>
    <security:intercept-url pattern="/messagebroker/amf" access="ROLE_USER" />
    <security:intercept-url pattern="/login.json" access="ROLE_ANONYMOUS" />
</security:http>
<jpa:repositories base-package="com.thing.orlando.repositories" />

 <!--authentication manager and password hashing-->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="daoAuthenticationProvider">
        <security:user-service>
            <security:user name="admin" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
            <security:user name="user" password="password" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="saltSource">
        <bean class="org.springframework.security.authentication.dao.ReflectionSaltSource">
            <property name="userPropertyToUse" value="email"/>
        </bean>
    </property>
    <property name="passwordEncoder" ref="passwordEncoder"/>
</bean>

<bean id="userDetailsService"  name="userAuthenticationProvider"
      class="com.dallas.orlando.services.CustomUserDetailsService"/>
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg index="0" value="256"/>
</bean>

I was wondering what is the accepted way to create users and populate my db.

Solution

Change to this:

<!--authentication manager and password hashing-->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="daoAuthenticationProvider"/>
    <!-- second, separate provider backed by the in-memory user-service -->
    <security:authentication-provider>
        <security:user-service>
            <security:user name="admin" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
            <security:user name="user" password="password" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

You need to specify your daoAuthenticationProvider as a separate authentication provider to your user-service authentication provider, because they should be providing two different methods of dealing with an authentication attempt.

Your daoAuthenticationProvider will do your own custom thing to determine whether to authenticate a login attempt, and the user-service will successfully authenticate the two users you gave it.

To answer your question: Create users using an SQL script when the application starts. You can use the SQL scripts like this:

<jdbc:initialize-database>
    <jdbc:script location="script.location.sql"/>
</jdbc:initialize-database>

You can list as many script files as you like.

If you want to add support for encrypted passwords, use the BCrypt password encoder like this:

<beans:bean id="passwordEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

You can autowire this bean into your daoAuthenticationProvider and use it to check if the password input matches what's stored in the database. You can also just hardcode the password for any users you create in a script to just be the hashed version of 'asdf123' if you like. It's up to you in the end.
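An added example, not part of the original answer: one way to produce the hashed values for such a seed script with the BCryptPasswordEncoder named above. The class name SeedUserSql, the `users` table and its columns, and the e-mail addresses are assumptions; adapt them to whatever CustomUserDetailsService reads.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example (hypothetical class): prints INSERT statements for a seed script
// that <jdbc:initialize-database> can run at startup.
// The "users" table and its columns are assumed, not taken from the page.
public class SeedUserSql {

    // Double any single quote so a value cannot end the SQL string literal early.
    static String sqlLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    static String insertFor(BCryptPasswordEncoder encoder, String email,
                            String rawPassword, String authority) {
        // encode() draws a fresh random salt and stores it inside the returned hash,
        // so no separate salt column or salt source is involved.
        String hash = encoder.encode(rawPassword);
        // Fail at generation time if the hash would not verify at login time.
        if (!encoder.matches(rawPassword, hash)) {
            throw new IllegalStateException("hash does not verify for " + email);
        }
        return "INSERT INTO users (email, password, authority) VALUES ("
                + sqlLiteral(email) + ", " + sqlLiteral(hash) + ", "
                + sqlLiteral(authority) + ");";
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample accounts; 'asdf123' is the sample password from the answer.
        String[][] seeds = {
            {"admin@example.com", "asdf123", "ROLE_ADMIN"},
            {"user@example.com", "asdf123", "ROLE_USER"}
        };
        for (String[] s : seeds) {
            System.out.println(insertFor(encoder, s[0], s[1], s[2]));
        }
        // The same password hashes to a different string each time, yet both verify.
        String first = encoder.encode("asdf123");
        String second = encoder.encode("asdf123");
        System.out.println("-- hashes differ: " + !first.equals(second));
        System.out.println("-- both verify: "
                + (encoder.matches("asdf123", first) && encoder.matches("asdf123", second)));
    }
}
```

Run it once with spring-security-crypto on the classpath and paste the printed statements into the script file, so the plain password never appears in the script itself.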

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow