Question

I'm currently using the spring-security libraries and I asked myself the following question: How should I combine my database model with the spring-security tables?

As you know, spring-security needs two tables (users and authorities) to define an authentication manager in the database. From my point of view there are now two possibilities where I store my additional user information (like email, lastname, last-logged-on, ...)

  1. I could have a plain user-table for authentication purposes and another one for the rest (linked by the username)

  2. I extend the user-table of spring-security with my necessary attributes.

What is the best design from your perspective? What are your experiences?

Lomu


Solution

I created a POJO User which represents the User entity as conceived by the Spring Security library, and secondly I created a POJO ProfiledUser to represent a specialized type of user of my application. It is called ProfiledUser because I needed a user associated to a profile. Of course, a similar approach can be applied for every type of user you need to represent. Basically, if you need more than one type of user you can make your classes extend the User POJO. In the following you find the class, with the JPA annotations.

import java.util.HashSet;
import java.util.Set;
import javax.persistence.*;
import org.springframework.security.core.userdetails.UserDetails;

@Entity
@Table(name="USERS")
@Inheritance(strategy=InheritanceType.JOINED)
public class User implements UserDetails {

    private static final long serialVersionUID = 1L;

    @Id
    @GeneratedValue
    private long id;
    @Column(unique = true, nullable = false)
    private String username;
    private String password;          // store a hash (e.g. BCrypt), never the cleartext
    private boolean enabled = true;

    // Authority must implement GrantedAuthority so that getAuthorities()
    // satisfies the UserDetails contract; EAGER because the authorities are
    // read during authentication, outside any persistence context.
    @ManyToMany(fetch = FetchType.EAGER)
    private Set<Authority> authorities = new HashSet<Authority>();

    //...getters & setters, plus the remaining UserDetails methods
    //   (isAccountNonExpired, isAccountNonLocked, isCredentialsNonExpired)
}

@Entity
@Table(name="PROFILED_USERS")
public class ProfiledUser extends User {

    private static final long serialVersionUID = 1L;

    // some custom attributes (value types mapped as @Embeddable, or entities)
    private PersonalData personalData;
    private ContactData contactData;
    private AddressData addressData;
    //...getters & setters
}

If you need to represent only one type of user, I think it should work to add attributes to the User class. However, I prefer to separate the abstract concept of user defined by the Spring Security framework from my business logic. So I'd recommend implementing your own SomethingUser that extends the User class.

OTHER TIPS

A person is a person and you should have a class/table representing a person†.

A user is a user, and is different from a person (hence the two different words), and you should have a class/table representing a user.

Can a person exist without a user? Yes

Can a user exist without a person? No, a username belongs to someone.

import java.time.LocalDate;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.*;

@Entity
@Inheritance(strategy = InheritanceType.JOINED)   // one table per concrete party type
abstract class Party {

  @Id
  @GeneratedValue
  Long id;

  String name;

  // inverse side of User.party: one party may own several usernames
  @OneToMany(mappedBy = "party")
  List<User> usernames = new ArrayList<>();
}

@Entity
class Individual extends Party {
  LocalDate dateOfBirth;   // java.time instead of a Joda DateTime
}

@Entity
class User {

  @Id
  @GeneratedValue
  Long id;

  @ManyToOne(optional = false)   // a username always belongs to someone
  Party party;

  @Column(unique = true, nullable = false)
  String username;

  String password; //you better use BCrypt/Blowfish hashing!

  Boolean enabled = true;
}

You could instead use a @OneToOne relationship if you only want one username per party.

† Actually you should have a more abstract class/table representing a legal party.
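Whichever table layout you choose, the entity still has to be handed to Spring Security's authentication manager. This added example (not code from either answer) wires the first answer's JPA User entity in through a UserDetailsService that maps it onto Spring's own UserDetails, with BCrypt, as the second tip recommends, as the PasswordEncoder. It assumes a Spring Data repository UserRepository with findByUsername, and that Authority implements GrantedAuthority (which the first answer's User already requires, since it implements UserDetails); both are assumptions, not on the page.

```java
import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Assumed Spring Data repository over the JPA User entity of the first answer.
interface UserRepository extends JpaRepository<User, Long> {
    Optional<User> findByUsername(String username);
}

@Configuration
public class UserSecurityConfig {

    // The same encoder hashes the password when an account is created and
    // verifies it at login, so the USERS table only ever holds BCrypt hashes.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Spring's DaoAuthenticationProvider picks up this bean together with the
    // PasswordEncoder above. The domain entity is converted into Spring's own
    // UserDetails here, so business code never depends on the security model.
    @Bean
    public UserDetailsService userDetailsService(UserRepository users) {
        return username -> {
            User u = users.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("No user " + username));
            return org.springframework.security.core.userdetails.User
                .withUsername(u.getUsername())
                .password(u.getPassword())      // stored hash; compared by the encoder
                .disabled(!u.isEnabled())
                .authorities(u.getAuthorities()) // Set<Authority>, Authority is a GrantedAuthority (assumed)
                .build();
        };
    }
}
```

The Party/Individual design from the second tip plugs in the same way: only the repository lookup changes, the mapping to UserDetails stays identical.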

Licensed under: CC-BY-SA with attribution