Reputation: 4147
Spring Security: Create Users
I am using spring-web(4.0.3.RELEASE) along with spring-security-web(3.2.3.RELEASE) in an app. My goal is to automatically create some users when my application starts up. However, when I add the users using the "security:user..." tag, it either doesn't create the users, or it complains that
Configuration problem: authentication-provider element cannot have
child elements when used with 'ref' attribute
As of now, my security-config.xml file looks like so.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config='true'>
<security:intercept-url pattern="/messagebroker/amf" access="ROLE_USER" />
<security:intercept-url pattern="/login.json" access="ROLE_ANONYMOUS" />
</security:http>
<jpa:repositories base-package="com.thing.orlando.repositories" />
<!--authentication manager and password hashing-->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="daoAuthenticationProvider">
<security:user-service>
<security:user name="admin" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="user" password="password" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
<property name="saltSource">
<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<property name="userPropertyToUse" value="email"/>
</bean>
</property>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
<bean id="userDetailsService" name="userAuthenticationProvider"
class="com.dallas.orlando.services.CustomUserDetailsService"/>
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg index="0" value="256"/>
</bean>
I was wondering what is the accepted way to create users and populate my db.
Upvotes: 0
Views: 2001
Answers (1)
Reputation: 6540
Change to this:
<!--authentication manager and password hashing-->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="daoAuthenticationProvider"/>
<security:authentication-provider
<security:user-service>
<security:user name="admin" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="user" password="password" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-manager>
You need to specify your daoAuthenticationProvider as a separate authentication provider to your user-service authentication provider, because they should be providing two different methods of dealing with an authentication attempt.
Your daoAuthenticationProvider will do your own custom thing to determine whether to authenticate a login attempt, and the user-service will successfully authenticate the two users you gave it.
To answer your question: Create users using an SQL script when the application starts. You can use the SQL scripts like this:
<jdbc:initialize-database>
<jdbc:script location="script.location.sql"/>
</jdbc:initialize-database>
You can list as many script files as you like.
If you want to add support for encrypted passwords use the BCrypt password encoder like this:
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
You can autowire this bean into your daoAuthenticationProvider and use it to check if the password input matches what's stored in the database. You can also just hardcode the password for any users you create in a script to just be the hashed version of 'asdf123' if you like. Its up to you in the end.
Upvotes: 2
Related Questions
- Spring Security/Spring Boot - How to set ROLES for users
- auth Spring security java configuration
- spring security defining user registration with ROLE_USER
- Spring Security Java configuration for authenticated users with a role
- Spring Security User Information
- How to intergrate user registration form with spring security
- Adding users to spring 3 security
- SpringMVC 3 Spring Security Creating User Login
- Spring Security User
- Adding new users in Spring Security