Authenticating users with Spring security against two user-services

Question:

I am very new to Spring security and my problem is as follows:

I have a <strong>member</strong> mysql table that contains information about the website's members, including their usernames, passwords and roles. So far so good: I can use this table to configure a <jdbc-user-service>.

However I also want to have a super user that is not going to be in the <strong>member</strong> table.

<ol>
<li>Is it possible and recommended to have this super-user in an in-memory user repository and therefore mix the jdbc user service with an in-memory user service? If so, how?</li>
<li>If <strong>1.</strong> is not possible, perhaps I can have a second mysql table called, for instance, <strong>moderator</strong>. Then what sort of sql query would I need to authenticate against these two tables?</li>
</ol>

Answer1:

Collisions

The problem with multiple repositories is that you need to ensure that you differentiate which user is which. For example, assume your data looks like the following:

<strong>member table</strong>

    username
    ----------------------
    member

<strong>moderator table</strong>

    username
    ----------------------
    moderator

Then you have some data associated with your users:

<strong>data table</strong>

    username     value
    ----------------------------------------
    moderator    secret

What now happens if you get a collision? For example, a user signs up and your member table now looks like this:

<strong>member table</strong>

    username
    ----------------------
    member
    moderator

Which moderator owns the data? There is no way to distinguish between the two users.

Alternative Approach

The alternative approach would be to use a mapping of users to roles, something like this:

<strong>member table</strong>

    username     is_moderator
    ----------------------
    member       false
    moderator    true

Then when a user tries to sign up with an existing username, there is a constraint violation, so you do not need to differentiate between the two. Of course you could map the roles using another table. This is what Spring Security does normally using the <a href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-schema.html" rel="nofollow">authorities</a> table.

Using multiple UserDetailsService

If you really want to use multiple user repositories anyway, you can simply declare multiple UserDetailsService entries in your configuration. An in-memory configuration example is shown below:

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service .. />
        </authentication-provider>
        <authentication-provider>
            <user-service>
                <user username="moderator" password="password" authorities="ROLE_MODERATOR"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

If you want to do both in the database, you need to determine what your SQL queries for each table are and then add two elements. For example:

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service .. />
        </authentication-provider>
        <authentication-provider>
            <jdbc-user-service .. />
        </authentication-provider>
    </authentication-manager>

Use the attributes to control your SQL queries. You can refer to the <a href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-namespace.html#nsa-jdbc-user-service" rel="nofollow">Spring Security appendix</a> for example queries.
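The collision the answer describes, and the single-table-plus-authorities schema it recommends instead, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 in place of MySQL so it runs offline; the table and column names (member, moderator, data, users, authorities), the sample rows and the plaintext passwords are constructed assumptions chosen to match the answer's prose. The two SELECTs in load_user mirror the shape of the users-by-username and authorities-by-username queries a jdbc-user-service runs, but are not copied from Spring Security.

```python
"""Two user repositories vs. one users table with an authorities mapping.

Added example (not the answer's own code). Schema, sample rows and names are
assumptions modelled on the answer's prose; passwords are plaintext only to
keep the demonstration short.
"""
import sqlite3


def two_table_schema():
    """'Collisions' section: one table per user kind, plus application data
    keyed only by username (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member    (username TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE moderator (username TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE data      (username TEXT NOT NULL, value TEXT NOT NULL);
        INSERT INTO moderator VALUES ('moderator', 'mod-pass');
        INSERT INTO data      VALUES ('moderator', 'secret');
    """)
    return conn


def claims_for(conn, username):
    """Every repository that holds this username. With two tables nothing stops
    both from answering, so nobody can say which account owns the rows in data."""
    found = []
    # Table names come from this fixed tuple, never from user input.
    for table, role in (("member", "ROLE_MEMBER"), ("moderator", "ROLE_MODERATOR")):
        if conn.execute(f"SELECT 1 FROM {table} WHERE username = ?", (username,)).fetchone():
            found.append(role)
    return found


def data_for(conn, username):
    """Rows in data visible to whoever authenticates under this username."""
    return [row[0] for row in conn.execute(
        "SELECT value FROM data WHERE username = ?", (username,))]


def single_table_schema():
    """'Alternative Approach' section, shaped like Spring Security's default
    users/authorities tables: one row per principal and a separate role
    mapping, so the username is unique by constraint."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        PRAGMA foreign_keys = ON;
        CREATE TABLE users (
            username TEXT PRIMARY KEY,
            password TEXT NOT NULL,
            enabled  INTEGER NOT NULL DEFAULT 1
        );
        CREATE TABLE authorities (
            username  TEXT NOT NULL REFERENCES users(username),
            authority TEXT NOT NULL,
            UNIQUE (username, authority)
        );
    """)
    return conn


def register(conn, username, password, authorities):
    """Create a user and its role rows atomically; False if the name is taken."""
    try:
        with conn:  # commits on success, rolls back on the IntegrityError
            conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                         (username, password))
            conn.executemany("INSERT INTO authorities (username, authority) VALUES (?, ?)",
                             [(username, a) for a in authorities])
        return True
    except sqlite3.IntegrityError:
        return False


def load_user(conn, username):
    """What a jdbc-user-service does: a users-by-username query followed by an
    authorities-by-username query, assembled into one principal (or None)."""
    user = conn.execute(
        "SELECT username, password, enabled FROM users WHERE username = ?",
        (username,)).fetchone()
    if user is None:
        return None
    roles = [r[0] for r in conn.execute(
        "SELECT authority FROM authorities WHERE username = ?", (username,))]
    return {"username": user[0], "password": user[1],
            "enabled": bool(user[2]), "authorities": sorted(roles)}


def demo():
    # Two repositories: a member signs up as 'moderator' and nothing prevents it.
    two = two_table_schema()
    two.execute("INSERT INTO member VALUES ('moderator', 'member-pass')")
    two.commit()
    collision = claims_for(two, "moderator")  # both tables now claim the name
    leaked = data_for(two, "moderator")       # the new member sees the secret too

    # One repository: the second sign-up fails on the primary key.
    one = single_table_schema()
    first = register(one, "moderator", "mod-pass", ["ROLE_MEMBER", "ROLE_MODERATOR"])
    second = register(one, "moderator", "member-pass", ["ROLE_MEMBER"])
    return {"collision": collision, "leaked": leaked,
            "first": first, "second": second, "user": load_user(one, "moderator")}


if __name__ == "__main__":
    print(demo())
```

The point of register running inside one transaction is that a duplicate username rejects the whole sign-up, role rows included, which is the constraint violation the answer relies on; with the two-table layout no constraint spans both tables, so the only defence would be application code that checks every repository before every insert.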
