shorne in japan


Using Acegi with Hibernate

13 Feb 2009

A while back I started working on a web application with, at the time, all new Java technologies. Once the web application needed an authentication framework I turned to Acegi (now part of Spring Security API). Acegi security provides many of the authentication features a developer requires in a web application, including remember me, failed login handling, public content access and so on. Other technologies I used were Struts2, Spring and Hibernate.

Since I was using Hibernate and Spring DAOs I thought it best that I store my user names and passwords in the database via the same mechanism. That is, I needed to use Acegi for authentication and Hibernate and Spring for managing the user detail persistence layer. After searching a few forums it turned out that many people wanted to do the same, but no one was providing a solution. After a brief brainstorming session and some research into the Acegi API I came up with my own UserDetailsService implementation backed by Hibernate and Spring. It's simple but it provides me with what I need and I hope it will be a helpful reference for others as well.

Source Code

The code used for the implementation is packaged as auth.jar with class and source files for your reference. Please do with it as you like (BSD license). The contents of the archive are described below:

net.shornepla.auth

Together these small classes provide the groundwork for our authentication layer. Next comes the hard part: dealing with all of the Acegi Spring configuration.

ApplicationContext.xml

Acegi is loaded via two Spring application context XML files. The first one is pretty basic: it initialises my Hibernate authentication implementation, then it initialises the authentication provider.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans default-autowire="autodetect">
  <!-- Load the hibernate model for authentication -->
  <bean id="sessionFactory"
    class="org.springframework.orm.hibernate3.LocalSessionFactoryBean" >
    <property name="mappingResources">
      <list>
        <value>net/shornepla/auth/model.hbm.xml</value>
      </list>
    </property>
  </bean>
  <!-- The hibernate backed implementation for UserDetailsService -->
  <bean id="userDetailProvider"
    class="net.shornepla.auth.UserDetailProvider" >
    <property name="sessionFactory" ref="sessionFactory" />
  </bean>
  <!-- Just use MD5 password hashing -->
  <bean id="passwordEncoder"
    class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />
  <!-- Tie together with the DaoAuthenticationProvider -->
  <bean id="daoAuthenticationProvider"
    class="org.acegisecurity.providers.dao.DaoAuthenticationProvider" >
    <property name="userDetailsService">
       <ref local="userDetailProvider"/>
    </property>
    <property name="passwordEncoder">
      <ref local="passwordEncoder"/>
    </property>
  </bean>
</beans>

applicationContext-acegi-security.xml

The second application context config is applicationContext-acegi-security.xml. This is mostly copied directly out of the Acegi example and simplified as much as possible.

The main beans here are:

All together, these resources will probably not work for you as they require a web application to be deployed. However, the pieces I provide should make integration into your application as simple as possible. If there are any issues or suggestions please let me know.