Spring Boot Form Login Custom UserDetailsService authorisation not working
Question
I am a beginner at Spring Boot and really struggling to get this. I am not finding Spring boot's security API very intuitive at all, but I'm trying to get it.
I am going to use MySql with JPA to get Users from the Database, But initially just to ensure that the security scaffolding works, I am just hard coding a User From Employee Details Service.
After a lot of trouble, I have managed to get the basic Authentication to work, but the Authorisation is not working. I have edited the question to reflect the basic issue:
I am aware that there are other questions out there before people mark this as duplicate, I have gone through all of them, they all respond with basic answers that I think are already working in my app.
At the end /home path is for home method, /mama path is for role mama
Here is the code:
//AppSecurityConfig.java
package com.straightwalls.absencemanagement.config;
import com.straightwalls.absencemanagement.service.EmployeeDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import
org.springframework.security.config
.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import
org.springframework.security.config
.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
protected void configure(HttpSecurity http) throws Exception {
//Disabled for development
http.authorizeRequests()
.antMatchers("/mama").hasRole("MAMA")
.antMatchers("/home").hasAnyRole("ROLE_HEAD", "ROLE_MAMA")
.and()
.formLogin();
}
@Bean
/*
* Returning no op password encoder for now,
* as we are not encoding passwords as no registration
* implemented for Prototype. We would need to add the users from a separate service. W
*
* */
public PasswordEncoder getPasswordEncoder(){
return NoOpPasswordEncoder.getInstance();
}
}
//EmployeeDetailsService
package com.straightwalls.absencemanagement.service;
import com.straightwalls.absencemanagement.model.Employee;
import com.straightwalls.absencemanagement.model.Role;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
@Service
public class EmployeeDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
if (!username.equals("Mama")){
throw new UsernameNotFoundException(
"You got the wrong Username, should be mama"
);
}
Employee employee = new Employee();
Role role = new Role();
role.setName("HEAD");
employee
.setUsername(username)
.setPassword("1234")
.setRole(role);
return new EmployeePrincipal(employee);
}
}
//EmployeePrincipal.java
package com.straightwalls.absencemanagement.service;
import com.straightwalls.absencemanagement.model.Employee;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Arrays;
import java.util.Collection;
public class EmployeePrincipal implements UserDetails {
private Employee employee;
//Added another default Constructor, incase
public EmployeePrincipal(){
}
public EmployeePrincipal(Employee employee){
this.employee = employee;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Arrays.asList(new SimpleGrantedAuthority("ROLE_HEAD"));
//return Arrays.asList(new SimpleGrantedAuthority("ROLE_" + employee.getRole().getName()));
}
@Override
public String getPassword() {
return employee.getPassword();
}
@Override
public String getUsername() {
return employee.getUsername();
}
/*
* Methods below are the rubbish methods, we keep as true for now
*
* */
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
//Login.java
package com.straightwalls.absencemanagement.api;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class LoginApi {
@RequestMapping("/")
public String index(){
return "Straight Walls absence management!";
}
@RequestMapping("/home")
public String home(){
return "Welcome to Home!";
}
/**
* This method can be deleted in the end
*
*/
@RequestMapping("/mama")
public String roleTest(){
return "This end point is only for Mama!";
}
}
//Employee.java
package com.straightwalls.absencemanagement.model;
import org.hibernate.annotations.Fetch;
import javax.persistence.*;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
@Entity
public class Employee {
@Id
private long id;
private String firstName;
private String lastName;
private String username;
private String password;
private String startDate;
@ManyToOne
@JoinColumn(name = "roleId", referencedColumnName = "id")
private Role role;
@ManyToOne
@JoinColumn(name = "departmentId", referencedColumnName = "id")
private Department department;
public Employee(){
}
public long getId() {
return id;
}
public Employee setId(long id) {
this.id = id;
return this;
}
public String getFirstName() {
return firstName;
}
public Employee setFirstName(String firstName) {
this.firstName = firstName;
return this;
}
public String getLastName() {
return lastName;
}
public Employee setLastName(String lastName) {
this.lastName = lastName;
return this;
}
public String getUsername() {
return username;
}
public Employee setUsername(String username) {
this.username = username;
return this;
}
public String getPassword() {
return password;
}
public Employee setPassword(String password) {
this.password = password;
return this;
}
public String getStartDate() {
return startDate;
}
public Employee setStartDate(LocalDate startDate) {
this.startDate =
startDate.format(DateTimeFormatter.ISO_LOCAL_DATE);
return this;
}
public Role getRole() {
return role;
}
public Employee setRole(Role role) {
this.role = role;
return this;
}
public Department getDepartment() {
return department;
}
public Employee setDepartment(Department department) {
this.department = department;
return this;
}
}
Server Logs: 2021-04-21 07:42:12.151 INFO 10370 --- [ restartedMain] traightWallsAbsenceManagementApplication: Starting StraightWallsAbsenceManagementApplication using Java 16 on Peshotans-MacBook-Air.local with PID 10370 (/Users/peshotanpavri/java/IdeaProjects/StraightWallsAbsenceManagement/target/classes started by peshotanpavri in /Users/peshotanpavri/java/IdeaProjects/StraightWallsAbsenceManagement) 2021-04-21 07:42:12.154 INFO 10370 --- [ restartedMain] traightWallsAbsenceManagementApplication: No active profile set, falling back to default profiles: default 2021-04-21 07:42:12.254 INFO 10370 --- [ restartedMain].e.DevToolsPropertyDefaultsPostProcessor: Devtools property defaults active. Set 'spring.devtools:add-properties' to 'false' to disable 2021-04-21 07:42.12.255 INFO 10370 --- [ restartedMain].e:DevToolsPropertyDefaultsPostProcessor. For additional web related logging consider setting the 'logging.level:web' property to 'DEBUG' 2021-04-21 07:42.14.065 INFO 10370 --- [ restartedMain].sdr.c:RepositoryConfigurationDelegate. Bootstrapping Spring Data JPA repositories in DEFAULT mode: 2021-04-21 07:42.14.203 INFO 10370 --- [ restartedMain].sdr.c:RepositoryConfigurationDelegate. Finished Spring Data repository scanning in 113 ms. Found 1 JPA repository interfaces: 2021-04-21 07:42.15.235 INFO 10370 --- [ restartedMain] osbwembedded.tomcat:TomcatWebServer: Tomcat initialized with port(s): 8080 (http) 2021-04-21 07:42.15.253 INFO 10370 --- [ restartedMain] o.apache.catalina.core:StandardService: Starting service [Tomcat] 2021-04-21 07:42.15.253 INFO 10370 --- [ restartedMain] org.apache.catalina.core:StandardEngine: Starting Servlet engine. [Apache Tomcat/9.0:45] 2021-04-21 07:42.15.404 INFO 10370 --- [ restartedMain] oac.c.C.[Tomcat].[localhost]:[/]: Initializing Spring embedded WebApplicationContext 2021-04-21 07:42.15.405 INFO 10370 --- [ restartedMain] wsc:ServletWebServerApplicationContext: Root WebApplicationContext: initialization completed in 3147 ms 2021-04-21 07:42.15.642 INFO 10370 --- [ restartedMain] com.zaxxer.hikari:HikariDataSource. HikariPool-1 - Starting..: 2021-04-21 07:42.16.670 INFO 10370 --- [ restartedMain] com.zaxxer.hikari:HikariDataSource. HikariPool-1 - Start completed: 2021-04-21 07:42.16.743 INFO 10370 --- [ restartedMain] o.hibernate.jpa.internal.util:LogHelper: HHH000204: Processing PersistenceUnitInfo [name: default] 2021-04-21 07:42.16.859 INFO 10370 --- [ restartedMain] org.hibernate:Version: HHH000412. Hibernate ORM core version 5.4.30:Final 2021-04-21 07:42.17.121 INFO 10370 --- [ restartedMain] o.hibernate.annotations.common:Version: HCANN000001. Hibernate Commons Annotations {5.1.2:Final} 2021-04-21 07:42.17.327 INFO 10370 --- [ restartedMain] org.hibernate.dialect:Dialect: HHH000400: Using dialect. org.hibernate.dialect:MySQL8Dialect 2021-04-21 07:42.18.359 INFO 10370 --- [ restartedMain] ohetjpi:JtaPlatformInitiator: HHH000490: Using JtaPlatform implementation. [org.hibernate.engine.transaction.jta.platform.internal:NoJtaPlatform] 2021-04-21 07:42.18.383 INFO 10370 --- [ restartedMain] j:LocalContainerEntityManagerFactoryBean: Initialized JPA EntityManagerFactory for persistence unit 'default' 2021-04-21 07:42.18:458 WARN 10370 --- [ restartedMain] JpaBaseConfiguration$JpaWebConfiguration. spring.jpa.open-in-view is enabled by default, Therefore. database queries may be performed during view rendering. Explicitly configure spring.jpa:open-in-view to disable this warning 2021-04-21 07:42.18.737 INFO 10370 --- [ restartedMain] ossweb:DefaultSecurityFilterChain. Will secure any request with [org.springframework.security.web.context.request.async,WebAsyncManagerIntegrationFilter@7e4d562b. org.springframework.security.web.context,SecurityContextPersistenceFilter@657e3908. org.springframework.security.web.header,HeaderWriterFilter@484dbda9. org.springframework.security.web.csrf,CsrfFilter@358c0253. org.springframework.security.web.authentication.logout,LogoutFilter@4596a3b. org.springframework.security.web.authentication,UsernamePasswordAuthenticationFilter@6dceb9b9. org.springframework.security.web.authentication.ui,DefaultLoginPageGeneratingFilter@697f408b. org.springframework.security.web.authentication.ui,DefaultLogoutPageGeneratingFilter@6a227727. org.springframework.security.web.authentication.www,BasicAuthenticationFilter@166853dc. org.springframework.security.web.savedrequest,RequestCacheAwareFilter@185f798b. org.springframework.security.web.servletapi,SecurityContextHolderAwareRequestFilter@7f7692e4. org.springframework.security.web.authentication,AnonymousAuthenticationFilter@5406fd30. org.springframework.security.web.session,SessionManagementFilter@66387082. org.springframework.security.web.access,ExceptionTranslationFilter@44bb34bf. org.springframework.security.web.access.intercept:FilterSecurityInterceptor@768269d7] 2021-04-21 07:42.18.981 INFO 10370 --- [ restartedMain] ossconcurrent:ThreadPoolTaskExecutor: Initializing ExecutorService 'applicationTaskExecutor' 2021-04-21 07:42.19.784 INFO 10370 --- [ restartedMain] osbda:OptionalLiveReloadServer: LiveReload server is running on port 35729 2021-04-21 07:42.19.835 INFO 10370 --- [ restartedMain] osbwembedded.tomcat:TomcatWebServer: Tomcat started on port(s): 8080 (http) with context path '' 2021-04-21 07:42.19:851 INFO 10370 --- [ restartedMain] traightWallsAbsenceManagementApplication. Started StraightWallsAbsenceManagementApplication in 8.486 seconds (JVM running for 10:642) 2021-04-21 07:42.45.273 INFO 10370 --- [nio-8080-exec-1] oac.c.C.[Tomcat].[localhost]:[/]: Initializing Spring DispatcherServlet 'dispatcherServlet' 2021-04-21 07:42.45.275 INFO 10370 --- [nio-8080-exec-1] osweb.servlet:DispatcherServlet: Initializing Servlet 'dispatcherServlet' 2021-04-21 07:42.45.300 INFO 10370 --- [nio-8080-exec-1] osweb.servlet:DispatcherServlet : Completed initialization in 24 ms
I am logging in with a dummy role HEAD. So I should be able to access: /, /home but not /mama I cant access /home, even though the role has been properly defined
In my base package, I have the following packages: config: With this config file, model: All entities api: Controllers repository: Repositories (Not used yet) service: Where I have EmployeeDetailsService & EmployeeDetails class
Any advice would be greatly appreciated as I am expecting this to work, but its just not throwing any errors and just constantly saying bad credentials even though I have put the username Mama and password Mama and tried with NoOpPasswordEncoder
1 answers
solution1
0 ACCPTED 2021-04-21 18:06:53
Managed to fix this by cleaning up the code and making a few changes to the grantedAuthorities method, which didn't need the ROLE_
Also changed hasRole, hasAnyRole with hasAuthority and hasAnyAuthority by eliminating the ROLE_ Not sure why but it works now.
Also the API is a lot simpler to understand now
Here is the updated code:
@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
/*auth.inMemoryAuthentication()
.withUser("appuser").password("1234").roles("HEAD")
.and()
.withUser("Mama").password("Mama").roles("MAMA");*/
}
@Override
/*
* Now we have learnt the basics of Spring Security & Authrization method is completed.
* Lets fix Authentication first!
* Got it to work with hasAuthority & hasAnyAuthority but not with roles, not sure why, but it works atm
*
* */
protected void configure(HttpSecurity http) throws Exception {
//Disabled for development
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/mama").hasAuthority("MAMA")
.antMatchers("/home").hasAnyAuthority("HEAD", "MAMA")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/")
.defaultSuccessUrl("/home");
}
@Bean
/*
* Returning no op password encoder for now, as we are not encoding passwords as no registration
* implemented for Prototype. We would need to add the users from a separate service. W
*
* */
public PasswordEncoder getPasswordEncoder(){
return NoOpPasswordEncoder.getInstance();
}
}
//EmployeeDetailsService.java
@Service
public class EmployeeDetailsService implements UserDetailsService {
@Override
/*
* First, we are testing the Employee details service, independent of the Database, just to make sure we have this part working,
* For the purpose of these prototypes, we wont use password encoder because we are not registering,
*
* */
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
if (!username.equals("Mama")){
throw new UsernameNotFoundException("You got the wrong Username, should be mama");
}
Employee employee = new Employee();
Role role = new Role();
role.setName("HEAD");
employee
.setUsername(username)
.setPassword("1234")
.setRole(role);
return new EmployeePrincipal(employee);
}
}
//EmployeePrincipal.java
public class EmployeePrincipal implements UserDetails {
private Employee employee;
public EmployeePrincipal(Employee employee){
this.employee = employee;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
authorities.add(new SimpleGrantedAuthority(employee.getRole().getName()));
return authorities;
}
@Override
public String getPassword() {
return employee.getPassword();
}
@Override
public String getUsername() {
return employee.getUsername();
}
/*
* Methods below are the rubbish methods, we keep as true for now
*
* */
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
@RestController
public class LoginApi {
@RequestMapping("/")
public String index(){
return "Index"
}
@RequestMapping("/home")
public String home(){
return "Home!";
}
/*
* This method can be deleted in the end
* */
@RequestMapping("/mama")
public String roleTest(){
return "This end point is only for Mama!";
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.