Tags: java, spring-mvc, authentication, spring-security

Spring Security service configuration


I'm trying to build a Java EE app prototype using different frameworks. Everything works fine except the security layer. I chose to use Spring Security configured with Spring configuration.

The code is like this:

Spring Security Config

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    private MyUserDetailsService userDetailsService;

    @Override
    protected UserDetailsService userDetailsService () {
        return this.userDetailsService;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
        .ignoring()
        .antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .formLogin()
        .loginPage("/login")
        .loginProcessingUrl("/login/authenticate")
        .failureUrl("/login?error=bad_credentials")
        .and()
        .logout()
        .logoutUrl("/signout")
        .deleteCookies("JSESSIONID")
        .and()
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/**").permitAll()
        .and()
        .csrf();
    }
}

User Detail Service

@Service("myUserDetailsService")
public class MyUserDetailsService implements UserDetailsService
{
    public static final Logger log = Logger.getLogger(MyUserDetailsService.class);

    public MyUserDetailsService() {
    }

    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
        final User user = getSystemUser(userName);
        final List<GrantedAuthority> authorities = getUserAuthorities(user);
        return buildUserForAuthentication(user, authorities);
    }

    private User buildUserForAuthentication(User user, List<GrantedAuthority> authorities) {
        //...
    }

    private User getSystemUser(String alias) {
        //...
    }

    private List<GrantedAuthority> getUserAuthorities(User user) {
        //...
        return null;
    }
}

What I'm expecting this code to do is that when /login/authenticate is reached with the user & pass params, the underlying Spring code invokes my user service, but this never happens.

What am I missing?

I'm using spring-security 3.2.3.RELEASE.


Solution

  • You should register your custom authentication in the SecurityConfig class, which extends WebSecurityConfigurerAdapter:

    @Autowired
    private MyUserDetailsService userDetailsService;
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth) 
          throws Exception {
        auth.userDetailsService(this.userDetailsService);
    }
    

    For 3.2.3 the config should be:

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(this.userDetailsService);
    }
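
The question's configuration with the answer's 3.2.3 registration in place, consolidated as an added example (not code from the original post or answer). It assumes `MyUserDetailsService` from the question is in the same package and that stored passwords are BCrypt hashes; the parameter names shown are the Java-config defaults written out explicitly.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example for Spring Security 3.2.x. Assumptions: MyUserDetailsService is
// in this package; stored passwords are BCrypt hashes (not stated on the page).
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private MyUserDetailsService userDetailsService;

    // The registration from the answer: hands the service to the AuthenticationManager.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(this.userDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder()); // compare hashes, not plaintext
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login/authenticate") // credentials arrive by POST
                .usernameParameter("username") // form field names must match these
                .passwordParameter("password")
                .failureUrl("/login?error=bad_credentials")
                .and()
            .logout()
                .logoutUrl("/signout")
                .deleteCookies("JSESSIONID")
                .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN") // checks authority ROLE_ADMIN
                .antMatchers("/**").permitAll();
        // CSRF is on by default in Java config: the login form must send the _csrf token.
    }
}
```

If the login form posts different field names, or omits the CSRF token, the request fails before `loadUserByUsername` is ever called, which looks the same from the outside as a missing registration.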