Search code examples

Spring Boot Form Login Custom UserDetailsService authorisation not working

I am a beginner at Spring Boot and really struggling to get this. I am not finding Spring boot's security API very intuitive at all, but I'm trying to get it.

I am going to use MySql with JPA to get Users from the Database, But initially just to ensure that the security scaffolding works, I am just hard coding a User From Employee Details Service.

After a lot of trouble, I have managed to get the basic Authentication to work, but the Authorisation is not working. I have edited the question to reflect the basic issue:

I am aware that there are other questions out there before people mark this as duplicate, I have gone through all of them, they all respond with basic answers that I think are already working in my app.

At the end /home path is for home method, /mama path is for role mama

Here is the code:

package com.straightwalls.absencemanagement.config;

import com.straightwalls.absencemanagement.service.EmployeeDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    private UserDetailsService userDetailsService;

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

   protected void configure(HttpSecurity http) throws Exception {
    //Disabled for development
            .antMatchers("/home").hasAnyRole("ROLE_HEAD", "ROLE_MAMA")

    * Returning no op password encoder for now,
    * as we are not encoding passwords as no registration
    * implemented for Prototype. We would need to add the users from a separate service. W
    * */
    public PasswordEncoder getPasswordEncoder(){
        return NoOpPasswordEncoder.getInstance();


package com.straightwalls.absencemanagement.service;

import com.straightwalls.absencemanagement.model.Employee;
import com.straightwalls.absencemanagement.model.Role;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

public class EmployeeDetailsService implements UserDetailsService {

    public UserDetails loadUserByUsername(String username)
                         throws UsernameNotFoundException {
    if (!username.equals("Mama")){
        throw new UsernameNotFoundException(
            "You got the wrong Username, should be mama"

    Employee employee = new Employee();
    Role role = new Role();

    return new EmployeePrincipal(employee);

    package com.straightwalls.absencemanagement.service;
    import com.straightwalls.absencemanagement.model.Employee;
    import java.util.Arrays;
    import java.util.Collection;
    public class EmployeePrincipal implements UserDetails {

    private Employee employee;
    //Added another default Constructor, incase
    public EmployeePrincipal(){


    public EmployeePrincipal(Employee employee){
        this.employee = employee;

    public Collection<? extends GrantedAuthority> getAuthorities() {
        return Arrays.asList(new SimpleGrantedAuthority("ROLE_HEAD"));
        //return Arrays.asList(new SimpleGrantedAuthority("ROLE_" + employee.getRole().getName()));

    public String getPassword() {
        return employee.getPassword();

    public String getUsername() {
        return employee.getUsername();

    * Methods below are the rubbish methods, we keep as true for now
    * */
    public boolean isAccountNonExpired() {
        return true;

    public boolean isAccountNonLocked() {
        return true;

    public boolean isCredentialsNonExpired() {
        return true;

    public boolean isEnabled() {
        return true;

package com.straightwalls.absencemanagement.api;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

public class LoginApi {

    public String index(){
        return "Straight Walls absence management!";

    public String home(){
        return "Welcome to Home!";

    * This method can be deleted in the end
    public String roleTest(){
        return "This end point is only for Mama!";


package com.straightwalls.absencemanagement.model;

import org.hibernate.annotations.Fetch;

import javax.persistence.*;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;

public class Employee {

    private long id;
    private String firstName;
    private String lastName;
    private String username;
    private String password;
    private String startDate;

    @JoinColumn(name = "roleId", referencedColumnName = "id")
    private Role role;

    @JoinColumn(name = "departmentId", referencedColumnName = "id")
    private Department department;

    public Employee(){


    public long getId() {
        return id;

    public Employee setId(long id) { = id;
        return this;

    public String getFirstName() {
        return firstName;

    public Employee setFirstName(String firstName) {
        this.firstName = firstName;
        return this;

    public String getLastName() {
        return lastName;

    public Employee setLastName(String lastName) {
        this.lastName = lastName;
        return this;

    public String getUsername() {
        return username;

    public Employee setUsername(String username) {
        this.username = username;
        return this;

    public String getPassword() {
        return password;

    public Employee setPassword(String password) {
        this.password = password;
        return this;

    public String getStartDate() {
        return startDate;

    public Employee setStartDate(LocalDate startDate) {
      this.startDate =   
      return this;

    public Role getRole() {
        return role;

    public Employee setRole(Role role) {
        this.role = role;
        return this;

    public Department getDepartment() {
        return department;

    public Employee setDepartment(Department department) {
        this.department = department;
        return this;

Server Logs: 2021-04-21 07:42:12.151 INFO 10370 --- [ restartedMain] traightWallsAbsenceManagementApplication : Starting StraightWallsAbsenceManagementApplication using Java 16 on Peshotans-MacBook-Air.local with PID 10370 (/Users/peshotanpavri/java/IdeaProjects/StraightWallsAbsenceManagement/target/classes started by peshotanpavri in /Users/peshotanpavri/java/IdeaProjects/StraightWallsAbsenceManagement) 2021-04-21 07:42:12.154 INFO 10370 --- [ restartedMain] traightWallsAbsenceManagementApplication : No active profile set, falling back to default profiles: default 2021-04-21 07:42:12.254 INFO 10370 --- [ restartedMain] .e.DevToolsPropertyDefaultsPostProcessor : Devtools property defaults active! Set 'spring.devtools.add-properties' to 'false' to disable 2021-04-21 07:42:12.255 INFO 10370 --- [ restartedMain] .e.DevToolsPropertyDefaultsPostProcessor : For additional web related logging consider setting the 'logging.level.web' property to 'DEBUG' 2021-04-21 07:42:14.065 INFO 10370 --- [ restartedMain] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode. 2021-04-21 07:42:14.203 INFO 10370 --- [ restartedMain] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 113 ms. Found 1 JPA repository interfaces. 2021-04-21 07:42:15.235 INFO 10370 --- [ restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http) 2021-04-21 07:42:15.253 INFO 10370 --- [ restartedMain] o.apache.catalina.core.StandardService : Starting service [Tomcat] 2021-04-21 07:42:15.253 INFO 10370 --- [ restartedMain] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.45] 2021-04-21 07:42:15.404 INFO 10370 --- [ restartedMain] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext 2021-04-21 07:42:15.405 INFO 10370 --- [ restartedMain] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 3147 ms 2021-04-21 07:42:15.642 INFO 10370 --- [ restartedMain] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting... 2021-04-21 07:42:16.670 INFO 10370 --- [ restartedMain] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed. 2021-04-21 07:42:16.743 INFO 10370 --- [ restartedMain] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [name: default] 2021-04-21 07:42:16.859 INFO 10370 --- [ restartedMain] org.hibernate.Version : HHH000412: Hibernate ORM core version 5.4.30.Final 2021-04-21 07:42:17.121 INFO 10370 --- [ restartedMain] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.1.2.Final} 2021-04-21 07:42:17.327 INFO 10370 --- [ restartedMain] org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.MySQL8Dialect 2021-04-21 07:42:18.359 INFO 10370 --- [ restartedMain] o.h.e.t.j.p.i.JtaPlatformInitiator : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform] 2021-04-21 07:42:18.383 INFO 10370 --- [ restartedMain] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default' 2021-04-21 07:42:18.458 WARN 10370 --- [ restartedMain] JpaBaseConfiguration$JpaWebConfiguration : is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure to disable this warning 2021-04-21 07:42:18.737 INFO 10370 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [,,,,,,,,,,,,,,] 2021-04-21 07:42:18.981 INFO 10370 --- [ restartedMain] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor' 2021-04-21 07:42:19.784 INFO 10370 --- [ restartedMain] o.s.b.d.a.OptionalLiveReloadServer : LiveReload server is running on port 35729 2021-04-21 07:42:19.835 INFO 10370 --- [ restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path '' 2021-04-21 07:42:19.851 INFO 10370 --- [ restartedMain] traightWallsAbsenceManagementApplication : Started StraightWallsAbsenceManagementApplication in 8.486 seconds (JVM running for 10.642) 2021-04-21 07:42:45.273 INFO 10370 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet' 2021-04-21 07:42:45.275 INFO 10370 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet' 2021-04-21 07:42:45.300 INFO 10370 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 24 ms

I am logging in with a dummy role HEAD. So I should be able to access: /, /home but not /mama I cant access /home, even though the role has been properly defined

In my base package, I have the following packages: config: With this config file, model: All entities api: Controllers repository: Repositories (Not used yet) service: Where I have EmployeeDetailsService & EmployeeDetails class

Any advice would be greatly appreciated as I am expecting this to work, but its just not throwing any errors and just constantly saying bad credentials even though I have put the username Mama and password Mama and tried with NoOpPasswordEncoder


  • Managed to fix this by cleaning up the code and making a few changes to the grantedAuthorities method, which didn't need the ROLE_

    Also changed hasRole, hasAnyRole with hasAuthority and hasAnyAuthority by eliminating the ROLE_ Not sure why but it works now.

    Also the API is a lot simpler to understand now

    Here is the updated code:

    public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
        UserDetailsService userDetailsService;
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        * Now we have learnt the basics of Spring Security & Authrization method is completed.
        * Lets fix Authentication first!
        * Got it to work with hasAuthority & hasAnyAuthority but not with roles, not sure why, but it works atm
        * */
        protected void configure(HttpSecurity http) throws Exception {
            //Disabled for development
                    .antMatchers("/home").hasAnyAuthority("HEAD", "MAMA")
        * Returning no op password encoder for now, as we are not encoding passwords as no registration
        * implemented for Prototype. We would need to add the users from a separate service. W
        * */
        public PasswordEncoder getPasswordEncoder(){
            return NoOpPasswordEncoder.getInstance();
    public class EmployeeDetailsService implements UserDetailsService {
        * First, we are testing the Employee details service, independent of the Database, just to make sure we have this part working,
        * For the purpose of these prototypes, we wont use password encoder because we are not registering,
        * */
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            if (!username.equals("Mama")){
                throw new UsernameNotFoundException("You got the wrong Username, should be mama");
            Employee employee = new Employee();
            Role role = new Role();
            return new EmployeePrincipal(employee);
        public class EmployeePrincipal implements UserDetails {
            private Employee employee;
            public EmployeePrincipal(Employee employee){
                this.employee = employee;
            public Collection<? extends GrantedAuthority> getAuthorities() {
                List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
                authorities.add(new SimpleGrantedAuthority(employee.getRole().getName()));
                return  authorities;
            public String getPassword() {
                return employee.getPassword();
            public String getUsername() {
                return employee.getUsername();
            * Methods below are the rubbish methods, we keep as true for now
            * */
            public boolean isAccountNonExpired() {
                return true;
            public boolean isAccountNonLocked() {
                return true;
            public boolean isCredentialsNonExpired() {
                return true;
            public boolean isEnabled() {
                return true;
    public class LoginApi {
        public String index(){
            return "Index"
        public String home(){
            return "Home!";
        * This method can be deleted in the end
        * */
        public String roleTest(){
            return "This end point is only for Mama!";