Auto-Generating Spring Security: Default JDBC Realms
This tutorial expands on the auto-generation of spring security using a memory realm to cover default JDBC realms.
Join the DZone community and get the full member experience.
Join For FreeThe previous tutorial showed how we can auto-generate of spring security using a memory realm. This tutorial expands on this to cover Default JDBC Realms using the source code from the parkrunPB application
Security Requirements
The site has the following links and security requirements:
| http://localhost:8080/ | Accessible to all |
| http://localhost:8080/webjars | Static Resources – Accessible to all |
| http://localhost:8080/about.html | Static page – Accessible to all |
| http://localhost:8080/login.html | Accessible to all |
| http://localhost:8080/admin/ | Admin User |
| http://localhost:8080/rest | Accessible to all |
We also have a requirement to use a users and roles with the structure –
| USER | PASSWORD | ROLES |
| admin | admin | ADMIN |
Getting Started
The first thing we need to do is uncomment spring security in the maven pom –
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
We can then compile and run the code:
mvn spring-boot:runThe whole application is now locked down
Luckily we can login using the default username (user), and the password from the logs. Im my case:
2016-11-06 21:16:56.877 INFO 8088 --- [main] b.a.s.AuthenticationManagerConfiguration :
Using default security password: e1c87658-8b7e-4b1e-88da-902b5356ef66Default JDBC Tables
We can now begin to create our SecurityConfiguration using Spring Security Generator
We then get the generated source code:
package com.glenware.springboot;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth
.jdbcAuthentication()
.dataSource(dataSource)
.withDefaultSchema()
.withUser("admin").password("admin").roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/webjars/*","/about.html","/rest/**").permitAll()
.antMatchers("/admin/**").hasAnyRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/admin/admin.html")
.failureUrl("/login")
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/")
.permitAll()
;
}
}Key Points
- Using JDBC Realm(Default): The default realm means Spring Security will use its default users.ddl.
- Same configuration as before
We can now access the site the same as the memory realm, but with user details stored in the database. The next post will look at using a custom JDBC table.
Published at DZone with permission of Martin Farrell, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments