Customize the Authentication Provider in Spring Security Application





Hey guys in this post, we will discuss customizing the Authentication provider in Spring Security. This is the continuation of the previous post, please follow that post before proceeding with this.

Complete example


There are situations, where we need to create our own custom implementation for the Authentication provider instead of using one provided by Spring security. In this tutorial, we will not use UserDetailsService instead we will create our own custom implementation for AuthenticationProvider

Let’s create a step-by-step spring boot project and customize the Authentication provider.

Create database and tables


In order to create our own custom implementation of UserDetailsService, first we need to create database tables for our users. To create a database and tables execute the following query

CREATE database springsecurity;

USE springsecurity;

CREATE TABLE tbl_employees
(
	id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    email VARCHAR(255) NOT NULL,
    pwd VARCHAR(255) NOT NULL,
    role VARCHAR(255) NOT NULL
);

INSERT INTO tbl_employees VALUES (NULL, "[email protected]", "$2y$12$ZYU8aMJQBkxCF0DK9zLfnuTRP3RLVEI6PS/wbdESPth9MwCmSDRv.", "admin");

So in this example, we are not discussing creating a new user, so in order to hash the password, you can visit the website https://bcrypt-generator.com/ to hash the password.
Screenshot-2021-06-01-at-3-25-46-PM

Create spring boot project


There are many different ways to create a spring boot application, you can follow the below articles to create one –

>> Create spring boot application using Spring initializer
>> Create spring boot application in Spring tool suite [STS]
>> Create spring boot application in IntelliJ IDEA

Add maven dependencies


Open pom.xml and add the following dependencies –

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.5.0</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>
	<groupId>in.bushansirgur</groupId>
	<artifactId>springsecurityproject</artifactId>
	<version>v1</version>
	<name>springsecurityproject</name>
	<description>Spring security project</description>
	<properties>
		<java.version>1.8</java.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-jpa</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>mysql</groupId>
			<artifactId>mysql-connector-java</artifactId>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

spring-boot-starter-web dependency for building web applications using Spring MVC. It uses the tomcat as the default embedded container. spring-boot-starter-security dependency, which will help to implement spring security. mysql-connector-java dependency for connecting to the MySQL database. spring-boot-starter-data-jpadependency to interact with the database and perform the database operations.

Configure datasource


Open application.properties file and add the following contents –

spring.datasource.url=jdbc:mysql://localhost:3306/springsecurity
spring.datasource.username=scbushan05
spring.datasource.password=scbushan05

Create a Rest controller


Create HomeController.java inside the in.bushansirgur.springboot.controller package and add the following content

package in.bushansirgur.springboot.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {
	
	@RequestMapping("/home")
	public String showHomePage () {
		return "displaying the home page contents";
	}
	
	@RequestMapping("/protected")
	public String protectedPage () {
		return "displying the protected page contents";
	}
}

We have created two handler methods showHomePage(), which is mapped to /home, anyone can access this URI and protectedPage(), which is mapped to /protected, only authorized users can access this URI.



Create an entity class


Create an entity class Employee.java inside the in.bushansirgur.springboot.entity package and add the following content

package in.bushansirgur.springboot.entity;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity(name =  "tbl_employees")
public class Employee {
	
	@Id
	@GeneratedValue(strategy = GenerationType.IDENTITY)
	private Integer id;
	
	private String email;
	
	private String pwd;
	
	private String role;

	public Integer getId() {
		return id;
	}

	public void setId(Integer id) {
		this.id = id;
	}

	public String getEmail() {
		return email;
	}

	public void setEmail(String email) {
		this.email = email;
	}

	public String getPwd() {
		return pwd;
	}

	public void setPwd(String pwd) {
		this.pwd = pwd;
	}

	public String getRole() {
		return role;
	}

	public void setRole(String role) {
		this.role = role;
	}
}

This is just a POJO with private fields, setters, getters, and JPA annotations. The class is annotated with @Entity annotation, this represents that this class is mapped with a database table.

Create a Repository


Create an interface EmployeeRepository.java inside the in.bushansirgur.springboot.repository package and add the following content

package in.bushansirgur.springboot.repository;

import java.util.List;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

import in.bushansirgur.springboot.entity.Employee;

@Repository
public interface EmployeeRepository extends JpaRepository<Employee, Integer> {
	
	List<Employee> findByEmail(String email);
}

Here we are creating a query method findByEmail() to retrieve the list of employees.

Create a service


Next, we need to create a service class that implements the UserDetails. Create a class EmployeeService.java inside the in.bushansirgur.springboot.service package and add the following content

package in.bushansirgur.springboot.service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import in.bushansirgur.springboot.entity.Employee;

public class EmployeeService implements UserDetails {

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;
	private final Employee employee;
	
	public EmployeeService (Employee employee) {
		this.employee = employee;
	}
	
	@Override
	public Collection<? extends GrantedAuthority> getAuthorities() {
		List<GrantedAuthority> authorities = new ArrayList<>();
		authorities.add(new SimpleGrantedAuthority(employee.getRole()));
		return authorities;
	}

	@Override
	public String getPassword() {
		return employee.getPwd();
	}

	@Override
	public String getUsername() {
		return employee.getEmail();
	}

	@Override
	public boolean isAccountNonExpired() {
		return true;
	}

	@Override
	public boolean isAccountNonLocked() {
		return true;
	}

	@Override
	public boolean isCredentialsNonExpired() {
		return true;
	}

	@Override
	public boolean isEnabled() {
		return true;
	}

}

Here we create a constructor and pass the Employee object. So in the future whoever, creating  EmployeeService they need to pass the Employee object as well. With that Employee object, we will retrieve the username, password and authorities.




Create a custom authentication provider


Create a class CustomAuthenticationProvider inside the in.bushansirgur.springboot.config package that implements AuthenticationProvider. We will mark this class with @Component annotation so that as soon as the application loads spring will detect this class. Open the file and add the following content

package in.bushansirgur.springboot.config;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

import in.bushansirgur.springboot.entity.Employee;
import in.bushansirgur.springboot.repository.EmployeeRepository;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider{
	
	@Autowired
	private EmployeeRepository eRepository;
	
	@Autowired
	private PasswordEncoder pEncoder;

	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		String username = authentication.getName();
		String password = authentication.getCredentials().toString();
		List<Employee> employee = eRepository.findByEmail(username);
		if (employee.size() > 0) {
			if (pEncoder.matches(password, employee.get(0).getPwd())) {
				List<GrantedAuthority> authorities = new ArrayList<>();
				authorities.add(new SimpleGrantedAuthority(employee.get(0).getRole()));
				return new UsernamePasswordAuthenticationToken(username, password, authorities);
			}else  {
				throw new BadCredentialsException("Invalid password");
			}
		} else {
			throw new BadCredentialsException("No user registered with this details");
		}
	}

	@Override
	public boolean supports(Class<?> authentication) {
		return authentication.equals(UsernamePasswordAuthenticationToken.class);
	}
}

Anytime if we want to create our own custom implementation for AuthenticationProvider then we need to implement the AuthenticationProvider which will override two methods, one is authenticate(Authentication auth) which receives the Authentication object and the second is supports(). Inside these two methods, we will write our business logic to authenticate the user.

Create a configuration class


Let’s customize the spring security to deny all the URIs. Create ProjectSecurityConfig.java inside the in.bushansirgur.springboot.config package and add the following content.

package in.bushansirgur.springboot.config;

import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
		.antMatchers("/home").permitAll()
		.antMatchers("/protected").authenticated()
		.and()
		.formLogin()
		.and()
		.httpBasic();
	}
	
	@Bean
	public PasswordEncoder passwordEncoder () {
		return new BCryptPasswordEncoder();
	}
}

Run the app


Run the application using the below maven command –

mvn spring-boot:run

Open the browser and enter the following URL –
http://localhost:8080/home
Screenshot-2021-05-05-at-8-16-42-PM
http://localhost:8080/protected
Screenshot-2021-05-05-at-8-16-16-PM

Enter the username and password which we inserted inside the database. Spring security will authenticate and allow the user to see the contents.

That’s it for this post, if you like this post, share this with your friends and colleagues or you can share this within your social media platform. Thanks, I will see you in our next post.



Bushan Sirgur

Hey guys, I am Bushan Sirgur from Banglore, India. Currently, I am working as an Associate project in an IT company.

Leave a Reply