INTRODUCTION TO SECURITY CHANGES
In the previous post we created the users, their roles and passwords by wiring them directly into the code, since we were still in a test phase. The username, password and roles must instead be stored in the DBMS, with the password encrypted. Spring imposes this on us, but it is in any case a good programming rule. The credentials, USERID and PASSWORD, are stored in the UTENTI table, which has a one-to-one relationship with the CLIENTI table. The PROFILI table stores the user roles; this relationship is one-to-many, since a user can be associated with multiple roles, as we shall see.
USER CREATION WITH ENCRYPTED PASSWORD
The password in the UTENTI table must be stored encrypted (hashed with BCrypt). The first thing to do in the ClientiController.java class is to @Autowired the class that is in charge of encrypting the information:
@Autowired
private BCryptPasswordEncoder passwordEncoder;
Here is the part of the update method where the password is encrypted.
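The following is an added example, not the article's own code nor code from the AlphaShop project, of what the hashing step in the update method of ClientiController can look like. The entity Utenti (with getPassword/setPassword, setUserId, setCodFidelity), a UtentiService exposing SelByUserIdCodFid and Save, the request mapping and the parameter names are assumptions; a BCryptPasswordEncoder bean is assumed to be declared in the security configuration so that the @Autowired above can be resolved.

```java
// Added example: password hashing in the update method of ClientiController.
// Assumed names: Utenti entity, UtentiService (SelByUserIdCodFid, Save),
// mapping "/clienti/update" and the request parameter names.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class ClientiController {

    // Resolved from the BCryptPasswordEncoder @Bean assumed in SecurityConfig
    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    @Autowired
    private UtentiService utentiService;   // assumed service layer over UtentiDao

    @PostMapping("/clienti/update")
    public String update(@RequestParam("userId") String userId,
                         @RequestParam("codFid") String codFid,
                         @RequestParam("password") String rawPassword) {

        Utenti utente = utentiService.SelByUserIdCodFid(userId, codFid);
        if (utente == null) {
            utente = new Utenti();
            utente.setUserId(userId);
            utente.setCodFidelity(codFid);
        }

        // Hash only when the form carries a new password: an empty field on an
        // edit form must not wipe the stored hash, and the stored hash must
        // never be passed through encode() a second time.
        if (rawPassword != null && !rawPassword.isEmpty()) {
            // encode() generates a random salt and returns "$2a$10$..."; the
            // clear text never reaches the UTENTI table.
            utente.setPassword(passwordEncoder.encode(rawPassword));
        }

        utentiService.Save(utente);
        return "redirect:/clienti";
    }

    // Spring Security performs this comparison itself at login, through the
    // encoder registered in SecurityConfig. It is shown here only to make the
    // contract visible: matches() re-hashes the candidate with the salt embedded
    // in the stored hash; a plain string comparison would never succeed.
    boolean checkPassword(String candidate, Utenti utente) {
        return passwordEncoder.matches(candidate, utente.getPassword());
    }
}
```

Because each call to encode() draws a fresh salt, hashing the same password twice yields two different strings; this is expected and is why verification must go through matches() rather than by comparing hashes.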
AUTHENTICATION WITH JPA 2 AND DBMS DATA
As mentioned, the users and profiles that are now hardwired into the SecurityConfig.java configuration class will need to come from the relational database. To do this we create a new class in the service layer, which we will call CustomUserDetailsService.java. Since it is a class in the service layer it carries the @Service annotation; this time we pass a string as the annotation parameter, which effectively gives our service bean a name.
This class must implement the UserDetailsService.java interface, which is critical because it is what allows us to obtain the details of the users.
The UserDetails method will have to handle the CODFIDELITY, the USERID and the PASSWORD, because these are the three pieces of information we included in the UTENTI table. When authenticating, the user will have to enter all three. That said, we also need to retrieve the user's password. To do this we modify the UtentiDao.java class by inserting a new method:
Utenti SelByUserIdCodFid(String UserId, String CodFid);
We create its implementation in the UtentiDaoImpl.java class and expose the same method in the service layer.
Now that we have implemented this new method we continue with the examination of our class. We retrieve the user with the method we just created, create a new UserBuilder object and look up the profiles associated with the user.
NB: IN THE SECURITY CLASSES A FILTER WAS IMPLEMENTED THAT PASSES THE UserId IN THE FORM malbasini@9865234, THAT IS, THE USERNAME IS SEPARATED FROM THE FIDELITY CODE BY THE @ SYMBOL. IF YOU TRY TO ENTER AN EMAIL ADDRESS AS THE USERNAME THE METHOD WILL FAIL, BECAUSE THE SPLIT INSTRUCTION IS APPLIED ON THE @. I INVITE YOU TO CONSULT THE CODE AND ITS COMMENTS.
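As an added example (not the article's code and not the AlphaShop project's), here is a CustomUserDetailsService that does what the paragraphs above describe: it takes the login name in the form userid@codfidelity, looks the user up through SelByUserIdCodFid, and builds a Spring Security UserDetails with the roles read from PROFILI. A UtentiService exposing SelByUserIdCodFid, Utenti.getProfili() returning the PROFILI rows and Profili.getRuolo() returning the role name are assumptions. It goes one step beyond the split described in the NB: splitting on the last @ keeps a user id that is itself an e-mail address intact.

```java
// Added example: UserDetailsService backed by the UTENTI and PROFILI tables.
// Assumed names: UtentiService.SelByUserIdCodFid, Utenti.getProfili(),
// Profili.getRuolo(); Spring Security 5 API.
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.User.UserBuilder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// The string is the bean name that SecurityConfig will reference with @Qualifier
@Service("customUserDetailsService")
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UtentiService utentiService;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The login form submits "userid@codfidelity", e.g. malbasini@9865234.
        // Splitting on the LAST '@' tolerates a user id that contains '@' itself
        // (an e-mail address), which a plain split("@") would break on.
        int at = (username == null) ? -1 : username.lastIndexOf('@');
        if (at <= 0 || at == username.length() - 1) {
            // Same message as "not found": the login page must not reveal whether
            // the format, the user id or the fidelity code was the wrong part.
            throw new UsernameNotFoundException("Invalid credentials");
        }
        String userId = username.substring(0, at);
        String codFid = username.substring(at + 1);

        Utenti utente = utentiService.SelByUserIdCodFid(userId, codFid);
        if (utente == null) {
            throw new UsernameNotFoundException("Invalid credentials");
        }

        // One user, many PROFILI rows: collect the role names (e.g. USER, ADMIN).
        List<String> ruoli = utente.getProfili().stream()
                .map(Profili::getRuolo)
                .collect(Collectors.toList());

        // The stored PASSWORD is already the BCrypt hash written at creation time.
        // It is handed to Spring Security as-is; the encoder registered in
        // SecurityConfig compares the submitted password against it with matches().
        UserBuilder builder = User.withUsername(username);
        builder.password(utente.getPassword());
        builder.roles(ruoli.toArray(new String[0]));   // roles() adds the ROLE_ prefix
        return builder.build();
    }
}
```

The principal kept in the session is the full userid@codfidelity string, so the fidelity code stays available to the rest of the application without a second lookup.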
CHANGING THE SECURITY CONFIGURATION CLASS
The time has now come to use the newly implemented class.
We are using a new annotation, @Qualifier, in which we specify the name of the bean we are autowiring. We then autowire our DataSource, which is normal since we need to retrieve data from our DBMS. The rest of the code has been commented; I invite you to read the comments.
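The following SecurityConfig is an added example, not the article's code, of wiring the named service through @Qualifier and registering the BCrypt encoder that is used both here, to verify passwords at login, and in ClientiController, to hash them at creation. It assumes Spring Boot 2 with Spring Security 5 (WebSecurityConfigurerAdapter); the URL patterns are assumptions. The article also autowires a DataSource; this example does not need one and leaves it out.

```java
// Added example: SecurityConfig using the named CustomUserDetailsService.
// Assumed: Spring Security 5 API, URL patterns /login, /css/**, /admin/**.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The qualifier is the same string passed to @Service("customUserDetailsService");
    // it selects our bean even if other UserDetailsService beans exist.
    @Autowired
    @Qualifier("customUserDetailsService")
    private UserDetailsService userDetailsService;

    // One encoder bean for the whole application: the controller injects it to
    // hash, the authentication provider below uses it to verify.
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // default cost factor 10
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Replaces the in-memory users of the previous post with DBMS lookups
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")   // matches roles("ADMIN") in the service
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login").permitAll()
            .and()
                .logout().permitAll();
    }
}
```

If the encoder registered here differs from the one used when the password was stored, every login fails with bad credentials even though the hash is in the table, so keep a single bean for both sides.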
THE CONTROLLER
NB: EVEN IF THERE ARE NO RECORDS IN THE UTENTI TABLE, THE CONTROLLER CREATES AN ADMIN USER WITH USERNAME=ADMIN, CODFIDELITY=-1 AND A PASSWORD SET IN THE APPLICATION.PROPERTIES FILE, AS SHOWN IN THE IMAGE.
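As an added example (not the article's code), here is a controller that creates the ADMIN user described in the NB when the UTENTI table is empty. The property key admin.password, the class name, a UtentiService with Count and Save, and the Utenti/Profili setters are assumptions.

```java
// Added example: bootstrap of the ADMIN user when UTENTI is empty.
// Assumed names: property "admin.password", UtentiService (Count, Save),
// Utenti and Profili setters.
import java.util.Collections;

import javax.annotation.PostConstruct;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginController {

    // Read from application.properties; the key name is an assumption
    @Value("${admin.password}")
    private String adminPassword;

    @Autowired
    private UtentiService utentiService;

    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    // Runs once after injection, so the ADMIN user exists before the first login
    @PostConstruct
    public void ensureAdminExists() {
        if (utentiService.Count() > 0) {
            return;   // the table already has users, nothing to do
        }

        Utenti admin = new Utenti();
        admin.setUserId("ADMIN");
        admin.setCodFidelity("-1");   // logs in as ADMIN@-1
        // Only the BCrypt hash reaches the DB, even though the clear text
        // comes from application.properties.
        admin.setPassword(passwordEncoder.encode(adminPassword));

        Profili profilo = new Profili();
        profilo.setRuolo("ADMIN");
        profilo.setUtente(admin);
        admin.setProfili(Collections.singletonList(profilo));

        utentiService.Save(admin);
    }

    @GetMapping("/login")
    public String login() {
        return "login";
    }
}
```

The check on Count() keeps the method idempotent across restarts; once any user exists, including a renamed or re-keyed admin, the bootstrap does nothing, so the property value only matters on the very first start.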
DOWNLOAD ARTICLE CODE
The AlphaShopV8.zip project is for the SQL Server DBMS while AlphaShopV9.zip is for MySQL.