Acegi Security in one hour

A concise guide to securing your Java Web applications

Page 3 of 7

The job of the AuthenticationProvider is to check the validity of the Authentication request object. Listing 7 uses DaoAuthenticationProvider to check user credentials. User-credential details are captured with UserDetailsService (specified by the userDetailsService bean definition). The definition of AuthenticationProvider is shown in Listing 8. It uses InMemoryDaoImpl as the UserDetailsService implementation.

Listing 8. AuthenticationProvider definition

<bean id="daoAuthenticationProvider"
    class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService"><ref local="userDetailsService"/></property>
    <property name="userCache">
    ...
    </property>
  </bean>
  
  <bean id="userDetailsService"
    class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userProperties">
      <bean
        class="org.springframework.beans.factory.config.PropertiesFactoryBean">
        <property name="location"
          value="/WEB-INF/users.properties" />

      </bean>
    </property>
  </bean>

Normally you'd write a custom UserDetailsService implementation that extracts the user information from a data store (such as a database or XML file). But often such a complex implementation isn't required, especially at the beginning of integrating Acegi security. You really don't want to spend much time writing database-based UserDetailsService implementations at this point. Instead, the InMemoryDaoImpl implementation comes in handy. In this case, you keep username, password, and role information inside users.properties.

Listing 9 shows a sample of users.properties. Note that the property's key is the username, and the property's value contains password and role information.

Listing 9. User information

james=tom@1231,ROLE_TECHNICIAN
krishna=krish2341,ROLE_TECHNICIAN
smith=pravah@001,ROLE_ADMIN
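The article says you would normally write your own UserDetailsService; the class below is an added illustration of one for the users.properties format shown above, not code from the article or from Acegi. The class name PropertiesUserDetailsService, the sample entry in main, and the rule that an account with no roles is rejected are my own assumptions; it can be declared as the userDetailsService bean in place of InMemoryDaoImpl.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

// Hypothetical UserDetailsService for the Listing 9 format:
// username=password,ROLE_A,ROLE_B. It only loads the stored record;
// DaoAuthenticationProvider compares the submitted password itself.
public class PropertiesUserDetailsService implements UserDetailsService {
    private final Properties users;
    public PropertiesUserDetailsService(Properties users) {
        this.users = users;
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        String entry = users.getProperty(username);
        if (entry == null) {
            // DaoAuthenticationProvider hides this behind a generic BadCredentialsException
            // by default, so a login form cannot distinguish a missing user from a wrong password.
            throw new UsernameNotFoundException("No such user: " + username);
        }
        String[] parts = entry.split(",");
        List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().length() > 0) {
                roles.add(new GrantedAuthorityImpl(parts[i].trim()));
            }
        }
        if (roles.isEmpty()) { // assumed policy: no roles means no login
            throw new UsernameNotFoundException("No roles for: " + username);
        }
        GrantedAuthority[] auths = roles.toArray(new GrantedAuthority[roles.size()]);
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
        return new User(username, parts[0].trim(), true, true, true, true, auths);
    }

    public static void main(String[] args) throws IOException {
        Properties p = new Properties(); // constructed sample, not a real file
        p.load(new ByteArrayInputStream("smith=pravah@001,ROLE_ADMIN\n".getBytes()));
        UserDetails u = new PropertiesUserDetailsService(p).loadUserByUsername("smith");
        System.out.println(u.getUsername() + " has " + u.getAuthorities()[0].getAuthority());
    }
}
```

Because the provider, not the service, performs the password comparison, the same class works unchanged if a passwordEncoder is later configured on DaoAuthenticationProvider and the stored values become hashes instead of the plaintext shown in Listing 9.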

Keep in mind that you can use any implementation of UserDetailsService -- including JdbcDaoImpl, which is readily provided by the Acegi Security framework -- to validate user credentials. Listing 10 shows a modified definition of the userDetailsService Spring bean using JdbcDaoImpl.

Listing 10. Modified userDetailsService definition

<bean id="daoAuthenticationProvider"
  class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
  <property name="userCache">
  ...
  </property>
</bean>
<bean id="jdbcDaoImpl"
  class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
  <property name="dataSource">
    <ref bean="dataSource" />
  </property>
</bean>

You've now completed the authentication phase of the Acegi Security implementation. The authentication process establishes the user's identity in the application. The system still needs to know whether the user is authorized to view the requested page, however. This is the job of authorization.
