Spring Security JDBC Authentication with Password Encryption

I published a basic level tutorial on how to implement JDBC Authentication and Authorization using Spring Security last week. There are a few best practices to follow when implementing security. One important practice is password encryption, and that is what I cover in this article.

I updated the project I implemented for the previous tutorial to cover the following best practices,

1. Edited the MySQL queries to use userid as the foreign key instead of username. This helps if a username ever needs to be changed in the future.

2. Replaced the plain-text passwords stored in the database with encrypted passwords. This is very important. If the database is ever compromised, all the plain-text passwords are exposed, and that would be a disaster. So passwords must be protected with a good hashing algorithm that is very hard for an attacker to crack. Spring Security supports one of the best password hashing algorithms, bcrypt. I found an interesting article about using bcrypt here; you can read it for a quick look at what it is.

3. Used Spring Security's default BCryptPasswordEncoder to handle bcrypt-encoded passwords.

4. Separated database, authentication and authorization related configuration from mvc configuration.

Let me now go step by step and explain the changes to be made.

1. First download the existing project from here.

2. Execute the MySQL queries below:

-- Drop the child table first: user_roles has a foreign key to users.
DROP TABLE IF EXISTS user_roles;
DROP TABLE IF EXISTS users;
CREATE TABLE users (
  userid VARCHAR(5) NOT NULL,
  username VARCHAR(45) NOT NULL ,
  password VARCHAR(60) NOT NULL ,
  enabled TINYINT NOT NULL DEFAULT 1 ,
  PRIMARY KEY (userid));
  
CREATE TABLE user_roles (
  user_role_id int(11) NOT NULL AUTO_INCREMENT,
  userid varchar(5) NOT NULL,
  role varchar(45) NOT NULL,
  PRIMARY KEY (user_role_id),
  UNIQUE KEY uni_username_role (role,userid),
  KEY fk_username_idx (userid),
  CONSTRAINT fk_username FOREIGN KEY (userid) REFERENCES users (userid));

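-- The $2a$04$ prefix means these sample hashes use bcrypt cost factor 4,
-- the lowest bcrypt allows; BCryptPasswordEncoder's default strength is 10.
INSERT INTO users(userid,username,password,enabled)
VALUES ('001','priya','$2a$04$CO93CT2ObgMiSnMAWwoBkeFObJlMYi/wzzOnPlsTP44r7qVq0Jln2', true);
INSERT INTO users(userid,username,password,enabled)
VALUES ('002','naveen','$2a$04$j3JpPUp6CTAe.kMWmdRNC.Wie58xDNPfcYz0DBJxWkucJ6ekJuiJm', true);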

INSERT INTO user_roles (userid, role)
VALUES ('002', 'ROLE_USER');
INSERT INTO user_roles (userid, role)
VALUES ('001', 'ROLE_ADMIN');
INSERT INTO user_roles (userid, role)
VALUES ('001', 'ROLE_USER');

Note that I have converted the plain-text passwords to encrypted passwords. I used this online bcrypt calculator to convert the passwords to bcrypt-encoded hash values. You can do the same or use this small utility class to find out:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class EncryptPassword {

    public static void main(String[] args) throws Exception {
        // Hashing locally keeps the plain-text password off third-party sites.
        // The no-argument constructor uses the default strength (cost factor) of 10.
        String cryptedPassword = new BCryptPasswordEncoder().encode("password");
        System.out.println(cryptedPassword);
    }
}

3. Add a new class in the hello package to hold all authentication-related configuration for better clarity:

AuthenticationProviderConfig.java


package hello;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

@Configuration
public class AuthenticationProviderConfig {

    // Demo connection settings for a local database; in a real deployment
    // load the credentials from external configuration and do not use root.
    @Bean(name = "dataSource")
    public DriverManagerDataSource dataSource() {
        DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
        driverManagerDataSource.setDriverClassName("com.mysql.jdbc.Driver");
        driverManagerDataSource.setUrl("jdbc:mysql://localhost:3306/userbase");
        driverManagerDataSource.setUsername("root");
        driverManagerDataSource.setPassword("root");
        return driverManagerDataSource;
    }

    // Loads users and their roles with custom queries; roles are joined on userid.
    @Bean(name = "userDetailsService")
    public UserDetailsService userDetailsService() {
        JdbcDaoImpl jdbcImpl = new JdbcDaoImpl();
        jdbcImpl.setDataSource(dataSource());
        jdbcImpl.setUsersByUsernameQuery("select username,password, enabled from users where username=?");
        jdbcImpl.setAuthoritiesByUsernameQuery("select b.username, a.role from user_roles a, users b where b.username=? and a.userid=b.userid");
        return jdbcImpl;
    }
}


4. Remove the datasource configuration from MvcConfig.java. MvcConfig should now contain only MVC-related configuration, like this:

MvcConfig.java

package hello;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter{

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
        registry.addViewController("/403").setViewName("403");
    }

    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/jsp/");
        resolver.setSuffix(".jsp");
        return resolver;
    }
}

5. Now add the password encoder to the security configuration class.

WebSecurityConfig.java


package hello;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;

    // Check submitted passwords against the bcrypt hashes loaded by userDetailsService.
    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordencoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/hello").access("hasRole('ROLE_ADMIN')")
                .anyRequest().permitAll()
            .and()
                .formLogin().loginPage("/login")
                .usernameParameter("username").passwordParameter("password")
            .and()
                .logout().logoutSuccessUrl("/login?logout")
            .and()
                .exceptionHandling().accessDeniedPage("/403")
            .and()
                .csrf();
    }

    @Bean(name = "passwordEncoder")
    public PasswordEncoder passwordencoder() {
        return new BCryptPasswordEncoder();
    }
}

It's very simple. Just create an object of Spring Security's default BCryptPasswordEncoder, set it on the AuthenticationManagerBuilder, and we are done!

The user types the password as plain text on the website, and Spring Security validates it against the bcrypt-encoded password stored in the database.
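
The validation step described above, as an added example that is not part of the original project: it reads the cost factor out of a stored hash, shows that the same password hashes differently each time yet still verifies, and goes one step beyond the tutorial by re-hashing at a higher cost after a successful login. The names BcryptCostCheck, costOf, verifyAndUpgrade and TARGET_COST are hypothetical, the sample password is constructed, and spring-security-crypto is assumed to be on the classpath.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptCostCheck {

    // Layout of a bcrypt string: $2a$<2-digit cost>$<22-char salt><31-char digest>
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$2[aby]?\\$(\\d\\d)\\$[./0-9A-Za-z]{53}$");

    // Assumed policy for this example; 10 is BCryptPasswordEncoder's default strength.
    static final int TARGET_COST = 10;

    /** Returns the cost factor embedded in a stored hash, or -1 if it is not bcrypt. */
    static int costOf(String storedHash) {
        Matcher m = BCRYPT.matcher(storedHash);
        return m.matches() ? Integer.parseInt(m.group(1)) : -1;
    }

    /**
     * Verifies a login attempt. Returns null on failure; on success returns the
     * hash to store from now on (re-hashed if the old cost was below the target).
     */
    static String verifyAndUpgrade(String rawPassword, String storedHash) {
        PasswordEncoder target = new BCryptPasswordEncoder(TARGET_COST);
        // matches() takes the salt and cost from storedHash itself, so an encoder
        // built with one strength can verify a hash created with another.
        if (costOf(storedHash) < 0 || !target.matches(rawPassword, storedHash)) {
            return null;
        }
        return costOf(storedHash) < TARGET_COST ? target.encode(rawPassword) : storedHash;
    }

    public static void main(String[] args) {
        // Hash copied from the INSERT statement in step 2 of this tutorial.
        String fromPage = "$2a$04$CO93CT2ObgMiSnMAWwoBkeFObJlMYi/wzzOnPlsTP44r7qVq0Jln2";
        System.out.println("cost of tutorial hash: " + costOf(fromPage));

        // Constructed sample: hash one password twice at the minimum cost.
        PasswordEncoder weak = new BCryptPasswordEncoder(4);
        String h1 = weak.encode("s3cret-sample");
        String h2 = weak.encode("s3cret-sample");
        System.out.println("same password, different hashes: " + !h1.equals(h2));
        System.out.println("both verify: " + (weak.matches("s3cret-sample", h1)
                && weak.matches("s3cret-sample", h2)));

        String upgraded = verifyAndUpgrade("s3cret-sample", h1);
        System.out.println("cost after successful login: " + costOf(upgraded));
        System.out.println("wrong password rejected: "
                + (verifyAndUpgrade("guess", h1) == null));
    }
}
```

In an application the value returned by verifyAndUpgrade would be written back to the users.password column, which already has room for the 60-character result.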

You can download this updated project from the link below.

DOWNLOAD


Post a Comment

  2. please post spring mvc with maven and db connectivity program

  3. Hi, this is a very good example and works well. I am just new and learning this. How can I add a new registration page after the welcome page? I created the JSP and made the MVC config changes but am not sure how to change the settings in WebSecurityConfig.java. Can you please help me?
