
Wednesday, 8 June 2011

Custom Roles in Spring Security

By default, Spring Security's RoleVoter only considers authorities that begin with the prefix ROLE_, which is why roles are normally written as 'ROLE_ADMIN' and 'ROLE_USER'; an authority with any other name is simply ignored when an intercept-url is checked.
We can change this default behaviour by changing the voter's rolePrefix from "ROLE_" to "" (the empty string).
In order to achieve this, we add the following beans to the applicationContext-security.xml of our Login Example, and point the http element at the new manager with access-decision-manager-ref="accessDecisionManager" (without that reference the default voters stay in force and the beans below are never consulted).
    <beans:bean id="roleVoter"
        class="org.springframework.security.vote.RoleVoter">
        <beans:property name="rolePrefix" value="" />
    </beans:bean>
    <beans:bean id="authenticatedVoter"
        class="org.springframework.security.vote.AuthenticatedVoter" />
    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:ref bean="roleVoter" />
                <beans:ref bean="authenticatedVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>
After this, we can use our custom roles 'admin' and 'user' instead of 'ROLE_ADMIN' and 'ROLE_USER'. Note that with an empty prefix the RoleVoter treats every access attribute as a role name, including IS_AUTHENTICATED_ANONYMOUSLY; such requests still pass because AffirmativeBased lets the AuthenticatedVoter's single grant win, so keep both voters in the list.
<authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
        <user name="sandeep" password="00f1de4e151ccfc1fc9ff735a5efc479" authorities="admin,user" />
        <user name="vijay" password="e555f863fb09593119fe2f3459e9783a" authorities="user" />
    </user-service>
</authentication-provider>
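To make the effect of the prefix concrete, here is a small Python model of the three classes configured above (RoleVoter, AuthenticatedVoter, AffirmativeBased). It is written for this page; it is not Spring code and not part of the original post. It reproduces the voting rules of the Spring classes: RoleVoter abstains on attributes that lack its prefix and denies when a matching attribute is present but the user does not hold it; AffirmativeBased allows as soon as one voter grants. The unanimous_based function and the sample users are additions to show the pitfall an empty prefix creates once a stricter manager is used.

```python
"""Added example (Python, not Spring code): a model of RoleVoter, AuthenticatedVoter and the
AffirmativeBased / UnanimousBased decision managers, to show what rolePrefix="" changes."""

GRANTED, DENIED, ABSTAIN = 1, -1, 0
# AuthenticatedVoter's authentication levels, weakest to strongest.
ANONYMOUSLY, REMEMBERED, FULLY = 0, 1, 2


class Authentication:
    """The authenticated principal: its granted authorities and how it logged in."""

    def __init__(self, authorities, level=FULLY):
        self.authorities = set(authorities)
        self.level = level


class RoleVoter:
    """Votes only on attributes that start with role_prefix; abstains on all others."""

    def __init__(self, role_prefix="ROLE_"):
        self.role_prefix = role_prefix

    def vote(self, auth, attributes):
        result = ABSTAIN
        for attr in attributes:
            if not attr.startswith(self.role_prefix):
                continue
            result = DENIED  # a role attribute is present, so abstaining is no longer allowed
            if attr in auth.authorities:
                return GRANTED
        return result


class AuthenticatedVoter:
    """Votes only on the IS_AUTHENTICATED_* attributes."""

    LEVELS = {"IS_AUTHENTICATED_ANONYMOUSLY": ANONYMOUSLY,
              "IS_AUTHENTICATED_REMEMBERED": REMEMBERED,
              "IS_AUTHENTICATED_FULLY": FULLY}

    def vote(self, auth, attributes):
        result = ABSTAIN
        for attr in attributes:
            if attr not in self.LEVELS:
                continue
            result = DENIED
            if auth.level >= self.LEVELS[attr]:
                return GRANTED
        return result


def affirmative_based(voters, auth, attributes, allow_if_all_abstain=False):
    """One GRANTED vote is enough; otherwise deny (also when everyone abstains, by default)."""
    denied = 0
    for voter in voters:
        vote = voter.vote(auth, attributes)
        if vote == GRANTED:
            return True
        if vote == DENIED:
            denied += 1
    return denied == 0 and allow_if_all_abstain


def unanimous_based(voters, auth, attributes, allow_if_all_abstain=False):
    """Each attribute is voted on separately; one DENIED vote anywhere refuses access."""
    granted = denied = 0
    for attr in attributes:
        for voter in voters:
            vote = voter.vote(auth, [attr])
            if vote == GRANTED:
                granted += 1
            elif vote == DENIED:
                denied += 1
    if denied:
        return False
    return granted > 0 or allow_if_all_abstain


def decide(manager, role_prefix, auth, attributes):
    """Wire the two voters from the post's XML with the given prefix and ask the manager."""
    return manager([RoleVoter(role_prefix), AuthenticatedVoter()], auth, attributes)


if __name__ == "__main__":
    sandeep = Authentication({"admin", "user"})                    # the post's custom roles
    anonymous = Authentication({"ROLE_ANONYMOUS"}, level=ANONYMOUSLY)
    # Default prefix: "admin" is not a ROLE_ attribute, both voters abstain, access is denied.
    print(decide(affirmative_based, "ROLE_", sandeep, ["admin"]))  # False
    # Empty prefix: RoleVoter now considers "admin" and grants.
    print(decide(affirmative_based, "", sandeep, ["admin"]))       # True
    # With an empty prefix RoleVoter also votes (DENIED) on IS_AUTHENTICATED_ANONYMOUSLY.
    # AffirmativeBased still allows because AuthenticatedVoter grants ...
    print(decide(affirmative_based, "", anonymous, ["IS_AUTHENTICATED_ANONYMOUSLY"]))  # True
    # ... but a UnanimousBased manager would now lock anonymous users out.
    print(decide(unanimous_based, "", anonymous, ["IS_AUTHENTICATED_ANONYMOUSLY"]))    # False
```

The first two calls are the reason for the prefix change: with the default prefix a user holding 'admin' is denied on an intercept-url requiring admin because nobody votes at all. The last two show the cost of the change: once the prefix is empty, every non-role attribute is also judged by the RoleVoter, which only stays harmless while the manager is AffirmativeBased.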

Configuring Logout in Spring Security

We will change the applicationContext-security.xml of our login example to configure logout by adding a logout tag to the http section.
<http auto-config="true" access-denied-page="/deniedPage.jsp">
    <intercept-url pattern="/securePage**" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login.jsp"
                default-target-url="/securePage.jsp"
                authentication-failure-url="/login.jsp" />
    <logout logout-url="/j_spring_security_logout"
            invalidate-session="true"
            logout-success-url="/login.jsp" />
</http>
With this configuration, a request to /j_spring_security_logout invalidates the HTTP session (invalidate-session="true" is also the default) and redirects the browser to the login page. Because the logout URL is triggered by a plain GET, any page that can make the browser request it can log the user out; later Spring Security versions require a POST for this reason.

Using Spring Security with JDBC

First we need two tables. These are the users and authorities tables that Spring Security's default JDBC queries expect, so we will execute the following statements to create them (MySQL syntax).
create table users (
    username varchar(50) not null primary key,
    password varchar(50) not null,
    enabled boolean not null
);

create table authorities (
    username varchar(50) not null,
    authority varchar(50) not null,
    foreign key (username) references users (username),
    unique index ix_auth_username (username, authority)
);
Then we will insert some data into the tables. The password column holds the same MD5 hashes that the in-memory examples on this page use.
INSERT INTO users VALUES ('sandeep', '00f1de4e151ccfc1fc9ff735a5efc479', true);
INSERT INTO users VALUES ('vijay',   'e555f863fb09593119fe2f3459e9783a', true);
INSERT INTO authorities VALUES ('sandeep', 'ROLE_ADMIN');
INSERT INTO authorities VALUES ('sandeep', 'ROLE_USER');
INSERT INTO authorities VALUES ('vijay',   'ROLE_USER');
Now we will change the applicationContext-security.xml of our login example to configure JDBC: the in-memory user-service inside the authentication-provider is replaced by the namespace's jdbc-user-service element, whose data-source-ref attribute points at the DataSource bean defined below, and the password-encoder stays in place so that the MD5 hashes stored in the users table are compared correctly.
Finally, we need the 'datasource.xml' that defines the DataSource bean. This is based on MySQL and uses the following connection properties:
    driver class: com.mysql.jdbc.Driver
    URL:          jdbc:mysql://localhost:3306/test
    username:     root
    password:     sandeep
Connecting the application as the MySQL root user, with the password in plain text in the configuration, is acceptable for a local example only; a dedicated database account with no more rights than the two tables need is the safer choice.
Using MD5 Encrypted Password in Spring Security

We need the following changes in the applicationContext-security.xml of our login example, so that stored passwords are MD5 hashes rather than plain text:
<authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
        <user name="sandeep" password="00f1de4e151ccfc1fc9ff735a5efc479" authorities="ROLE_ADMIN, ROLE_USER"/>
        <user name="vijay" password="e555f863fb09593119fe2f3459e9783a" authorities="ROLE_USER"/>
    </user-service>
</authentication-provider>
Here, "00f1de4e151ccfc1fc9ff735a5efc479" is the MD5 hash of "swastik". MD5 is a hash function, not encryption: the password cannot be decrypted from the value, but it can be guessed, and an unsalted, fast hash like MD5 is easily reversed with word lists and precomputed tables. At a minimum add a salt-source child element to the password-encoder (a user property such as the username works), and prefer a purpose-built password hash where the Spring Security version allows it.
We can use http://md5encrypter.com/ to compute the hash, but submitting a real password to a third-party website is a bad habit; compute it locally with a command-line tool instead.
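As an added example that is not from the post, the following Python script models what the JDBC section and the MD5 section above combine to do. It creates the users and authorities tables in an in-memory SQLite database (the unique index is written in portable SQL rather than MySQL syntax), runs the two lookup queries that Spring Security's JdbcDaoImpl uses by default, and compares passwords as unsalted MD5 hex digests the way <password-encoder hash="md5"/> does. The accounts and the word list are constructed for the example. The last two calls show why this storage is weak: a short word list recovers an unsalted hash, while the same list fails against the password{salt} form that a salt-source child would produce.

```python
"""Added example (not from the post): a Python/sqlite3 model of Spring Security's JdbcDaoImpl
lookups and <password-encoder hash="md5"/>, plus a demonstration of why unsalted MD5 is weak."""
import hashlib
import hmac
import sqlite3

# Spring Security's default user and authority queries (JdbcDaoImpl).
USERS_BY_USERNAME = "select username, password, enabled from users where username = ?"
AUTHORITIES_BY_USERNAME = "select username, authority from authorities where username = ?"

# The post's two tables; the MySQL 'unique index' clause is written as a plain unique constraint.
SCHEMA = """
create table users (
    username varchar(50) not null primary key,
    password varchar(50) not null,
    enabled  boolean     not null);
create table authorities (
    username  varchar(50) not null,
    authority varchar(50) not null,
    foreign key (username) references users (username),
    unique (username, authority));
"""


def md5_hex(password, salt=None):
    """salt=None is what hash="md5" without a salt-source stores (lowercase hex of MD5(password)).
    With a salt the merge follows Spring's MessageDigestPasswordEncoder: MD5("password{salt}")."""
    data = password if salt is None else "%s{%s}" % (password, salt)
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def new_db(users):
    """Build the database from constructed (username, plaintext, enabled, [authorities]) rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, plaintext, enabled, roles in users:
        conn.execute("insert into users values (?, ?, ?)", (name, md5_hex(plaintext), enabled))
        conn.executemany("insert into authorities values (?, ?)", [(name, r) for r in roles])
    return conn


def authenticate(conn, username, password):
    """Return the user's authorities on success; None for unknown user, bad password or disabled."""
    row = conn.execute(USERS_BY_USERNAME, (username,)).fetchone()
    if row is None:
        return None
    _, stored_hash, enabled = row
    if not enabled or not hmac.compare_digest(stored_hash, md5_hex(password)):
        return None
    return {authority for _, authority in conn.execute(AUTHORITIES_BY_USERNAME, (username,))}


def crack_md5(stored_hash, wordlist):
    """Unsalted MD5: one digest per candidate word is enough, and identical passwords share a hash."""
    for word in wordlist:
        if md5_hex(word) == stored_hash:
            return word
    return None


if __name__ == "__main__":
    # Constructed sample accounts, not the post's users.
    conn = new_db([("alice", "swordfish", True, ["ROLE_ADMIN", "ROLE_USER"]),
                   ("bob", "letmein", True, ["ROLE_USER"]),
                   ("carol", "swordfish", False, ["ROLE_USER"])])
    print(sorted(authenticate(conn, "alice", "swordfish")))   # ['ROLE_ADMIN', 'ROLE_USER']
    print(authenticate(conn, "alice", "wrong"))               # None
    print(authenticate(conn, "carol", "swordfish"))           # None (account disabled)
    stored = conn.execute("select password from users where username = 'bob'").fetchone()[0]
    wordlist = ["password", "letmein", "swordfish"]
    print(crack_md5(stored, wordlist))                        # letmein
    print(crack_md5(md5_hex("letmein", salt="bob"), wordlist))  # None: the plain list no longer matches
```

The authenticate function deliberately returns the same None for an unknown user, a wrong password and a disabled account, which is also what the login page sees from Spring (a generic failure); the distinction is only useful in server-side logs.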