How to move username/passwords out of spring-security-context.xml?

Question

I am using Spring Security in one of my project. The web-app requires the user to login. Hence I have added few usernames and passwords in the spring-security-context.xml file as follows:

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user_1" password="password_1" authorities="ROLE_USER" />
            <user name="user_2" password="password_2" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

My question is, how to move these username-password pairs to a different file (like some properties file) instead of keeping them in spring-security-context.xml? And how to read that file properties file?

score 15 · Answer 1 · answered Jun 17 '12 at 23:43

You can store the usernames and passwords in a separate .properties file.

<user-service id="userDetailsService" properties="users.properties"/>

users.properties should have the following format:

jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
bob=bobspassword,ROLE_USER,enabled

If you want to store it in a database, I would recommend you to read this article: http://www.mkyong.com/spring-security/spring-security-form-login-using-database/

Reference: Spring Security In-Memory Authentication

score 2 · Answer 2 · answered Jun 17 '12 at 23:34

2

You can use the PropertyPlaceholderConfigurer - put them in properties file and then reference them using EL:

http://static.springsource.org/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer

answered Jun 17 '12 at 23:34

nickdos

8,348
5
30
47

score 1 · Answer 3 · answered Jun 17 '12 at 22:06

1

You can find a way to move them to a database or LDAP. Spring Security surely supports both.

answered Jun 17 '12 at 22:06

duffymo

305,152
44
369
561

Any link/example? Sorry, I am pretty much new to Spring. – Bhushan Jun 17 '12 at 22:23

score 1 · Answer 4 · edited Jun 12 '14 at 11:10

I have tried the suggested ways lastly I did the following seemed to work nicely

Added these changes in your web xml

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> 

<servlet-mapping>
<servlet-name>service</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Add these changes in your spring-security xml

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="${resource.service.authentication.name}"
authorities="${resource.service.authentication.authorities}"
password="${resource.service.authentication.password}"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>

Add these changes into your application context xml or if you have property-loader xml even better

<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="placeholderPrefix" value="${" />
<property name="placeholderSuffix" value="}" />
<property name="locations">
<list>
<value>classpath:resourceservice.properties</value>
</list>
</property>
</bean>

Then Add these changes in your property file resourceservice.properties

memberservice.authentication.name=usename
memberservice.authentication.authorities=AUTHORISED
memberservice.authentication.password=password

Add these changes in you resource that uses Jersey

@PUT
@Path("{accountId}")
@Consumes("application/xml")
@PreAuthorize("hasRole('AUTHORISED')")
public Response methodName

score 0 · Answer 5 · edited Oct 24 '14 at 18:21

This works for me for Spring security authentication and authorization using Properties file:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"

    xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.2.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <mvc:annotation-driven />

    <bean id="webPropertyConfigurer"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreResourceNotFound" value="true" />
        <property name="ignoreUnresolvablePlaceholders" value="true" />
        <property name="locations">
            <list>
                <value>classpath:abc.properties</value>
            </list>
        </property>
    </bean>

    <bean
        class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor" />

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/stat/login" access="permitAll"/>
        <security:intercept-url pattern="/stat/summary" access="hasRole('ROLE_ADMIN')" />

        <security:form-login login-page="/stat/login"
            default-target-url="/stat/summary" authentication-failure-url="/stat/loginError" /> 
    </security:http>
    <!-- Username and password used from xml -->
    <!-- <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="xyz" password="xyz" authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager> -->

    <security:authentication-manager>
        <security:authentication-provider>
             <security:user-service>
        <security:user name="${stat.user}" password="${stat.pwd}" authorities="ROLE_ADMIN" />
        </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager> 
</beans>

The abc.properties file:

stat.user=xyz
stat.pwd=xyz

The web.xml entry for spring-security implementation:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

score 0 · Answer 6 · answered Nov 06 '20 at 10:50

You can simply add Bean inside your Spring Security Configuration :

@Bean
public UserDetailsService userDetailsService() {
   Properties users = PropertiesLoaderUtils.loadAllProperties("users.properties");
   return new InMemoryUserDetailsManager(users);
}

and users.properties looks like :

admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
bob={noop}password,ROLE_USER,enabled
123={noop}123,ROLE_USER,enabled

How to move username/passwords out of spring-security-context.xml?

6 Answers6

Linked

Related