How can I add newly signed up user in the Spring boot security config?

Question

I am working Spring-Boot, Spring Security with basic Authentication. I will send login url from my client application written in AngularJS via RESTful API call.

Everything works as expected. All the users in the DB configured in the SecurityConfiguration.java as below.

@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {

    List<User> users = userService.getUsers();
    for (User user : users) {
        auth.inMemoryAuthentication().withUser(user.getUserName()).password(user.getPassword())
                .roles(user.getRole().getName());
    }
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable().authorizeRequests().antMatchers("/server/rest/secure/**")
    .hasRole("ADMIN").and()
            .httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint());
}

@Bean
public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint() {
    return new CustomBasicAuthenticationEntryPoint();
}

CustomBasicAuthenticationEntryPoint.java

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

@Override
public void commence(final HttpServletRequest request, 
        final HttpServletResponse response, 
        final AuthenticationException authException) throws IOException, ServletException {

    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.addHeader("WWW-Authenticate", "Basic realm=" + getRealmName() + "");

    PrintWriter writer = response.getWriter();
    writer.println("HTTP Status 401 : " + authException.getMessage());
    response.setHeader("WWW-Authenticate", "FormBased");
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
}

@Override
public void afterPropertiesSet() throws Exception {
    setRealmName("MY_TEST_REALM");
    super.afterPropertiesSet();
}
}

So If I signup a new user which will inserted in the DB but not added in the above implementation. So authentication fails.

How can refresh the above implementation whenever i'm and doing signup of a new user

Answer 1

When doing authentication with db, you should do the following:

@Service("userDetailsService")
@Transactional
public class MUserDetailService implements UserDetailsService {

    @Autowired
    AppUserDao appUserDao;

    @Override
    public UserDetails loadUserByUsername(final String appUserName) throws UsernameNotFoundException {

        AppUser appUser = appUserDao.findByName(appUserName);
        if (appUser == null) throw new UsernameNotFoundException(appUserName);
        else{
            return new User(appUser.getUsername(),appUser.getPassword(),appUser.getActive(),true,true,true,getGrantedAuthorities(appUser));
        }
    }

    private List<GrantedAuthority> getGrantedAuthorities(AppUser appUser){
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

        for (Authority authority : appUser.getAuthorities()){
            authorities.add(new SimpleGrantedAuthority(authority.getAuthorityName()));
        }
        return authorities;
    }
}

and then define SecurityConfiguration as follows:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;


    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }
}