I have this controller
#Controller
#RequestMapping("/")
public class UserController {
#Autowired
private UserServices userServices;
public String em;
#GetMapping("/settings")
public String showProfilePage(Model model, #ModelAttribute User user){
em=user.getEmail();
model.addAttribute("user",user);
return "editprofile";
}
#PostMapping("/settings")
public String updateProfile(Model model,#ModelAttribute User user,BindingResult bindingResult,Principal principal){
if(bindingResult.hasErrors()){
return "/editprofile";
}
if(userServices.isUserPresentUpdate(user.getEmail(),em)){
model.addAttribute("exist",true);
return "/editprofile";
}
userServices.update(user);
return "redirect:/settings";
}
#GetMapping("/settings/password")
public String passwordEdit(Model model, #ModelAttribute User user){
model.addAttribute("user",user);
return "editprofilepassword";
}
#PostMapping("/settings/password")
public String passwordUpdate(#ModelAttribute User user, BindingResult bindingResult){
if(bindingResult.hasErrors()){
return "editprofilepassword";
}
userServices.updateHeslo(user);
return "redirect:/settings";
}
#ModelAttribute("user")
public User getUser() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
UserDetails userDetail = (UserDetails) auth.getPrincipal();
User u = userServices.findByEmail(userDetail.getUsername());
return u.getId() !=null ? userServices.findOne(u.getId()) : new User();
}
}
I'm looking for a method that changes principal name or any other solutions.
Every time I change the email in /settings, the email gets changed, but the principal name is still the same and it breaks.
Related
I have a UserController that receives a UserDTO and creates/updates the user in the DB. The problem I'm getting is that I also have a login, and when I insert the username and password on the login form, I always get the 'Wrong Password.' exception, despite the credentials being correctly inserted.
One thing I suspect is that BCrypt is to blame, since due to the fact that it generates random salt while encoding, maybe, just maybe, the cipher text ends up being different and stuff, which is weird, since I assume that it should work. I want to know how can I fix this problem of the hashing being different & not being able to validate the userCredentials
I have tried for example encoding the received password and using the matches method via my autowired passwordEncoder, and I'm using my own authProvider.
Here's the code, let me know if you need anything else.
CustomAuthProvider.java
#Service
public class CustomAuthProvider implements AuthenticationProvider {
private final UserServiceImpl userServiceImpl;
private final BCryptPasswordEncoder passwordEncoder;
#Autowired
public CustomAuthProvider(UserServiceImpl userServiceImpl, BCryptPasswordEncoder passwordEncoder) {
this.userServiceImpl = userServiceImpl;
this.passwordEncoder = passwordEncoder;
}
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
String password = authentication.getCredentials().toString();
UserDetails userDetails = userServiceImpl.loadUserByUsername(username);
if (!passwordEncoder.matches(password, userDetails.getPassword())) { //The problem is here evidently.
throw new BadCredentialsException("Wrong password.");
}
return new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
Also, here's the loadUserByUsername method:
UserServiceImpl.java
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserDTO user = this.getUserByUsername(username);
User anUser = convertToUser(user);
ModelMapper modelMapper = new ModelMapper();
return modelMapper.map(anUser,UserPrincipal.class);
}
}
And here is the save method I use to save and update users, as well as the LoginController;
#Override
public void save(UserDTO user) {
User aUser = this.convertToUser(user);
aUser.setPassword(passwordEncoder.encode(aUser.getPassword()));
this.userRepository.save(aUser); }
LoginController.java:
#RestController
public class LoginController{
private final CustomAuthProvider providerManager;
#Autowired
public LoginController(CustomAuthProvider providerManager) {
this.providerManager = providerManager;
}
#GetMapping("/login")
public String login() {
return "login";
}
#PostMapping("/login")
public String login(#RequestParam("username") #NotBlank String username,
#RequestParam("password") #NotBlank String password, Model model) {
if(username == null || password == null) { //This is probably not necessary
model.addAttribute("error", "Invalid credentials");
return "login";
}
try {
Authentication auth = providerManager.authenticate(
new UsernamePasswordAuthenticationToken(username, password)
);
SecurityContextHolder.getContext().setAuthentication(auth);
return "redirect:/notes";
} catch (AuthenticationException e) {
model.addAttribute("error", "Invalid credentials");
return "login";
}
}
}
UserPrincipal.java
#Data
public class UserPrincipal implements Serializable , UserDetails {
int id;
private String username;
private String password;
private Date accountCreationDate = new Date();
#Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return null;
}
#Override
public boolean isAccountNonExpired() {
return false;
}
#Override
public boolean isAccountNonLocked() {
return false;
}
#Override
public boolean isCredentialsNonExpired() {
return false;
}
#Override
public boolean isEnabled() {
return false;
}
}
UserDTO.java
#Data
public class UserDTO implements Serializable {
int id;
private String username;
private String password;
private List<Note> notes = new ArrayList<>();
}
I read several issues related to this topic, like
Spring Boot PasswordEncoder.matches always false
Spring Security - BcryptPasswordEncoder
Inconsistent hash with Spring Boot BCryptPasswordEncoder matches() method
How can bcrypt have built-in salts?
Decode the Bcrypt encoded password in Spring Security to deactivate user account
but none of those helped me solve my issue and there was no real solution to the problem since most of them don't even have an accepted answer.
EDIT: Found out that the 'matches' method only works if I insert the hashed password, not the raw password.
Found out my mistake:
The setPassword method in the User class was re-hashing the hashed password which was already being hashed on the save method, thus the modelMapper.map() method used that setPassword method, therefore the passwords never matched and the password I got from the user class never matched the actual password I could see on my database.
hi i have a problem with my project (small blog site) that i can't handle for a while
that's my LoginController
'''
#Controller
#SessionAttributes("currentUser")
public class LoginController {
#Autowired
UserService userService;
#ModelAttribute("currentUser")
public User setUpUserForm() {
return new User();
}
#RequestMapping(value="/login",method = RequestMethod.GET)
public String showLoginPage() {
return "loginsite";
}
#RequestMapping(value="/login",method=RequestMethod.POST)
public String userLogin(#ModelAttribute("currentUser") User user,ModelMap model,#RequestParam String login,#RequestParam String password) {
if(userService.checkUserLoginData(login, password)==true) {
user=userService.getUserByLogin(login);
System.out.println("Logged in user");
System.out.println("ID:"+user.getUserId());
System.out.println("Login:"+user.getLogin());
System.out.println("Password:"+user.getPassword());
System.out.println("Email:"+user.getEmail());
return "welcomesite";
}else {
model.put("message", "Check your login and password ! ");
return "loginsite";
}
}
}
'''
that's my UserController
'''
#Controller
public class UserController {
#Autowired
UserService userService;
#RequestMapping(value="/",method = RequestMethod.GET)
public String posts() {
return "redirect:/posts";
}
#RequestMapping(value="/createaccount",method = RequestMethod.GET)
public String showRegisterPage() {
return "registrationpage";
}
#RequestMapping(value="/createaccount",method = RequestMethod.POST)
public String createAccount(ModelMap model,#RequestParam String login,#RequestParam String password,#RequestParam String email) {
userService.addUser(new User(login,password,email));
return "redirect:/login";
}
#RequestMapping(value="/login/accountsettings",method = RequestMethod.GET)
public String showAccountSettings(#SessionAttribute("currentUser") User user) {
System.out.println("amil"+user.getEmail());
return "userSettings";
}
#RequestMapping(params="update",value="/login/accountsettings",method = RequestMethod.POST)
public String updateAccountSettings(#SessionAttribute("currentUser") User user,#RequestParam String login,#RequestParam String password,#RequestParam String email) {
user=userService.updateUser(new User(login,password,email));
return "redirect:/login";
}
#RequestMapping(params="delete",value="/login/accountsettings",method = RequestMethod.POST)
public String deleteAccount(#RequestParam String login) {
userService.deleteUser(login);
return "redirect:/posts";
}
'''
i would like to pass user data after logging in to next pages for ex /login/accountsettings or even to have user id to add post with his id as a creator of this post. After logging in everythink is okay i have complete user data but when im tring to get them in /login/accountsettings User is empty(full of null values).what am I doing wrong?
output:
enter image description here
or I have a question, is there another better way to transfer user data until logging out?
Thanks for help!
I have a AuthenticationProvider with type userDetailsService as follow:
public class CustomUDS implements UserDetailsService {
#Override
public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException, DataAccessException {
ClientDetails client=clientDetailsService.loadClientByClientId(clientId);
String password=client.getClientSecret();
boolean enabled=true;
boolean accountNonExpired=true;
boolean credentialsNonExpired=true;
boolean accountNonLocked=true;
List<GrantedAuthority> authorities=new ArrayList<GrantedAuthority>();
GrantedAuthority roleClient=new SimpleGrantedAuthority("ROLE_CLIENT");
authorities.add(roleClient);
return new User(clientId,password,enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,authorities);
}
}
when user is logged and I use follow statement to fetch user's username, it returns string value of User class:
Object object = SpringSecurityContext.getcontext().getAuthentication.getPrinciple();
object value will be string
"org.springframework.security.core.userdetails.User#db343434: Username
...."
and I could not convert return object to User or UserDetails.
now, how can I access to user's username?
So try this to get username:
UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String name = userDetails.getUsername();
I'm working REST API right now with Jersey, Spring. Which shall be accessed with an Android/iOS later.
If I have for example user settings like this #Path("/user/{userID}/settings") in a Jersey Resource. How can i ensure that every user can access his/her settings only? I have read a lot about spring-security-oauth2. But as far as i understand you can only verify that the user is really the user but not make a difference if he/she can access other users settings?!
What you need is called authorization.
Authorization can distingush level of accesses of each users.
It's major topic actually. You can use roles, permissions, ACL for securing the service.
The simplest way for solving your task is to use path /user/settings and find the authentication yourseft, like:
public Settings find() {
UserDetails customUserDetails = (CustomUserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
return setingsService.findByUser(customUserDetails.getUsername());
}
Create your CustomUserDetails:
public class CustomUserDetails implements UserDetails {
private User user;
private Collection<? extends GrantedAuthority> authorities;
public CustomUserDetails(User user) {
this.user = user;
}
public User getUser() {
return user;
}
#Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<GrantedAuthority> authorities = new ArrayList<>();
for (Authority authority : user.getAuthorities()) {
authorities.add(new SimpleGrantedAuthority(authority.getName()));
}
return authorities;
}
#Override
public String getPassword() {
return user.getPassword();
}
#Override
public String getUsername() {
return user.getUsername();
}
// implement other methods
}
And CustomUserDetailsService:
#Service
public class CustomUserDetailsService implements UserDetailsService {
#Autowired
private UserService userService;
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userService.findByUsername(username);
// check if exist
}
return new CustomUserDetails(user);
}
}
I am using Spring Security in my application. I need loggedIn user details in the controllers of my application.
For that I am using this code
User loggedInUser = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
But on running this code I get a classcastexception
java.lang.ClassCastException: org.springframework.security.core.userdetails.User cannot be cast to model.User
To fix this I referred to this article
Initially I used a CustomUserServiceDetails class
#Service("myUserDetailService")
#Transactional
public class CustomUserDetailsService implements UserDetailsService {
private static final Logger logger = Logger.getLogger(CustomUserDetailsService.class);
#Autowired
private UserDAO userDAO;
public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {
// returns the get(0) of the user list obtained from the db
User domainUser = userDAO.getUser(name);
logger.debug("User fetched from database in loadUserByUsername method " + domainUser);
Set<Role> roles = domainUser.getRole();
logger.debug("role of the user" + roles);
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
for(Role role: roles){
authorities.add(new SimpleGrantedAuthority(role.getRole()));
logger.debug("role" + role + " role.getRole()" + (role.getRole()));
}
boolean credentialNonExpired = true;
return new org.springframework.security.core.userdetails.User(domainUser.getProfileName(), domainUser.getPassword(), domainUser.isAccountEnabled(),
domainUser.isAccountNonExpired(), credentialNonExpired, domainUser.isAccountNonLocked(),authorities);
}
}
But after referring to the article I removed the setting of GrantedAuthorities from here and moved it to my User class. Implemented spring-security UserDetails class in my User class
Now I have an extra property in my User class
#Entity
#Table(name = "user")
public class User implements UserDetails {
private Collection<GrantedAuthority> authorities;
with a setMethod
public void setAuthorities(Set<Role> roles) {
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
for(Role role: roles){
authorities.add(new SimpleGrantedAuthority(role.getRole()));}
}
A. I am not sure how to map this property to the database. The existing User table schema doesn't contain a GrantedAuthority column besides It's not even a primitive type. I am using Hibernate for object mapping. Can anyone advice me the correct approach to obtain the user class info in the controllers?
B. I also considered the approach of extending the spring's User class and overloading the constructor of my User class. But then every time I initialize my User anywhere in the code I have to provide all the constructors parameters which is not good at all.
Instead of using
User loggedInUser = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
try this
Authentication loggedInUser = SecurityContextHolder.getContext().getAuthentication();
String username = loggedInUser.getName();
References:
https://www.mkyong.com/spring-security/get-current-logged-in-username-in-spring-security/
Fixed the issue
Solution
Created a CustomUserDetail class which implements Spring's UserDetails interface. Injected my model User class in it.
public class CustomUserDetail implements UserDetails{
private static final long serialVersionUID = 1L;
private User user;
Set<GrantedAuthority> authorities=null;
public User getUser() {
return user;
}
public void setUser(User user) {
this.user = user;
}
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
}
public void setAuthorities(Set<GrantedAuthority> authorities)
{
this.authorities=authorities;
}
public String getPassword() {
return user.getPassword();
}
public String getUsername() {
return user.getProfileName();
}
public boolean isAccountNonExpired() {
return user.isAccountNonExpired();
}
public boolean isAccountNonLocked() {
return user.isAccountNonLocked();
}
public boolean isCredentialsNonExpired() {
return user.isCredentialsNonExpired();
}
public boolean isEnabled() {
return user.isAccountEnabled();
}
}
CustomUserServiceDetails
public class CustomUserDetailsService implements UserDetailsService {
#Autowired
private UserDAO userDAO;
public CustomUserDetail loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {
// returns the get(0) of the user list obtained from the db
User domainUser = userDAO.getUser(name);
Set<Role> roles = domainUser.getRole();
logger.debug("role of the user" + roles);
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
for(Role role: roles){
authorities.add(new SimpleGrantedAuthority(role.getRole()));
logger.debug("role" + role + " role.getRole()" + (role.getRole()));
}
CustomUserDetail customUserDetail=new CustomUserDetail();
customUserDetail.setUser(domainUser);
customUserDetail.setAuthorities(authorities);
return customUserDetail;
}
}
In my controller method
CustomUserDetail myUserDetails = (CustomUserDetail) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
Integer userId=myUserDetails.getUser().getUserId(); //Fetch the custom property in User class
The method .getPrincipal() returns the object created and returned it in the method loadUserByUsername.
If you want an User you must return in the method loadUserByUsername an User, not an org.springframework.security.core.userdetails.User