Database as data source for authentication

This continues the Wizard to create an Authentication Provider

A database table is used as the data source for the access data.

  • Name of the entity - The entity name can be freely chosen, usually User.

  • Mandatory fields - The following data fields must be present:

    Mandatory field   Data type   Explanation
    Username          String      Saves the user name as a string.
    Password          byte[]      Saves the password as a byte array. The value stored is a hash produced by the selected password hashing strategy, not the password itself and not an encrypted (reversible) form of it.

  • Data structure generated by RapidClipse.

    • Entity

      • User

        Attribute   Data type   Explanation
        username    String      Saves the user name as a string.
        password    byte[]      Saves the password as a byte array, as a hash produced by the selected password hashing strategy.

    • Data Access

      • UserDAO

  • Other data fields - The USER table can also contain other data fields if required, as these are not relevant for authentication. Frequently required information about a user includes email, status (enabled or disabled), photo, time zone, last session, IP address, URL to a log file, etc.

    • Dealing with existing USER table - If a table for managing users already exists in your database, make sure that a corresponding entity with associated DAO exists for it in your Project Management under Entities or Data Access. If not, you can import the missing entity and DAO with the import function Create JPA entities from table. Different table and data field names are not a problem due to the mapping performed later.

Wizard

1. User Entity

  1. Select or create User Entity

    1. User Entity already exists - Select your existing User entity.

    2. No User Entity exists yet - Click on New Entity… to create a new entity User including DAO UserDAO.

  2. At Mapping > Username, select the attribute for the user name.

  3. Select the attribute for the password at Mapping > Password.

  4. At Settings > Password hashing strategy select the hashing algorithm for the password, e.g. PBKDF2WithHmacSHA1. Passwords are hashed, not encrypted: the stored value cannot be turned back into the password, and at login the entered password is hashed with the same strategy and compared.

  5. Click Finish.


If the entity User was newly generated by the wizard, a corresponding table USER does not exist yet and must be created in the database. RapidClipse offers an export function for this purpose.

Options

  • Mapping

    • Username - selection of the attribute for the user name.

    • Password - selection of the attribute for the password.

  • Settings

    • Password hashing strategy

      • MD5 - Message Digest Algorithm 5 is a hash function that generates a 128-bit hash value from a password. It is cryptographically broken and no longer considered secure; as a fast, unsalted digest it should not be used for new password storage.

        // Example RapidClipse
        cb9086f37a2e96bd5e4507f869888261
      • SHA1 - Secure Hash Algorithm 1 is a hash function that generates a 160-bit hash value from a password. Practical collision attacks against SHA1 have been demonstrated, and as a fast, unsalted digest it is no better than MD5 for password storage.

        // Example RapidClipse
        64d88c018c7ced7e248e42b48593bd82c5e80ef2
      • SHA2 - Secure Hash Algorithm 2 is the current SHA standard; its variants generate 224-, 256-, 384- or 512-bit hash values. The RapidClipse example below is a 256-bit (SHA-256) value. SHA2 is sound as a hash function, but applied as a single digest it adds no salt and no work factor: the same password always yields the same stored value (which is why a fixed example value can be printed here at all), so identical passwords are recognisable in the table and offline guessing runs at hardware speed.

        // Example RapidClipse
        eafa795b8ffea05d1c8a7d5142bd4dd50fea3dd447f3585071e5c8b2ef525cef
      • PBKDF2WithHmacSHA1 - PBKDF2 (Password-Based Key Derivation Function 2) is a standardized function for deriving a key from a password and is widely used for password-based authentication; here it uses HMAC (Keyed-Hash Message Authentication Code, a MAC built on a cryptographic hash function) with SHA1 as its pseudorandom function. Unlike the three digests above it is designed for passwords: a per-password salt and an iteration count (work factor) enter the computation, so identical passwords produce different stored values and every guess costs the attacker the full iteration count. The derived key length is a parameter; 160 bits corresponds to one HMAC-SHA1 output. The known collision weakness of SHA1 does not affect its use inside HMAC and PBKDF2. Because the output depends on the random salt, there is no single fixed example value as for the digests above. This is the strategy to choose for new projects and the one the generated provider uses (PasswordHasher.Pbkdf2withHmacSha1()).
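The following is an added example using only the JDK, not RapidClipse code, to make the difference between the four strategies visible: the three digests are deterministic and unsalted, while PBKDF2WithHmacSHA1 mixes in a random salt and an iteration count and therefore has to store the salt alongside the derived key. Salt size, iteration count, key length and the salt-plus-key storage layout are this example's own choices; RapidClipse's internal parameters are not stated on this page and may differ.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (plain JDK, no RapidClipse classes). Contrasts unsalted digests
 * (MD5 / SHA-1 / SHA-256) with PBKDF2-HMAC-SHA1 using a per-password salt.
 * All parameters below are this example's own assumptions, not RapidClipse defaults.
 */
public class PasswordHashingDemo
{
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 600_000; // illustrative work factor; follow current guidance in production
    private static final int KEY_BITS   = 160;     // one HMAC-SHA1 output block

    private static final SecureRandom RNG = new SecureRandom();

    /** Single unsalted digest, as the MD5 / SHA1 / SHA2 strategies produce. Same input, same output, always. */
    static byte[] plainDigest(final String algorithm, final String password) throws Exception
    {
        return MessageDigest.getInstance(algorithm).digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** PBKDF2-HMAC-SHA1 over the given salt; returns salt || derivedKey so one byte[] column can hold both. */
    static byte[] pbkdf2(final char[] password, final byte[] salt) throws Exception
    {
        final PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try
        {
            final byte[] dk  = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
            final byte[] out = new byte[salt.length + dk.length];
            System.arraycopy(salt, 0, out, 0, salt.length);
            System.arraycopy(dk, 0, out, salt.length, dk.length);
            return out;
        }
        finally
        {
            spec.clearPassword(); // do not leave the plaintext lying around in the spec
        }
    }

    /** Fresh random salt per call: hashing the same password twice gives two different stored values. */
    static byte[] hashPassword(final char[] password) throws Exception
    {
        final byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return pbkdf2(password, salt);
    }

    /** Re-derive with the salt taken from the stored value and compare in constant time. */
    static boolean validatePassword(final char[] password, final byte[] stored) throws Exception
    {
        final byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        return MessageDigest.isEqual(pbkdf2(password, salt), stored);
    }

    static String hex(final byte[] bytes)
    {
        final StringBuilder sb = new StringBuilder();
        for(final byte b : bytes)
        {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(final String[] args) throws Exception
    {
        final String password = "correct horse battery staple"; // constructed sample input

        // Unsalted digests: a pure function of the password. Two users with the same password share one
        // stored value, and a precomputed table reverses it without touching the database again.
        for(final String alg : new String[]{"MD5", "SHA-1", "SHA-256"})
        {
            System.out.println(alg + ": " + hex(plainDigest(alg, password)));
        }

        // PBKDF2 with a random salt: the two stored values differ, yet both validate the same password,
        // and a wrong password is rejected.
        final byte[] stored1 = hashPassword(password.toCharArray());
        final byte[] stored2 = hashPassword(password.toCharArray());
        System.out.println("pbkdf2 #1: " + hex(stored1));
        System.out.println("pbkdf2 #2: " + hex(stored2));
        System.out.println("identical stored values? " + Arrays.equals(stored1, stored2));
        System.out.println("correct password validates? " + validatePassword(password.toCharArray(), stored1));
        System.out.println("wrong password validates?   " + validatePassword("Tr0ub4dor&3".toCharArray(), stored1));
    }
}
```

Run it twice and the three digest lines are identical between runs while the PBKDF2 lines change every time; that difference is exactly what makes the stored value of an unsalted strategy attackable with precomputed tables.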

Result

  • Project Management > main-java > domain - The entity class User.java with the attributes username of type String and password of type byte[] is generated, or, if an existing entity was selected, that entity is used instead.

    Entity   Attribute   Data type   Explanation
    User     username    String      Saves the user name as a string.
             password    byte[]      Saves the password as a byte array, as a hash produced by the selected password hashing strategy.

  • Project Management > main-java > dal - The DAO class UserDAO.java is generated. If an already existing entity is selected, no new DAO will be generated.

  • Project Management > main-java - A new AuthenticationProvider class is generated.

    package com.company.demoproj;
    
    import com.company.demoproj.domain.User;
    import com.rapidclipse.framework.security.authentication.Authenticator;
    import com.rapidclipse.framework.security.authentication.AuthenticatorProvider;
    import com.rapidclipse.framework.security.authentication.CredentialsUsernamePassword;
    import com.rapidclipse.framework.security.util.PasswordHasher;
    import com.rapidclipse.framework.server.security.authentication.jpa.JPAAuthenticator;
    
    
    // Generated by the wizard: accepts username/password credentials and delegates the lookup
    // against the USER table to a JPAAuthenticator bound to the User entity.
    public class MyAuthenticationProvider
        implements AuthenticatorProvider<CredentialsUsernamePassword, CredentialsUsernamePassword>
    {
        // Lazy, thread-safe singleton: the JVM initializes the holder class on first access.
        private static class InitializationOnDemandHolder
        {
            final static MyAuthenticationProvider INSTANCE = new MyAuthenticationProvider();
        }
    
        public static MyAuthenticationProvider getInstance()
        {
            return InitializationOnDemandHolder.INSTANCE;
        }
    
        // The strategy selected in the wizard. It must be the same one used when the stored hashes were
        // written: changing it later invalidates every existing password, and every form that saves a
        // password must hash with exactly this instance (see getPasswordHasher()).
        private final PasswordHasher passwordHasher = PasswordHasher.Pbkdf2withHmacSha1();
        private JPAAuthenticator     authenticator;
    
        private MyAuthenticationProvider()
        {
        }
    
        @Override
        public Authenticator<CredentialsUsernamePassword, CredentialsUsernamePassword> provideAuthenticator()
        {
            // Created on first use. The check is not synchronized; two threads racing here would at worst
            // construct two equivalent authenticators, which is harmless.
            if(this.authenticator == null)
            {
                this.authenticator = new JPAAuthenticator(User.class);
                this.authenticator.setPasswordHasher(getPasswordHasher());
            }
    
            return this.authenticator;
        }
    
        // Exposed so that code which stores a password hashes it with the same strategy the login uses.
        public PasswordHasher getPasswordHasher()
        {
            return this.passwordHasher;
        }
    }

Note

Save and edit password - Forms are commonly used for both saving and editing data. For the password, however, saving and editing need separate handling. When a user is saved, the password is written to the table as a hash, so reading the record back always yields the hash, never the password. Running that value through the save path again would hash the already hashed value a second time; the stored value would then no longer match the hash of the real password and the user could not log in. An edit form must therefore leave the stored hash untouched and only hash and write a new value when a new password was actually entered.

Example: Save password hashed.

    // Plaintext from the form field; it is only held in memory and never written to the table as-is.
    final String         password          = this.passwordField.getValue();
    // Use the same hasher the AuthenticationProvider checks against at login; hashing with a different
    // strategy here would make the stored value unverifiable.
    final PasswordHasher passwordHasher    = MyAuthenticationProvider.getInstance().getPasswordHasher();
    // getBytes() uses the platform default charset; the login side must turn the entered password into
    // bytes the same way, otherwise non-ASCII passwords fail to verify.
    final byte[]         hashedPassword    = passwordHasher.hashPassword(password.getBytes());

    final User user = new User();
    user.setPassword(hashedPassword);

    new UserDAO().save(user);
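Added example of keeping the two paths apart, written for this page and not part of RapidClipse or the generated project. It assumes the User entity and UserDAO generated above (with the usual getters and setters for username and password, UserDAO in package com.company.demoproj.dal), the MyAuthenticationProvider shown above, that UserDAO.save() also accepts an already persisted entity, and that the login path encodes the entered password as UTF-8 (the encodings on both sides must match).

```java
package com.company.demoproj;

import java.nio.charset.StandardCharsets;

import com.company.demoproj.dal.UserDAO;
import com.company.demoproj.domain.User;
import com.rapidclipse.framework.security.util.PasswordHasher;

/**
 * Added example, not generated by RapidClipse. The "save" path always hashes the entered
 * password; the "edit" path only hashes when a new password was typed and otherwise carries
 * the stored hash over untouched, so a hash is never hashed a second time.
 * Assumptions: User/UserDAO as generated on this page, UserDAO.save() accepting an existing
 * entity, and UTF-8 as the encoding the login side uses for the entered password.
 */
public final class UserPasswordHandling
{
    private UserPasswordHandling()
    {
    }

    /** Hashes an entered password with exactly the strategy the authenticator verifies against. */
    static byte[] hash(final String plaintext)
    {
        final PasswordHasher hasher = MyAuthenticationProvider.getInstance().getPasswordHasher();
        return hasher.hashPassword(plaintext.getBytes(StandardCharsets.UTF_8)); // encoding assumed to match login
    }

    /** Save form: a new user always arrives with a plaintext password, so it is always hashed. */
    public static User createUser(final String username, final String plaintextPassword)
    {
        if(plaintextPassword == null || plaintextPassword.isEmpty())
        {
            throw new IllegalArgumentException("a password is required for a new user");
        }
        final User user = new User();
        user.setUsername(username);
        user.setPassword(hash(plaintextPassword));
        new UserDAO().save(user);
        return user;
    }

    /**
     * Edit form: the password field is not bound to the entity and stays empty unless the operator
     * types a new password. Only then is the column overwritten. Never pass user.getPassword() into
     * hash(): that re-hashes the stored hash and locks the user out.
     */
    public static User updateUser(final User user, final String username, final String newPlaintextOrEmpty)
    {
        user.setUsername(username);
        if(newPlaintextOrEmpty != null && !newPlaintextOrEmpty.isEmpty())
        {
            user.setPassword(hash(newPlaintextOrEmpty));
        }
        new UserDAO().save(user);
        return user;
    }
}
```

In the edit form, bind every attribute except password to the entity and route the password field through updateUser(); that way the generated binder never copies the byte[] column into a text field and back.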