Spring 6 Simplified: Creating Custom User Authentication with Spring Security And PostgreSQL By KodeSrc

Building Custom User Authentication with Spring Security and PostgreSQL in Spring 6

Securing your application is no longer just an optional feature—it’s a necessity. With cyber threats on the rise, ensuring the safety of your user data and restricting access to authorized users is paramount. Spring Security, the industry-leading security framework, simplifies the task of integrating authentication and authorization into Java applications. And when paired with the power of PostgreSQL, you get a secure and scalable foundation for managing user credentials and roles.

In this comprehensive, step-by-step guide, you’ll learn how to use Spring Security with PostgreSQL in Spring 6 to implement a fully customized user authentication system. Whether you're a beginner or looking to fine-tune your existing security setup, this guide will walk you through every aspect with clear explanations, optimized configurations, and code examples.

Table of contents:

• Introduction
• Why Choose Spring Security and PostgreSQL?

• Getting Started with the Setup

• Step 1: Create a New Spring Boot Project
• Step 2: Configure PostgreSQL

• Implementing Custom User Authentication

• Step 3: Define the User Entity
• Step 4: Create a User Repository
• Step 5: Implement Custom UserDetails
• Step 6: Build a Custom UserDetailsService
• Step 7: Configure Spring Security
• Testing and Next Steps
• Conclusion

---

Why Choose Spring Security and PostgreSQL?

The Power of Spring Security

Spring Security provides a robust and flexible way to secure your applications, offering features like:

• Authentication and Authorization: Simplify user login and control access based on roles.
• Customizability: Create bespoke authentication flows to fit unique business requirements.
• Protection: Guard against common vulnerabilities like CSRF, XSS, and session fixation attacks.

The Reliability of PostgreSQL

PostgreSQL complements Spring Security perfectly by:

• Storing and managing user data efficiently.
• Supporting scalability and reliability for production-ready applications.
• Providing advanced features like JSON support, which enables storing complex role structures.

Together, Spring Security and PostgreSQL offer a secure and scalable system tailored for modern web applications.

---

Getting Started with the Setup

Step 1: Create a New Spring Boot Project

Visit Spring Initializr and set up a project with the following dependencies:

• Spring Security
• Spring Data JPA
• Spring Web
• PostgreSQL Driver

Alternatively, add these dependencies to your pom.xml:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
    </dependency>
</dependencies>

---

Step 2: Configure PostgreSQL

To integrate PostgreSQL, configure your application.properties file:

spring.datasource.url=jdbc:postgresql://localhost:5432/your_database_name
spring.datasource.username=your_database_username
spring.datasource.password=your_database_password
spring.jpa.hibernate.ddl-auto=update

Replace your_database_name, your_database_username, and your_database_password with your PostgreSQL credentials.

---

Implementing Custom User Authentication

Step 3: Define the User Entity

Create an entity to map the users table in PostgreSQL.

import jakarta.persistence.*;

@Entity
@Table(name = "users")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false, unique = true)
    private String username;

    @Column(nullable = false)
    private String password;

    private boolean enabled;

    @Column(nullable = false)
    private String roles; // Example: "ROLE_USER,ROLE_ADMIN"

    // Getters and setters
}

This table will hold user details such as username, password, and roles.

---

Step 4: Create a User Repository

Use Spring Data JPA to create a repository for accessing and managing user data.

import org.springframework.data.jpa.repository.JpaRepository;
import java.util.Optional;

public interface UserRepository extends JpaRepository<User, Long> {
    Optional<User> findByUsername(String username);
}

---

Step 5: Implement Custom UserDetails

Map your User entity to Spring Security’s UserDetails interface.

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class CustomUserDetails implements UserDetails {

    private final User user;

    public CustomUserDetails(User user) {
        this.user = user;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return Stream.of(user.getRoles().split(","))
                     .map(SimpleGrantedAuthority::new)
                     .collect(Collectors.toList());
    }

    @Override
    public String getPassword() {
        return user.getPassword();
    }

    @Override
    public String getUsername() {
        return user.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return user.isEnabled();
    }
}

---

Step 6: Build a Custom UserDetailsService

Use the UserRepository to fetch user details for authentication.

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {

    private final UserRepository userRepository;

    public CustomUserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return userRepository.findByUsername(username)
                             .map(CustomUserDetails::new)
                             .orElseThrow(() -> new UsernameNotFoundException("User not found: " + username));
    }
}

---

Step 7: Configure Spring Security

Set up the security configuration using the modern SecurityFilterChain approach in Spring 6.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    private final CustomUserDetailsService userDetailsService;

    public SecurityConfig(CustomUserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/register").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin()
            .and()
            .logout().permitAll();

        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}

---

Testing and Next Steps

Test the system by adding sample users to PostgreSQL and logging in with their credentials. Once verified, you can extend the functionality with:

• JWT Authentication for APIs.
• OAuth2 for third-party login options.
• Advanced Role-Based Access Control.

---

Conclusion

Combining Spring Security with PostgreSQL in Spring 6 allows you to build a secure, scalable, and customizable user authentication system. This integration ensures your application is well-protected while offering flexibility to adapt to growing needs.

Now that you have a robust foundation, take it further—explore advanced configurations, experiment with new features, and make your application truly secure and user-friendly. Your users will thank you for it!

Also see: How Spring Security Filters Works Internally and Some Real Life Use cases here.