Database as a Data Source for Authentication

A database table is used as data source for the access data.

  • Name of the database table - The table name can be chosen freely, usually USER.
  • Required fields - The following data fields are obligatory:

    Required field | Data type | Explanation
    USERNAME       | String    | Saves the username as a string.
    PASSWORD       | byte[]    | Saves the password as a byte array, usually encrypted.
  • Data structure generated by RapidClipse 

    • Entities

      Attribute | Data type | Explanation
      username  | String    | Saves the username as a string.
      password  | byte[]    | Saves the password as a byte array, usually encrypted.
    • Data Access

      • UserDAO

      • RoleDAO

      • ResourceDAO

  • Additional data fields - If required, the USER table can also include other data fields; they are ignored by the authentication and do not interfere with it. Frequently used information about a user includes e-mail, status (enabled or disabled), image, time zone, last session, IP address, URL of a log file, etc.
  • Dealing with an existing USER table - If you already have a table for managing users in your database, make sure that there is an appropriate entity with a corresponding DAO in your Project Management under Entities or Data Access. If not, you can generate the missing entity and DAO with the Create JPA entities from table import function. Different table and field names are no problem because the mapping is performed later.

  1. User Entity already exists - Select your existing User entity.
     No User Entity available yet - Click New Entity... to create a new User entity, including the UserDAO DAO.
  2. Select the attribute for the username under Mapping > Username.
  3. Select the attribute for the password under Mapping > Password.
  4. Select the encryption algorithm for the password under Settings > Password hashing strategy, e.g. PBKDF2WithHmacSHA1.
  5. Click Finish.

Go to authorize

Create database table USER - A corresponding USER table has to be created in the database for the new User entity. For this, RapidClipse offers an export feature.

Options:
  • Mapping

    • Username - Selection of the attribute for the user name. 

    • Password - Selection of the attribute for the password. 

  • Password hashing strategy
    • MD5 - The message digest algorithm is a hash function that creates a 128-bit hash value from a password. However, this is no longer considered secure.

      // Example RapidClipse
      cb9086f37a2e96bd5e4507f869888261
    • SHA1 - The Secure Hash Algorithm 1 is a hash function that creates a 160-bit hash value from a password. 

      // Example RapidClipse
      64d88c018c7ced7e248e42b48593bd82c5e80ef2
    • SHA2 - The Secure Hash Algorithm 2 is the currently recommended standard for SHA that creates a 224-, 256-, 384- or 512-bit hash value from a password.

      // Example RapidClipse
      eafa795b8ffea05d1c8a7d5142bd4dd50fea3dd447f3585071e5c8b2ef525cef
    • PBKDF2WithHmacSHA1 - Combination of PBKDF2, HMAC and SHA1 which creates a 160-bit hash value. PBKDF2 (Password-Based Key Derivation Function 2) is a standardized function for deriving a key from a password and is often used for password-based authentication. HMAC (Keyed-Hash Message Authentication Code) is a Message Authentication Code (MAC) whose construction is based on a cryptographic hash function. SHA1 is a hash function that creates a 160-bit hash value from a password.

      // Example RapidClipse
      eafa795b8ffea05d1c8a7d5142bd4dd50fea3dd447f3585071e5c8b2ef525cef
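The four strategies side by side, as an added Python example that is not part of the RapidClipse documentation or framework code. It uses Python's hashlib in place of the framework's HashStrategy classes: the MD5, SHA1 and SHA2 strategies are modelled as a single unsalted digest of the password bytes (as the page's sample values suggest), and PBKDF2WithHmacSHA1 as hashlib.pbkdf2_hmac with a per-account random salt and an iteration count. The sample password, salts and iteration count are constructed for the example, so the digests printed are not the page's sample values.

```python
import hashlib
import hmac
import os

# Constructed sample password; the digests below belong to it, not to the page's examples.
SAMPLE_PASSWORD = "password"


def md5_hash(password: str) -> str:
    """MD5 strategy: one unsalted digest, 128 bits = 32 hex characters. No longer considered secure."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha1_hash(password: str) -> str:
    """SHA1 strategy: one unsalted digest, 160 bits = 40 hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha2_hash(password: str) -> str:
    """SHA2 strategy, 256-bit variant: one unsalted digest, 64 hex characters."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2WithHmacSHA1 strategy: HMAC-SHA1 iterated over password and salt, 20-byte (160-bit) output.
    The salt and iteration count are constructed parameters; both must be stored with the hash."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=20)


def pbkdf2_verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Verification recomputes the derivation with the stored salt and iteration count and
    compares in constant time; the stored value itself is never reversed."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def unsalted_strategies_collide(first: str, second: str) -> bool:
    """Without a salt, two accounts with the same password store identical values, so a
    leaked USER table reveals shared passwords and can be matched against precomputed tables."""
    return (md5_hash(first) == md5_hash(second)
            and sha1_hash(first) == sha1_hash(second)
            and sha2_hash(first) == sha2_hash(second))


def salted_strategy_differs(password: str) -> bool:
    """With a fresh random salt per account, the same password yields different stored values."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return pbkdf2_hash(password, salt_a) != pbkdf2_hash(password, salt_b)


if __name__ == "__main__":
    print("MD5    ", md5_hash(SAMPLE_PASSWORD))
    print("SHA1   ", sha1_hash(SAMPLE_PASSWORD))
    print("SHA2   ", sha2_hash(SAMPLE_PASSWORD))
    salt = os.urandom(16)
    digest = pbkdf2_hash(SAMPLE_PASSWORD, salt)
    print("PBKDF2 ", digest.hex(), "salt", salt.hex())
    print("same password, unsalted strategies collide:", unsalted_strategies_collide(SAMPLE_PASSWORD, SAMPLE_PASSWORD))
    print("same password, PBKDF2 with different salts differs:", salted_strategy_differs(SAMPLE_PASSWORD))
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, salt, 100_000, digest))
    print("verify wrong password:  ", pbkdf2_verify("Password", salt, 100_000, digest))
```

The practical difference is visible in the last four lines: the three digest strategies map a given password to one fixed value, whereas the PBKDF2 value depends on the salt and can only be checked by re-running the derivation with the stored parameters.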
Result:
  • Project Management > Entities - The User.java entity class is created with the attribute username of type String and the attribute password of type byte[]; if an existing entity was selected, that entity is used instead.

    Entity | Attribute | Data type | Explanation
    User   | username  | String    | Saves the username as a string.
    User   | password  | byte[]    | Saves the password, usually encoded as a byte array.
  • Project Management > Data Access - The UserDAO.java DAO class is generated. When an existing entity is selected, no new DAO is generated.

  • Project Management > Business Objects - The ExampleAuthenticationProvider.java class is generated.

    package com.company.example.business;
    
    import com.company.example.entities.User;
    import com.xdev.security.authentication.Authenticator;
    import com.xdev.security.authentication.AuthenticatorProvider;
    import com.xdev.security.authentication.CredentialsUsernamePassword;
    import com.xdev.security.authentication.jpa.JPAAuthenticator;
    import com.xdev.security.authentication.jpa.HashStrategy.PBKDF2WithHmacSHA1;
    
    public class ExampleAuthenticationProvider
    		implements AuthenticatorProvider<CredentialsUsernamePassword, CredentialsUsernamePassword> {
    	private static ExampleAuthenticationProvider INSTANCE;
    
    	public static ExampleAuthenticationProvider getInstance() {
    		if (INSTANCE == null) {
    			INSTANCE = new ExampleAuthenticationProvider();
    		}
    
    		return INSTANCE;
    	}
    
    	private JPAAuthenticator authenticator;
    
    	private ExampleAuthenticationProvider() {
    	}
    
    	@Override
    	public Authenticator<CredentialsUsernamePassword, CredentialsUsernamePassword> provideAuthenticator() {
    		if (this.authenticator == null) {
    			this.authenticator = new JPAAuthenticator(User.class);
    			this.authenticator.setHashStrategy(new PBKDF2WithHmacSHA1());
    		}
    
    		return this.authenticator;
    	}
    }
Example:
  • Save encrypted password

    // Plaintext from the form field; it is hashed once and never stored as entered.
    String password = this.passwordField.getValue();
    // Use the same HashStrategy the authenticator is configured with (the provider above
    // uses PBKDF2WithHmacSHA1); a different strategy here would make every login fail.
    byte[] encryptedPassword = new HashStrategy.SHA2().hashPassword(password.getBytes());
    
    User user = new User();
    user.setPassword(encryptedPassword);
    
    try {
    	new UserDAO().save(user);
    } catch (Exception e) {
    	// TODO: handle exception
    }
Note:
  • Save password and edit - Forms are commonly used for both storing and editing data. For passwords, however, you need separate forms for saving and editing. When saving, the password is written to the database table encrypted, so every read access returns the encrypted value. Saving that value again through the same form would encrypt the already encrypted password a second time and make it invalid.
  • Enter passwords in the database manually
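The note about separate save and edit forms, as an added Python example that is not part of the RapidClipse documentation or framework code. An in-memory dictionary stands in for the USER table, a hypothetical hash_password() stands in for HashStrategy.SHA2().hashPassword(byte[]), and authenticate() does what the configured authenticator does: it hashes the submitted password with the same strategy and compares the bytes. The example contrasts an edit form that leaves the stored password bytes alone with one that runs them through the hash again, and adds a dedicated password-change path; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass


def hash_password(raw: bytes) -> bytes:
    """Hypothetical stand-in for HashStrategy.SHA2().hashPassword(byte[]):
    one unsalted SHA-256 over the raw password bytes."""
    return hashlib.sha256(raw).digest()


@dataclass
class User:
    username: str
    password: bytes      # stored as byte[], exactly like the PASSWORD column
    email: str = ""


USERS = {}               # constructed in-memory stand-in for the USER table


def register(username: str, plaintext: str, email: str = "") -> User:
    """Registration form: hash the submitted password exactly once, then persist."""
    user = User(username, hash_password(plaintext.encode("utf-8")), email)
    USERS[username] = user
    return user


def authenticate(username: str, plaintext: str) -> bool:
    """What the authenticator does on login: hash the submitted password with the same
    strategy and compare it in constant time with the stored bytes."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(plaintext.encode("utf-8")), user.password)


def edit_profile(username: str, email: str) -> User:
    """Edit form done right: update other columns and leave the stored password bytes alone."""
    user = USERS[username]
    user.email = email
    return user


def edit_profile_through_registration_form(username: str, email: str) -> User:
    """The pitfall from the note: a form shared with registration pushes the value it read
    (already a hash) through hash_password() again. No plaintext maps to a hash of a hash,
    so the account can no longer log in."""
    user = USERS[username]
    user.password = hash_password(user.password)
    user.email = email
    return user


def change_password(username: str, old_plaintext: str, new_plaintext: str) -> bool:
    """Dedicated password-change form: verify the old password, then hash the new one once."""
    if not authenticate(username, old_plaintext):
        return False
    USERS[username].password = hash_password(new_plaintext.encode("utf-8"))
    return True


if __name__ == "__main__":
    register("alice", "s3cret", "alice@example.test")
    print("login after registration:", authenticate("alice", "s3cret"))
    edit_profile("alice", "alice.new@example.test")
    print("login after safe edit:   ", authenticate("alice", "s3cret"))
    edit_profile_through_registration_form("alice", "alice.other@example.test")
    print("login after double hash: ", authenticate("alice", "s3cret"))
    register("bob", "first")
    print("password change:         ", change_password("bob", "first", "second"))
    print("login with new password: ", authenticate("bob", "second"))
```

Running it prints True, True, False, True, True: the account survives a profile edit that does not touch the password column, and breaks the moment the stored hash is fed back through the hashing step.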


XDEV Software Corp. - One Embarcadero Center, San Francisco, CA 94111, US
Copyright © 2015. XDEV Software Corp. All rights reserved.