Programming User registration in web application Java Spring MVC

Question

I am building web application where i am building the first stage with user registration and login.

I am thinking of

class User 
{
    private userid;
    private firstname
    .........
    //getters and setters
}

class UserService {

    public boolean authenticate(username, password) {}
    public addUser()
    public saveuser()
    public ConfirmEmail()
    public resetPassword()
    ......

}

I have few questions

Is my approach correct?
Also i have diff function in front end and for backend admin user, so should i put all in one class or, i have to make diff for front end and backend?
As this is the most common thing which every organisation requires, so is it possible to find it from internet so that i can see how enterprise people approach this?

score 5 · Accepted Answer · edited May 23 '17 at 11:47

First thing, I'd look at whether you can use another authentication system like Google or Facebook, or Open ID (StackOverflow uses these and more).

Secondly, I'd look into using a security framework like Spring Security.

Finally, if you want/need to do it on your own from scratch, here are some pointers

Always store passwords using a 1-way hashing mechanism e.g. SHA
Use salt when hashing your password - you should have a random salt value per password (see this SO question for it's length)
You can also have a constant application-wide salt value that is not stored next to the password
Give the users roles. This will solve your front end/back end users problem

I'm assuming you're using a database. Here's an example schema (MySQL)

CREATE TABLE users (
  id INTEGER UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT
  mail VARCHAR(255) NOT NULL,
  name VARCHAR(255) NOT NULL,
  enc_password VARCHARCHAR(64) NOT NULL,
  salt CHAR(8) NOT NULL,
  is_mail_authenticated TINYINT(1) UNSIGNED NOT NULL DEFAULT 0,
  UNIQUE KEY (mail)
) ENGINE = InnoDB;

CREATE TABLE roles (
  id INTEGER UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT
  name VARCHAR(32) NOT NULL,
  UNIQUE KEY (name)
) ENGINE = InnoDB;

CREATE TABLE users_roles (
  user_id NTEGER UNSIGNED NOT NULL,
  role_id NTEGER UNSIGNED NOT NULL,
  FOREIGN KEY (user_id) REFERENCES users (id),
  FOREIGN KEY (roel_id) REFERENCES roles (id),
) ENGINE = InnoDB;

That'll do it for a very basic user model. You'll need a tool to generate your salt. I'd use randomAlphanumeric from Apache commons lang.

You may want to add some stuff to lock user accounts after too many failed login attempts. And you may want to track the IP with which they've logged in from. This is left as an exercise to the reader :)

I added the is_mail_authenticated field to track whether the user had authenticated their mail. This is usually accomplished by clicking a link from one's email.

Mukesh Singh Rathaur · Answer 2 · 2011-02-25T09:00:37.503

0

I think, Spring provides very good approach for creating user with role assignment and authenticating the user powerfully, and also maintaining the security or your application. No need to implement whole as our own application, you can use spring security. http://static.springsource.org/spring-security/site/start-here.html

Either you can create users by your own do the authentication using above security plugins.

edited Feb 25 '11 at 09:00

answered Feb 25 '11 at 05:26

Mukesh Singh Rathaur

11,323
2
21
24

1

Please don't recommend acegi. It's just an old and deprecated version of Spring Security 2.0.x. The current version of Spring Security is 3.0.x – Sean Patrick Floyd Feb 25 '11 at 07:19
Thanks for your suggestion i have changed my answer and removed the acegi security. – Mukesh Singh Rathaur Feb 25 '11 at 09:02

Programming User registration in web application Java Spring MVC

2 Answers2