I’m building a web application using Stripes and Spring. It needs to have a login/authentication feature. Right now I store user information separate from user credentials in the database. My User model does not contain the credentials as I don’t want to be passing around valuable passwords.

Spring manages all of my DAO’s.

Now, I am implementing a non-container based security system. I store the sha-2 hash of the password and perform a comparison on the password that was submitted in the form against what is stored in the database. This comparison has been tested and works. I’m trying to figure out how to wire this thing together. Right now I have a LoginActionBean that catches the login requests and uses a “PasswordService” singleton that uses a UserDAO internally to retrieve credentials and perform comparison against the parameters submitted. My spring bean is:

<bean id="passwordSerivce" class="com.example.store.authentication.PasswordService" factory-method="getInstance">
    <property name="userDAO" ref="userDAO"/>
</bean>

But it then the PasswordService singleton needs a:

public void setUserDAO(UserDAO userDAO) { ...}

method which doesn’t really make sense in a singleton (UserDAO is an interface).

I’m looking for a proper design. I’ve read that ServiceLocators are the very reason Spring was invented. Any thoughts?

I’d also like to know how else I can design this. I have an ActionBean that is called when the user clicks “Login”, but how do I actually authenticate. Do I inject the authentication service into the bean? Do i create a singleton that anyone can call? Do I have a generic interface that the LoginAcionBean uses which Spring injects? If I wasn’t using Spring, how would it be done?