Friday 7 December 2012

Getting Started With Spring Security

Posted by Naveen Katiyar at 10:49


Spring Security is a framework that handles authentication and authorization, including role-based access control, for Java web applications. It integrates with the Spring IoC container, so the security components are wired in with the same dependency injection used for the rest of the application.
Some of the facilities Spring Security provides:
  • User authentication and authorization.
  • Role-based access control.
  • Authentication and authorization against a database.
  • Hashed password storage.
  • Form-based login.
  • User details held in the configuration file (an in-memory user service).
  • and more.
This tutorial shows how to configure Spring Security in a Spring MVC web application so that an MVC page cannot be reached without logging in. We take a small Spring MVC application and configure Spring Security to protect one page from anonymous access.
Tools used :
  • Spring MVC 3.0.3
  • Spring Security 3.0.5
  • Eclipse Indigo 3.7
  • Tomcat 6
  • Jdk 1.6
To follow the example you need prior knowledge of Spring MVC. If you do not know the basics of Spring MVC, go to our Spring MVC Tutorial first.

The example application has a welcome page served by Spring MVC. We configure Spring Security so that this welcome page is protected: a user has to authenticate before seeing it.

Configuring web.xml for Spring Security  




In web.xml, Spring MVC's DispatcherServlet is mapped to the URL pattern "*.htm". To enable Spring Security we do the following:
  1. Register the org.springframework.web.filter.DelegatingFilterProxy filter in web.xml under the name springSecurityFilterChain. The filter itself contains no security logic: it delegates every request to the Spring bean of the same name, which is the filter chain that the security namespace builds from spring-security.xml. If the filter name differs from the bean name, the proxy fails at startup.
  2. Map the filter to the URL pattern "/*". That way every request passes through the filter chain, which can authenticate the user and apply the access rules for the pages we mark as secured with Spring Security.
  3. Register the org.springframework.web.context.ContextLoaderListener listener provided by Spring, which creates the root application context at server startup and loads the security configuration into it.
Creating home page (index.jsp)

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<jsp:forward page="/welcome.htm"></jsp:forward>




Creating welcome page (welcome.jsp)


<%@ page session="true" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Configuring Spring Security 3 - This is a secure page</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <body>
        <h1>Welcome!</h1><br />
        <%-- c:out HTML-escapes the value; a bare ${HelloMessage} would not --%>
        <c:out value="${HelloMessage}" /><br />
    </body>
</html>

Our welcome page is very simple: it only shows a message held in the model, which the controller puts there. Note that bare ${...} EL output is not HTML-escaped, so anything that could originate from a user should be written with <c:out>, which escapes it; here the message is a constant set by the controller.

Creating Welcome Controller class (WelcomeController.java)  



package com.naveen.actions;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class WelcomeController {

    // Handles GET /welcome.htm: the DispatcherServlet is mapped to *.htm and the
    // default suffix-pattern matching lets "/welcome" match "/welcome.htm".
    // The request only reaches this method after the security filter chain
    // has accepted it.
    @RequestMapping(value = "/welcome", method = RequestMethod.GET)
    public ModelAndView sayHello() {
        // view name "welcome" is resolved to /WEB-INF/jsp/welcome.jsp by the view resolver
        ModelAndView mv = new ModelAndView("welcome");
        mv.addObject("HelloMessage", "Hello World from Spring Security application.");
        return mv;
    }
}


As you can see, annotation-driven configuration marks WelcomeController as a controller, and the sayHello method handles GET requests for /welcome (reached as /welcome.htm through the DispatcherServlet mapping).

Spring Security Configuration File (spring-security.xml)

Next we create the Spring Security configuration file, which defines the security constraints applied to the application. There are several new elements in this file; they are explained one by one below.


<?xml version="1.0" encoding="UTF-8"?>
<!--
- Application context containing authentication, channel
- security and web URI beans.
-
- Only used by "filter" artifact.
-
-->

<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- auto-config="true" is shorthand for <form-login/>, <http-basic/> and <logout/> -->
    <http realm="Project Realm" auto-config="true">
        <!-- every URL requires the ROLE_ADMIN authority -->
        <intercept-url pattern="/**" access="ROLE_ADMIN"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- unsalted MD5; the stored value is MD5("admin") -->
            <password-encoder hash="md5"/>
            <user-service>
                <user name="admin" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>


  1. The <http/> element holds the web security settings: access constraints for URL patterns, the login page and login processing, remember-me, session-level settings and so on. auto-config="true" is shorthand for <form-login/>, <http-basic/> and <logout/>, so besides the login form it also switches on HTTP Basic authentication. Here we use only one rule, <intercept-url pattern="/**" access="ROLE_ADMIN"/>. <intercept-url/> names the URL patterns to secure and the roles allowed to reach them. In our example every URL pattern is secured and only a user holding ROLE_ADMIN can access the pages.
  2. <authentication-manager/> defines how users are authenticated; the outcome decides whether a user may access a page.
  3. <authentication-provider/> supplies the usernames, passwords and authorities. This could be a database table; here a single user is hard-coded. The password is stored as an unsalted MD5 hash (21232f297a57a5a743894a0e4a801fc3 is MD5 of the string "admin"). That is acceptable for a demo but not for real credentials: an unsalted MD5 of a common password is recovered from a lookup table in seconds. Spring Security 3.0 also offers hash="sha-256" together with a <salt-source/>, and later releases add bcrypt.
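The same file with the weak settings replaced, as an added example that is not part of the original post. It stays inside the Spring Security 3.0 namespace the post uses: auto-config is expanded so that HTTP Basic is not silently enabled, the access rule becomes an expression and requires TLS, logout and session handling are made explicit, and unsalted MD5 is replaced by SHA-256 salted with the username. The password value has to be generated rather than copied: with a username salt, ShaPasswordEncoder hashes the string admin{admin} (the password followed by the salt in braces), which new ShaPasswordEncoder(256).encodePassword("admin", "admin") from org.springframework.security.authentication.encoding produces as hex. The placeholder in the listing is deliberately not a valid hash.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- auto-config="true" expands to form-login + http-basic + logout. Declaring the
         pieces explicitly keeps HTTP Basic (credentials resent on every request) off. -->
    <http use-expressions="true">
        <!-- Every URL needs ROLE_ADMIN and must arrive over TLS. A plain-http request is
             redirected to https before the login form is ever shown, so the password
             is never posted in clear. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
        <form-login/>
        <logout logout-success-url="/" invalidate-session="true"/>
        <!-- migrateSession is the 3.0 default; stated here so it is not lost by accident -->
        <session-management session-fixation-protection="migrateSession">
            <!-- one active session per user; a second login expires the first -->
            <concurrency-control max-sessions="1"/>
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- SHA-256 over the string password{username} instead of unsalted MD5 -->
            <password-encoder hash="sha-256">
                <salt-source user-property="username"/>
            </password-encoder>
            <user-service>
                <!-- PLACEHOLDER (assumption, not a real hash): replace with the hex
                     SHA-256 of "admin{admin}" as produced by ShaPasswordEncoder. -->
                <user name="admin" password="REPLACE_WITH_SHA256_OF_admin{admin}" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>
```

Two things to check before running this: requires-channel="https" redirects using Spring Security's default port mapping (8080 to 8443, 80 to 443), so the Tomcat HTTPS connector must listen on the mapped port; and <concurrency-control/> only learns about session expiry if org.springframework.security.web.session.HttpSessionEventPublisher is registered as a listener in web.xml.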
Spring Configuration File (spring-servlet.xml) 

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <!-- finds @Controller classes; narrow the base package (e.g. com.naveen.actions)
         in a real project so unrelated classes on the classpath are not picked up -->
    <context:component-scan base-package="com" />
    <!-- enables @RequestMapping handling -->
    <mvc:annotation-driven />

    <!-- view name "welcome" becomes /WEB-INF/jsp/welcome.jsp -->
    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>

</beans>


That’s All Folks

The application is complete. Run it in Eclipse (Alt + Shift + X, R). The first request is redirected to a login page.

You may wonder where this login page came from, since we have not created one. It is generated by Spring Security: with form login enabled and no login-page attribute, the framework serves its own form at /spring_security_login, which posts the j_username and j_password fields to /j_spring_security_check. Log in as admin with password admin (the MD5 value stored above is MD5 of "admin") to reach the welcome page.

We will learn in another example how to customize the login form.
