Spring Security: Authentication and Authorization

Spring Security provides authentication and authorization services for Java web applications: authentication verifies a user's identity, and authorization defines what an authenticated user is allowed to access. Developers enable it by registering a DelegatingFilterProxy in web.xml; that servlet filter hands every request to the springSecurityFilterChain bean defined in the Spring Security configuration, where the authentication and authorization rules are declared.

Spring Security

Sunday, August 27, 2017 11:32 AM

Spring Security provides comprehensive security services for Java EE-based enterprise applications. It is powerful, flexible and
pluggable: the defaults cover form login, in-memory users and URL-based access rules, and each piece (authentication provider,
user store, access rules) can be replaced without touching the others.

Spring Security mainly addresses two concerns:

1. Authentication
2. Authorization

Authentication (prove you are who you say you are) - the process of establishing a principal, i.e. verifying the identity behind a request.

Authorization (we know who you are, but are you allowed to do what you are asking?) - the process of deciding whether an authenticated
principal may perform an action or reach a resource, typically based on roles such as admin, leader or member.

DelegatingFilterProxy:

Step 1: Register springSecurityFilterChain in the war file (web.xml)

-> DelegatingFilterProxy is an implementation of javax.servlet.Filter provided by the Spring Framework (spring-web). It does no
security work itself: on each request it looks up a Spring bean whose name matches its <filter-name> (here springSecurityFilterChain)
in the root WebApplicationContext and delegates to it.

-> Once DelegatingFilterProxy is registered in web.xml, the beans that actually do the filtering (the security filter chain) are
declared in the Spring security configuration, so they can be wired, injected and tested like any other bean.

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Note the url-pattern: /* maps the filter onto every request, which is what the Spring Security reference uses. A mapping of / is
treated by containers such as Tomcat as an exact match for the root path only, so the security filter would never run for /admin
or /dba and the intercept-url rules in the next step would not be enforced at all.

Step 2: Add the Spring Security configuration file to the war file.

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<http auto-config="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/home" access="permitAll" />
<!-- "/admin/**" covers /admin and everything below it; "/admin**" matches /admin and /admin123 but NOT /admin/users -->
<intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/dba/**" access="hasRole('ADMIN') and hasRole('DBA')" />
<form-login authentication-failure-url="/Access_Denied" />
</http>

<authentication-manager>
<authentication-provider>
<user-service>
<user name="bill" password="abc123" authorities="ROLE_USER" />
<user name="admin" password="root123" authorities="ROLE_ADMIN" />
<user name="dba" password="root123" authorities="ROLE_ADMIN,ROLE_DBA" />
</user-service>
</authentication-provider>
</authentication-manager>

</beans:beans>

Points to check in this configuration:

-> intercept-url rules are evaluated top to bottom and the first match wins, so specific patterns go before broad ones. A request
that matches no rule is let through; add a final <intercept-url pattern="/**" access="isAuthenticated()" /> if you want deny-by-default.

-> In Spring Security 4, hasRole('ADMIN') automatically checks for the authority ROLE_ADMIN, so the names used in hasRole() and
the authorities attribute of <user> must agree on the ROLE_ prefix.

-> <user-service> keeps the passwords in plaintext inside the war. That is acceptable for a demo only; for anything real put a
<password-encoder hash="bcrypt" /> inside <authentication-provider> and store only the hashes.

-> authentication-failure-url is where a failed login attempt is sent. It is not the access-denied page, which is configured
separately with <access-denied-handler error-page="..." /> inside <http>.

Step 3: Add the following Spring Security libraries to the project build path (together with the matching Spring Framework jars;
DelegatingFilterProxy itself comes from spring-web).

1. spring-security-config-4.X.RELEASE.jar
2. spring-security-core-4.X.RELEASE.jar
3. spring-security-web-4.X.RELEASE.jar

Graphical Representation of Filter Proxy:

[figure not reproduced in this text export]

Spring Security Architecture:

[figure not reproduced in this text export; only the label "Filter" survived extraction]
Development steps:

1. Configure DelegatingFilterProxy in web.xml

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Annotation approach (Servlet 3.0+, no web.xml entry needed): subclassing AbstractSecurityWebApplicationInitializer registers the
same DelegatingFilterProxy under the name springSecurityFilterChain, mapped to /*, when the container starts.

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebAppInit extends AbstractSecurityWebApplicationInitializer {
}
2. Develop the Spring Security configuration file (the same XML shown in Step 2 above)

Annotation Approach:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Same in-memory users as the XML <user-service>; roles("USER") stores ROLE_USER, which is
    // what hasRole('USER') checks. Plaintext passwords are for the demo only (Spring Security 5
    // refuses them unless prefixed with {noop} or a PasswordEncoder is configured).
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("abc").password("abc").roles("USER").and()
            .withUser("dba").password("dba").roles("DBA").and()
            .withUser("admin").password("admin").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                // "/dba/**" covers /dba and everything below it; "/dba**" would not match /dba/backup
                .antMatchers("/dba/**").access("hasRole('DBA')")
                .antMatchers("/admin/**").access("hasRole('ADMIN')")
            .and()
            // overriding configure(HttpSecurity) drops the adapter's defaults, so re-enable form login
            .formLogin();
    }
}

3. Configure DispatcherServlet in web.xml

4. Develop the Spring MVC configuration file that defines the Controllers and ViewResolvers.

Spring Security Architecture (diagram; labels recovered from the image: Filter, Filter, Filter, Dispatcher Servlet, Controller x3,
Authentication Manager, Security Context, Delegates, Contains, UserDetailService, User Information, Loads UserDetails,
Granted Authorities):

[Diagram: a request passes through the chain of security filters before it reaches the DispatcherServlet and the Controllers.
The filters delegate authentication to the AuthenticationManager and store the result in the SecurityContext; the
AuthenticationManager in turn delegates to a UserDetailsService, which loads the UserDetails (user information plus
GrantedAuthorities) that the authorization rules are evaluated against.]
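The bottom of the diagram, AuthenticationManager delegating to a UserDetailsService that loads UserDetails carrying GrantedAuthorities, is the seam where the in-memory <user-service> of the examples above gets replaced in a real application. The class below is an added example of that contract, not code from the notes or from Spring: a hypothetical MapUserDetailsService holding constructed sample accounts, storing BCrypt hashes instead of the plaintext passwords used above (a real implementation would look the account up in a database). It assumes Spring Security 4.x; BCryptPasswordEncoder ships inside spring-security-core.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical user store (added example, not part of the notes). It holds BCrypt hashes only.
 * The AuthenticationManager's DaoAuthenticationProvider calls loadUserByUsername() and then
 * compares the submitted password against the stored hash with the same PasswordEncoder.
 */
public class MapUserDetailsService implements UserDetailsService {

    private static final class Account {
        final String passwordHash;
        final String[] authorities;

        Account(String passwordHash, String[] authorities) {
            this.passwordHash = passwordHash;
            this.authorities = authorities;
        }
    }

    // Strength 12 means 2^12 rounds; raise it as hardware gets faster.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder(12);
    private final Map<String, Account> accounts = new HashMap<>();

    public MapUserDetailsService() {
        // Constructed sample accounts mirroring the <user-service> entries above. The raw
        // passwords exist only here, at startup, and are hashed before being stored.
        register("bill", "abc123", "ROLE_USER");
        register("admin", "root123", "ROLE_ADMIN");
        register("dba", "root123", "ROLE_ADMIN", "ROLE_DBA");
    }

    public void register(String username, String rawPassword, String... authorities) {
        accounts.put(username, new Account(encoder.encode(rawPassword), authorities));
    }

    /** The PasswordEncoder the AuthenticationManager must be configured with. */
    public PasswordEncoder passwordEncoder() {
        return encoder;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.get(username);
        if (account == null) {
            // DaoAuthenticationProvider (hideUserNotFoundExceptions=true by default) turns this
            // into a generic BadCredentialsException, so the login form cannot be used to
            // enumerate which usernames exist.
            throw new UsernameNotFoundException("no such user");
        }
        // The GrantedAuthorities returned here are what hasRole('ADMIN') etc. are checked against.
        return new User(username, account.passwordHash,
                AuthorityUtils.createAuthorityList(account.authorities));
    }
}

// Wiring into the SecurityConfig above, replacing inMemoryAuthentication():
//
//   @Autowired
//   public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
//       MapUserDetailsService users = new MapUserDetailsService();
//       auth.userDetailsService(users).passwordEncoder(users.passwordEncoder());
//   }
```

The encoder is registered together with the UserDetailsService so that the provider calls encoder.matches(submitted, storedHash) instead of comparing strings; if the encoder were left out, the BCrypt hashes in the store would never match a submitted password and every login would fail closed.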
