Spring Security
Sunday, August 27, 2017 11:32 AM
Spring Security provides comprehensive security services for J2EE-based enterprise software applications. It is powerful, flexible and
pluggable.
Spring Security supports mainly two operations.
1. Authentication
2. Authorization
Authentication (Prove who you say you are!) - the process of establishing a principal.
Authorization (We know who you are, but are you allowed to access what you want?) - the process of deciding whether a principal is allowed
to perform an action (e.g. the admin, leader and member roles).
DelegatingFilterProxy:
Step 1: Register springSecurityFilterChain in the war file's web.xml
-> DelegatingFilterProxy is an implementation of javax.servlet.Filter provided by the Spring Framework. It looks up a Spring bean with the
same name as the filter (here springSecurityFilterChain) and forwards every request to it.
-> Once you define DelegatingFilterProxy in web.xml, you can declare the actual beans that do the filtering in the Spring
application context.
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- fully qualified class name; "org.spring.web.filter" does not exist -->
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- "/*" matches every request; a bare "/" is the default-servlet mapping and would leave most URLs unfiltered -->
    <url-pattern>/*</url-pattern>
</filter-mapping>
Step 2: Add the Spring Security configuration file to the war file.
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <!-- auto-config="true" enables form login, HTTP basic and logout with default settings -->
    <http auto-config="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/home" access="permitAll" />
        <!-- hasRole('ADMIN') matches the authority ROLE_ADMIN; the ROLE_ prefix is added automatically -->
        <intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
        <intercept-url pattern="/dba**" access="hasRole('ADMIN') and hasRole('DBA')" />
        <form-login authentication-failure-url="/Access_Denied" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <!-- in-memory user store with plaintext passwords: fine for a demo, not for production -->
            <user-service>
                <user name="bill" password="abc123" authorities="ROLE_USER" />
                <user name="admin" password="root123" authorities="ROLE_ADMIN" />
                <user name="dba" password="root123" authorities="ROLE_ADMIN,ROLE_DBA" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
SpringSecurity Page 1
Step 3: Add the following Spring Security libraries to the project build path.
1. spring-security-config-4.X.RELEASE.jar
2. spring-security-core-4.X.RELEASE.jar
3. spring-security-web-4.X.RELEASE.jar
Graphical Representation of Filter Proxy: (diagram not reproduced)
Spring Security Architecture: (diagram not reproduced; it shows the servlet Filter chain in front of the application)
Development steps:
1. Configure DelegatingFilterProxy in web.xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Annotation approach (no web.xml entry needed; the base class registers the same springSecurityFilterChain filter for "/*" at startup):
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebAppInit extends AbstractSecurityWebApplicationInitializer {
    // empty body: the superclass does the registration
}
2. Develop spring security file
(the same Spring Security XML file shown in Step 2 above)
Annotation Approach:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory users, equivalent of <user-service>; roles("USER") stores the authority ROLE_USER.
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("abc").password("abc").roles("USER").and()
            .withUser("dba").password("dba").roles("DBA").and()
            .withUser("admin").password("admin").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // equivalent of the <intercept-url> rules; hasRole('DBA') needs both quotes
        http.authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/dba**").access("hasRole('DBA')")
                .antMatchers("/admin**").access("hasRole('ADMIN')")
            .and()
                .formLogin(); // equivalent of <form-login>; without it protected URLs just return 403
    }
}
3. Configure DispatcherServlet in web.xml
4. Develop the Spring configuration file to define the Controllers and ViewResolvers.
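The in-memory user stores above keep plaintext passwords in configuration and protect only the URLs they list. The following added example (written for these notes, not part of the original page or of Spring Security itself) shows the piece the architecture diagram calls UserDetailService: a custom UserDetailsService that returns UserDetails with granted authorities, wired into the Java configuration with a BCrypt PasswordEncoder, plus an anyRequest().authenticated() catch-all. It assumes Spring Security 4.x; the class names MapUserDetailsService and UserStoreSecurityConfig and the user records are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical user store standing in for JDBC/LDAP. This is the component the
 * AuthenticationManager delegates to when it needs UserDetails for a login.
 */
class MapUserDetailsService implements UserDetailsService {

    // username -> { bcrypt hash, comma-separated authorities }; constructed sample data
    private final Map<String, String[]> users = new HashMap<>();

    MapUserDetailsService(PasswordEncoder encoder) {
        // Hash once at startup so no plaintext password is kept in memory or config.
        users.put("bill",  new String[] { encoder.encode("abc123"),  "ROLE_USER" });
        users.put("admin", new String[] { encoder.encode("root123"), "ROLE_ADMIN" });
        users.put("dba",   new String[] { encoder.encode("root123"), "ROLE_ADMIN,ROLE_DBA" });
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] record = users.get(username);
        if (record == null) {
            // DaoAuthenticationProvider hides this exception behind a generic
            // BadCredentialsException by default, so login responses do not
            // reveal which usernames exist.
            throw new UsernameNotFoundException("No user: " + username);
        }
        // UserDetails = username, stored hash, granted authorities (the diagram's "Loads UserDetails")
        return new User(username, record[0],
                AuthorityUtils.commaSeparatedStringToAuthorityList(record[1]));
    }
}

@Configuration
@EnableWebSecurity
public class UserStoreSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // The provider calls loadUserByUsername, then checks the submitted
        // password against the stored hash with the same encoder.
        auth.userDetailsService(new MapUserDetailsService(encoder)).passwordEncoder(encoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                // "/admin/**" covers sub-paths; the notes' "/admin**" only matches
                // "/admin" and "/adminXYZ" within a single path segment.
                .antMatchers("/admin", "/admin/**").hasRole("ADMIN")
                .antMatchers("/dba", "/dba/**").access("hasRole('ADMIN') and hasRole('DBA')")
                // Catch-all: any URL not listed above still needs a login.
                // Without it, unlisted URLs are reachable anonymously.
                .anyRequest().authenticated()
            .and()
                .formLogin();
    }
}
```

The configure(AuthenticationManagerBuilder) override replaces the @Autowired configureGlobalSecurity method of the earlier example; keep one or the other. hasRole("ADMIN") is equivalent to access("hasRole('ADMIN')") and both look for the authority ROLE_ADMIN.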
Spring Security architecture diagram (not reproduced; labels recovered from the figure): a chain of Filters sits in front of the Dispatcher Servlet and its Controllers; the filters delegate to the Authentication Manager, which contains/uses a UserDetailService that loads UserDetails (User Information and Granted Authorities); the authenticated principal is held in the Security Context.