Spring Security Quickstart

Security sounds like a big word. That’s because it is. Security is one of the most complex areas in web application development, but we are just going to cover the basics here. Tip of the iceberg type stuff. However, understanding the basics is fundamental to moving forward and you would be surprised by just how easy it is to get started.

Most applications have some sort of login page and authentication system. So let’s see how to set that up fast. We will start by manually populating the database with users and their roles. Then we will configure a Spring Security context by creating a new XML configuration file, and finally we will add a filter and filter mapping to the web.xml file. Sounds easy? It is.

1. Add Spring Security dependencies to your pom.xml

<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>3.0.5.RELEASE</version>
</dependency>
<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>3.0.5.RELEASE</version>
</dependency>
<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>3.0.5.RELEASE</version>
</dependency>

2. Manually populate the database with users and roles

Before setting up an authentication system, we need to create some users and roles:
username/password
jane/fatcat (roles: user, admin)
billy/bigcow (roles: user)
alice/wonderland (roles: user)

Start the HSQLDB Database Manager and enter the following:
(in case you forgot how to start the DB manager, refer to HSQLDB database set up in 60 seconds)

SET IGNORECASE TRUE;

CREATE TABLE users (
username VARCHAR(50) NOT NULL PRIMARY KEY,
password VARCHAR(50) NOT NULL,
enabled BIT NOT NULL
);

CREATE TABLE authorities (
username VARCHAR(50) NOT NULL,
authority VARCHAR(50) NOT NULL
);
CREATE UNIQUE INDEX ix_auth_username ON authorities (username, authority);

ALTER TABLE authorities ADD CONSTRAINT fk_authorities_users foreign key (username) REFERENCES users(username);

INSERT INTO users VALUES ('jane', 'fatcat', true);
INSERT INTO users VALUES ('billy', 'bigcow', true);
INSERT INTO users VALUES ('alice', 'wonderland', true);

INSERT INTO authorities VALUES ('jane', 'ROLE_USER');
INSERT INTO authorities VALUES ('jane', 'ROLE_ADMIN');
INSERT INTO authorities VALUES ('billy', 'ROLE_USER');
INSERT INTO authorities VALUES ('alice', 'ROLE_USER');

3. Create a new file in WEB-INF called security-context.xml

We need to add a configuration file to do a few things. First, we need to enable the use of Spring Security annotations. We also need to intercept all URLs and check the role of the logged-in user: if that user has the ROLE_USER authority, the requested page will be displayed, otherwise access is refused. And finally, we need to point our new authentication provider at the dataSource that we have already configured so that users and roles are looked up in the tables created above.

WEB-INF/security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" />
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
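The configuration above stores and compares passwords in plaintext and protects every URL with the same single rule. The following variant is an added example, not part of the original post: it keeps the same beans and dataSource but adds a second intercept-url rule that reserves a hypothetical /admin/** area for ROLE_ADMIN (the role jane was given in step 2) and switches the authentication provider to SHA-256 password hashing with the username as salt. The /admin/** path is an assumption for illustration only.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">
        <!-- Rules are matched top to bottom and the first match wins, so the
             narrower /admin/** rule (hypothetical path) must come before the
             /** catch-all; reversed, /** would swallow every request and
             ROLE_ADMIN would never be required. -->
        <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" />
            <!-- Compare SHA-256 digests instead of plaintext. The username is
                 mixed in as salt so two users with the same password do not
                 end up with the same stored hash. -->
            <security:password-encoder hash="sha-256">
                <security:salt-source user-property="username" />
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
```

Two things follow from this change. The password column in the users table must hold the hex digest, and a SHA-256 digest is 64 hex characters, so the VARCHAR(50) from step 2 is too narrow and must be widened before the rows are re-inserted with hashed values (the plaintext rows from step 2 would no longer authenticate). And the password-encoder element is placed after the user service here; if your IDE's schema validation rejects that ordering, move it before the jdbc-user-service element, since the 3.0 schema only cares that both appear inside authentication-provider.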

4. Import security-context.xml from applicationContext.xml

Add the following line of code to the existing applicationContext.xml file so that it will import the security context:

WEB-INF/applicationContext.xml
<import resource="security-context.xml" />

5. Add security code to web.xml

Last step is to add the security filter and filter mapping to web.xml.

WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <servlet>
        <servlet-name>greeter</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>greeter</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Enables Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- end Spring Security -->

</web-app>

6. Redeploy the application and that’s it!

Now when you go to the application home page at http://localhost:8080/springgreetings/ you should see a login page. Where did that come from? We never created a login JSP page. But Spring Security generates a default login page for you if you haven’t created one. That is cool.

Here is the source code.
