Spring Security Hello World Example--reference
In this tutorial, we will see how we can use Spring security to protect specific resources. This Hello World tutorial will give you a quick start to Spring Security.We will use Spring’s Java Config ( Annotation based approach) to configure the properties instead of XML configuration.
Technologies used
- Spring 4.0.3 Release
- Spring Security 3.2.3 Release
- Tomcat 7
- Java 1.6
We are going to develop a simple web application using Spring MVC. All the configurations will be done using Java Classes and there won’t be any XML configurations. Let us first start with the project structure.
Project Structure
Maven Dependencies
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <modelVersion>4.0.0</modelVersion> <groupId>com.javahash.springsecurity</groupId> <artifactId>springsecurity</artifactId> <packaging>war</packaging> <version>0.0.1-SNAPSHOT</version> <name>springsecurity Maven Webapp</name><properties> <jdk.version>1.6</jdk.version> <spring.version>4.0.3.RELEASE</spring.version> <spring.security.version>3.2.3.RELEASE</spring.security.version> <jstl.version>1.2</jstl.version> </properties> <dependencies> <dependency> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> <version>2.5</version> </dependency> <!-- Spring 4 dependencies --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>${spring.version}</version> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.security.version}</version> </dependency> <!-- jstl for jsp page --> <dependency> <groupId>jstl</groupId> <artifactId>jstl</artifactId> <version>${jstl.version}</version> </dependency> </dependencies><build> <finalName>springsecurity</finalName> </build></project> |
Controller
The controller will be having an unprotected URL and two URL path’s that are restricted to admin and super admin roles.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
package com.javahash.controller;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.servlet.ModelAndView;@Controllerpublic class AppController {@RequestMapping(value = { "/", "/helloworld**" }, method = RequestMethod.GET) public ModelAndView welcomePage() { ModelAndView model = new ModelAndView(); model.addObject("title", "Spring Security 3.2.3 Hello World Application"); model.addObject("message", "Welcome Page !"); model.setViewName("helloworld"); return model; } @RequestMapping(value = "/protected**", method = RequestMethod.GET) public ModelAndView protectedPage() { ModelAndView model = new ModelAndView(); model.addObject("title", "Spring Security 3.2.3 Hello World"); model.addObject("message", "This is protected page - Only for Administrators !"); model.setViewName("protected"); return model; } @RequestMapping(value = "/confidential**", method = RequestMethod.GET) public ModelAndView superAdminPage() { ModelAndView model = new ModelAndView(); model.addObject("title", "Spring Security 3.2.3 Hello World"); model.addObject("message", "This is confidential page - Need Super Admin Role !"); model.setViewName("protected"); return model; }} |
- /helloworld path is public access and there is no security constraint set on that.
- /protected is a restricted area and only user’s having admin role can access that
- /confidential is restricted and only user’s having superadmin role is able to access it
Inside each method , we create a Model ( ModelAndView instance) and return it. The view name is also set in the model. How the view name is mapped to a concrete view file ( in this case a JSP file) is the simple. We need to provide a Class having the configuration information. This is explained in the next section
Configuring the Spring MVC ( View + Security)
We need to tell Spring where to find view and how it is mapped. How do we handle security and the configuration for the same also needs to be set in Spring. All these can be accomplished using a Java Class annotated with @Configuration annotation
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
package com.javahash.config;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.ComponentScan;import org.springframework.context.annotation.Configuration;import org.springframework.context.annotation.Import;import org.springframework.web.servlet.config.annotation.EnableWebMvc;import org.springframework.web.servlet.view.InternalResourceViewResolver;import org.springframework.web.servlet.view.JstlView;@EnableWebMvc@Configuration@ComponentScan({ "com.javahash.*" })@Import({ AppSecurityConfig.class })public class ViewConfig {@Bean public InternalResourceViewResolver viewResolver() { InternalResourceViewResolver viewResolver = new InternalResourceViewResolver(); viewResolver.setViewClass(JstlView.class); viewResolver.setPrefix("/WEB-INF/views/"); viewResolver.setSuffix(".jsp"); return viewResolver; }} |
Above class does the following
- Declares this class as Configuration ( @Configuration)
- Instructs Spring to Scan for Components inside com.javahash.* package
- Maps a view name to /WEB-INF/views/ folder
- Sets the Suffix to be .jsp
- Imports another class that holds the security related configuration (@Import({ AppSecurityConfig.class }) )
Let us see how we configure the security part.
Security Configuration
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
package com.javahash.config;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.context.annotation.Configuration;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;@Configuration@EnableWebSecuritypublic class AppSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("tom").password("123456").roles("USER"); auth.inMemoryAuthentication().withUser("bill").password("123456").roles("ADMIN"); auth.inMemoryAuthentication().withUser("james").password("123456").roles("SUPERADMIN"); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/protected/**").access("hasRole('ROLE_ADMIN')") .antMatchers("/confidential/**").access("hasRole('ROLE_SUPERADMIN')") .and().formLogin(); }} |
The most important thing to note is that this class is annotated with
- @Configuration
- @EnableWebSecurity
and it extends WebSecurityConfigurerAdapter class. The @EnableWebSecurity annotation andWebSecurityConfigurerAdapter work together to provide web based security. Spring security is configured to enable HTTP Basic and Form based authentication. Spring Security will automatically render a login page and logout success page for you. The rest of the code is self explanatory. It just configures the URLs that are restricted to authorized roles and sets the roles for the users. In this example the users and their passwords are hard coded. You can change this to grab the information from database , if required.
We now have the security configuration in AppSecurityConfig.java and the MVC configuration in ViewConfig.java. We need to make sure that the root application context includes our Security configuration. For this, the practice is to create a class that extends AbstractAnnotationConfigDispatcherServletInitializer and override a few methods. What we require is to configure particular URL patterns to pass through our security layer. Traditional approach is to configure a servlet filter and in the filter we check for the security credentials. With the introduction of Servlet 3.x we are no longer required to declare the filter in web.xml and we can manage the entire configuration via Java classes. The AbstractAnnotationConfigDispatcherServletInitializer helps with this.
|
1
2
3
4
5
6
|
package com.javahash.config;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SecurityInit extends AbstractSecurityWebApplicationInitializer {} |
The above code is equivalent to
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class></filter><filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> <dispatcher>ERROR</dispatcher> <dispatcher>REQUEST</dispatcher></filter-mapping> |
We have now configured security and other MVC configuration. What is left is to configure the DispatcherSerlvet that is used to initialize the Spring MVC framework and map the URL patterns for Dispatcher Servlet. Tradional approach was to declare the DispatcherServlet in the web.xml and provide URL mappings for it. We can do away with web.xml configuration and instead use a Java Class to do this Job. This is our next step
Configuring the Dispatcher Servlet
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
package com.javahash.config;import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;public class MVCInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {@Override protected Class<?>[] getRootConfigClasses() { return new Class[] { ViewConfig.class }; } @Override protected Class<?>[] getServletConfigClasses() { return null; } @Override protected String[] getServletMappings() { return new String[] { "/" }; }} |
Here we have configured the servlet mapping as “/” and so all requests will be intercepted by the Spring Dispatcher Servlet.
Things to Note:
Our class extends AbstractAnnotationConfigDispatcherServletInitializer
getRootConfigClasses method returns our Configuration class ( ViewConfig.class)
The only activity left is to develop the views and test the application.
Developing the View (JSP)
The views are very simple – it just prints the message and the title returned in the model. We use JSTL in the views to print the data.
helloworld.jsp
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Hello World</title></head><body> <h1>Title : ${title}</h1> <h1>Message : ${message}</h1></body></html> |
protected.jsp
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
<%@ page isELIgnored="false" %><%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%><%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Protected page</title></head><body> <h1>Title : ${title}</h1> <h1>Message : ${message}</h1> <c:if test="${pageContext.request.userPrincipal.name != null}"> <h2>Welcome : ${pageContext.request.userPrincipal.name} | <a href="<c:url value="/logout" />" > Logout</a></h2> </c:if></body></html> |
Demonstration
http://localhost:8080/springsecurity-0.0.1-SNAPSHOT/helloworld/
No security for helloworld.
When you change the URL to http://localhost:8080/springsecurity-0.0.1-SNAPSHOT/protected/ Spring Security kicks in and redirect to /login, and a default login form is displayed. If username and password supplied is incorrect, error messages will be displayed, and Spring will redirect to the URL /login?error.
For unauthorized user, Spring will display the 403 access denied page
Recap – Configurations
- Declare the Security Configuration (AppSecurityConfig.java)
- Declare the View Configuration ( ViewConfig.java)
- Declare the Security Filter Configuration (SecurityInit.java)
- Declare the Spring Dispatcher Servlet Configuration (MVCInitializer.java)
Download Source Code
Download - Spring Security Source Code ( 7.37 KB)
reference from:http://javahash.com/spring-security-hello-world-example/
Spring Security Hello World Example--reference的更多相关文章
- Apache Shiro和Spring Security的详细对比
参考资料: 1)Apache Shiro Apache Shiro:http://shiro.apache.org/ 在Web项目中应用 Apache Shiro:http://www.ibm.com ...
- Spring MVC Integration,Spring Security
http://docs.spring.io/spring-security/site/docs/4.2.0.RELEASE/reference/htmlsingle/#authorize-reque ...
- spring security之httpSecurity使用示例
如果在HttpSecurity中配置需要authenticate(),则如果没有登陆,或没有相关权限,则会无法访问 2017-01-02 23:39:32.027 DEBUG 10396 --- [n ...
- REST Security with JWT using Java and Spring Security
Security Security is the enemy of convenience, and vice versa. This statement is true for any system ...
- SpringMVC 3.1集成Spring Security 3.1
这篇算是一个入门文章,昨天看见有网友提问,spring mvc集成spring security 的时候出错,揣测了一下问题木有解决.我就帮忙给搭建了一个集成框架他说可以,他告诉我这样的文章网上少.今 ...
- 【Spring】关于Boot应用中集成Spring Security你必须了解的那些事
Spring Security Spring Security是Spring社区的一个顶级项目,也是Spring Boot官方推荐使用的Security框架.除了常规的Authentication和A ...
- Cross Site Request Forgery (CSRF)--spring security -转
http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...
- Spring Boot整合Spring Security
Spring Boot对于该家族的框架支持良好,但是当中本人作为小白配置还是有一点点的小问题,这里分享一下.这个项目是使用之前发布的Spring Boot会员管理系统重新改装,将之前filter登录验 ...
- Spring Security 集成 CAS(基于HTTP协议版本)
Spring Security 集成 CAS(基于HTTP协议版本) 近段时间一直研究Spring Security 集成 CAS,网上资料相关资料也很多,不过大都是基于Https的安全认证;使用ht ...
- What is the best way to handle Invalid CSRF token found in the request when session times out in Spring security
18.5.1 Timeouts One issue is that the expected CSRF token is stored in the HttpSession, so as soon a ...
随机推荐
- 如何实现HashMap的同步
HashMap可以通过Map m = Collections.synchronizedMap(new HashMap())来达到同步的效果.具体而言,该方法会返回一个同步的Map,该Map封装了底层的 ...
- PHP TP 生成二维码
vendor('phpqrcode.phpqrcode'); $value = "http://www.baidu.com";//二维码内容 $errorCorrectionLev ...
- 【UI测试】--安全性
- js之function
function* function* 这种声明方式(function关键字后跟一个星号)会定义一个生成器函数 (generator function),它返回一个 Generator 对象. 你 ...
- Windows 8 Stroe Apps 控件
重新想象 Windows 8 Store Apps (3) - 控件之内容控件: ToolTip, Frame, AppBar, ContentControl, ContentPresenter; 容 ...
- Alpha 冲刺 (4/10)
队名 火箭少男100 组长博客 林燊大哥 作业博客 Alpha 冲鸭鸭鸭鸭! 成员冲刺阶段情况 林燊(组长) 过去两天完成了哪些任务 协调各成员之间的工作 协助前后端接口的开发 测试项目运行的服务器环 ...
- 20175316盛茂淞-Java第1周学习总结
20175316盛茂淞 2018-2019-2 <Java程序设计>第1周学习总结 教材学习内容总结 Java入门 1.Java简介(地位,特点) 2.安装JDK,设置系统环境 3.编译J ...
- 求一个数的n次幂
1.当这个数是2的多少次幂: 求(2^m)^n = 2^(m*n) = 1<<m*n; 2.快速幂(要考虑底数a,和m的正负) int quick_mod(int a,int m){ ...
- AOP 和 前置通知,后置通知
Spring 1.AOP:中文名称面向切面编程 2.英文名称:(Aspect Oriented Programming) 3.正常程序执行流程都是纵向执行流程 3.1 又叫面向切面编程,在原有纵向执行 ...
- 2018.10.27 洛谷P2915奶牛混合起来Mixed Up Cows(状压dp)
传送门 状压dp入门题. 按照题意建一个图. 要求的就是合法的链的总数. 直接f[i][j]f[i][j]f[i][j]表示当前状态为jjj,下一位要跟iii连起来的方案数. 然后从没被选并且跟iii ...