Share |

Spring Security

Home Java Home Spring Framework Index

Security is a moving target and requires a comprehensive solution to deal with it. Also security needs to be dealt at many layers. Security at operating system level and securing the traffic while in wire are some of them. As we are concerned with Application level security, we will look fundamentally into the way of security at application level.

Spring security (formerly known as acegi) has been a popular choice in Java based web applications. Spring security started as a small sideway project independent of mainline spring development. In 2007, it was formerly included into the main spring development and rechristened as Spring security.

Before we move further, let’s understand the concept of principal, authentication and authorization.

Principal represents the identity which can be a user or device or some other system.
Authentication is the process of establishing the identity, confirming that the Principal is actually the one what it claims to be.
Authorization is the process of establishing whether the principal is allowed to do certain things.

For example in web applications the Principal is represented by the username or login. For the authentication process to happen, the principal has to provide a password which establishes the claim of the Principal. Authorization will further decide what Principal can do with application. If Principal is an account holder in a bank, she will be allowed to access only her account details at banking site.

Spring security is built on top of spring framework and uses the concept of filters in Servlet engine. Filters are like servlet however they come into action before servlet and can decide whether the request needs to be forwarded to a servlet or not. Spring security registers filters with the application.

Let’s build a web application using spring security. Download the following jars from web from download area of http://www.springframework.org

• spring-framework-*-with-dependencies.zip
• spring-security-*.zip

represents the version number which might change as per your distribution. The following example is run with spring framework version no. 2.5.1 and spring security version no. 2.0.4.

Make a web application. You can use your favourite IDE for doing that. Any Java based web application has the following minimal structure:

Copy the following jars from Spring framework and put it in WEB-INF/lib folder

dist/spring.jar
lib/log4j/log4j*.jar
lib/jakarta-commons/commons-logging.jar
lib/jakarta-commons/commons-codec.jar

And copy the spring security jar from spring security download
- dist/spring-security-core-*.jar
Now open the web.xml and copy the following lines:


<listener>
   <listener-class>org.springframework.web.context.ContextLoaderListener
   </listener-class>
</listener>

<context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>WEB-INF/spring-security.xml</param-value>
</context-param>

<filter>
   <filter-name>springSecurityFilterChain</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

<welcome-file-list>
   <welcome-file>index.jsp[/welcome-file>
</welcome-file-list>

The listener ContextLoaderListener is invoked by the web container whenever the application is loaded. This starts the Spring IOC container. Spring container reads the spring-security.xml (which we will write soon) to read the configuration details. Also a filter is registered, which url-pattern dictates that all the request to the container needs to be trapped by the filter. The filter in turn delegates the request details to the Spring managed beans. As an application developer we need not worry about that mechanism as it happens below the wraps. What we need to do is to write the spring-security.xml and place it in WEB-INF where we configure that how the authentication is going to happen. The minimal spring-secuirty.xml looks like


<beans xmlns="http://www.springframework.org/schema/beans"
        security="http://www.springframework.org/schema/security"
        xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemalocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

<security:http auto-config='true'>
	<security:intercept-url pattern="/**" access="ROLE_USER" />
</security:http>

<security:authentication-provider>
	<security:user-service>
		<security:user name="abc" password="yyy"
			authorities="ROLE_USER, ROLE_ADMIN" />
		<security:user name="def" password="zzz"
				authorities="ROLE_USER" />
	</security:user-service>
</security:authentication-provider>

The http element plays a major role in enabling the authentication and authorization mechanism. If you come from older acegi school you will be surprised with the reduced amount of configuration. The spring security has adopted the default over configuration paradigm. The common settings are automatically configured which is dictated by attribute auto-config. The intercept-url pattern tells that all the request can only be accessed by ROLE_USER. Also we have give a list of user in authentication-provider element. This is similar to realm in conventional way of handling security. Here the user details including password is provided in this XML itself. However it’s not difficult to point it to a database or a LDAP server to retrieve the user data.

Write an index.jsp which is our welcome file and the starting point for application. Sample index.jsp:

Reached here

Now deploy the application in your web container and hit the application. A page asking for username and password will appear which will allow you to go further only if you give the username and password as in spring-security.xml. A remember me service is also automatically configured.

The default login page is automatically generated by the spring. If you want to put your customized login page you need to do the following in intercept-url element.


<security:http auto-config='true'>
   <security:intercept-url pattern="/login.jsp*" filters="none"/>
   <security:intercept-url pattern="/**" access="ROLE_USER" />
   <security:form-login login-page='/login.jsp'/>
</security:http>

Now the form-login mode will look for our login page. We have excluded login.jsp from intercept-url by using filters none. If we do not do this, we will not be able to even access our login.jsp page.

Once the user is authentication, Spring security putts an Authentication object in the session of the User. When the next request comes from the same user, Spring checks that if in the seession the authentication object is residing. If authentication object is there, Spring allows the request to go further.

Home Java Home Spring Framework Index

Add Comment

Post new comment

Wiki Help
Plugin Help

Wiki Syntax

For more information, please see Wiki Page Editor and Wiki Syntax

Wiki Syntax
Bold text __text__
Italic text 2 single quotes ('). ''text''
Underlined text ===text===
Colored text ~~#FFEE33:text~~ or ~~yellow:text~~. Will display using the indicated HTML color or color name. Color name can contain two colors separated by a comma. In this case, the first color would be the foreground and the second one the background.
Deleted text 2 dashes "-". --text--
Headings !heading1, !!heading2, !!!heading3
Show/Hide !+, !!- show/hide heading section. + (shown) or - (hidden) by default.
Autonumbered Headings !#, !!#, !+#, !-# ...
Table of contents {toc}, {maketoc} prints out a table of contents for the current page based on structures (toc) or ! headings (maketoc)
Horizontal rule ----
Text box ^Box content^
Centered text ::text::
Dynamic variables %Name% Inserts an editable variable
External links use square brackets for an external link: [URL], [URL\|link_description],[URL\|link_description\|relation] or [URL\|description\|relation\|nocache] (that last prevents the local Wiki from caching the linked page; relation can be used to insert rel attribute for the link - useful e.g. for shadowbox). For an external Wiki, use ExternalWikiName:PageName or ((External Wiki Name: Page Name))
Square Brackets Use [[foo] to show [foo].
Wiki References ((page)) or ((page\|description)) for wiki references
Lists * for bullet lists, # for numbered lists, ;Word:definition for definiton lists
Indentation +, ++ Creates an indentation for each plus (useful in list to continue at the same level)
Tables \|\|row1-col1\|row1-col2\|row1-col3 row2-col1\|row2-col2\|row2-col3\|\|
Title bar -=Title=-
Monospace font -+Code sample+-
Line break %%% (very useful especially in tables)
Multi-page pages Use ...page... to separate pages
Non parsed sections ~np~ data ~/np~ Prevents wiki parsing of the enclosed data.
Preformated sections ~pp~ data ~/pp~ Displays preformated text/code; no Wiki processing is done inside these sections (as with np), and the spacing is fixed (no word wrapping is done). ~pre~ data ~/pre~ also displayes preformatted text with fixed spacing, but wiki processing still occurs on the text.
Comments ~tc~ Tiki Comment ~/tc~ makes a Tiki comment. It will be completely removed from the display, but saved in the file for future reference. ~hc~ HTML Comment ~/hc~ makes an HTML comment. It will be inserted as a comment in the output HTML; these are not normally displayed in browsers, but can be seen using "View Source" or similar.
Direction {r2l}, {l2r}, {rm}, {lm}Insert resp. right-to-left and left-to-right text direction DIV (up to end of text) and markers for langages as arabic or hebrew.
Special characters ~hs~ hard space, ~c~ ©, ~amp~ &, ~lt~ <, ~gt~ >, ~ldq~ “, ~rdq~ ”, ~lsq~ ‘, ~rsq~ ’, ~--~ —, ~bs~ \, numeric between ~ for html numeric characters entity

Because the Wiki paragraph formatting feature is off, each line will be presented as you write it. This means that if you want paragraphs to be wrapped properly, a paragraph should be all together on one line.

Plugins

Note that plugin arguments can be enclosed with double quotes ("); this allows them to contain , or = or >.
More help here

Filter:

Description
Attachment Displays an attachment or a list of them
Box Insert theme-styled box on wiki page
Center Centers the plugin content in the wiki page
Code Displays a snippet of code
Div Insert a division block, span, blockquote or other text formatting on wiki page.
Definition List Creates a definition list
Fade Displays a label. On click, the block of content will fade in and fade out.
Fancy List Creates a fancy-looking list
Fancy Table Displays the data using the Tikiwiki odd/even table style
File Displays a link to an attachment to a wiki page and can display an image attachment.
Files Displays a list of files from the File Gallery
Flash video Displays a Flash (.swf) file in the wiki page
googlemap Displays a Google map
Group Display wiki text if user is in one of listed groups
Group List List of groups including a group
Group Stats Displays some stat about group belonging
HTML Include literal HTML in a Wiki page
Image Display images
Include Include a page's content.
Invite Invite an email in groups.
Kaltura video Displays a KALTURA video on the wiki page
Language Displays the text only if the language matchs
Mail Allow to send mail to groups or user or email directly
Mediaplayer Simple mp3 or flv Player
Insert Module Displays a module inline in a wiki page. More parameters can be added, not supported by UI.
Mouseover Create a mouseover feature on some text
Poll Displays the output of a poll, fields are indicated with numeric ids.
Quote Quote text by surrounding the text with a box, like the [QUOTE] BBCode
Remarks Box Displays a comment, tip, note or warning box
RSS Feed Inserts an RSS feed output.
Sort Sorts the plugin content in the wiki page
Split Split a page into rows and columns
Subscript Displays text in subscript.
Superscript Displays text in superscript (exponent).
Tabs Provides tabs built using the smarty tabset block.
Thumbnail Displays the thumbnail for an image
Thumbnail Displays the thumbnail for an image
Tracker Comments Displays the number of tracker comments
Translated Links to a translated content
Youtube Display youtube video in a wiki page

Title (required)
Toolbars
Comment (required)
Anti-Bot verification code:
Enter the code you see above:
Enter your name (optional)
Post new comment

Spring Security

Post new comment

Wiki Syntax

Plugins

Sidebar

Last wiki comments

Sidebar

Random Pages

Last blog post comments