Basic MVC project using Spring Security
Spring Security is a framework that provides authentication and access control for an application. We will set up a project with some basic authentication using Spring Security. In a later post we will see how to use a user service that reads the credentials from a database.
CREATING A BASIC SPRING MVC PROJECT
Get SpringSource Tool Suite from here. (For reference: I have used STS version 2.9.2.RELEASE and Maven 3.0.3 for this project.)
We will now create a basic Spring MVC project.
Select File>New>Spring Template Project and choose Spring MVC Project from the list. Click yes on the download prompt.
We will name the project SpringSecurity and the package com.wordpress.codesilo.
RUNNING THE TEMPLATE ON THE SERVER
Right-click on the created project and select Run As>Run On Server. Click the “Manually define a new server” radio button and search for Tomcat (I have Tomcat already installed on my machine). Select the version of the Tomcat server you want to use (7.0 in my case) and click Next.
Select the Tomcat installation directory and the installed JRE/JDK. Once you click “Finish” the server should start and you should get a Hello World page showing the current time in the workspace.
BASIC SPRING SECURITY
We will create a blank security-app-context.xml file under WEB-INF/spring/ and add the following configuration to the file
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="rod" password="koala" authorities="supervisor, teller, user" />
                <user name="dianne" password="emu" authorities="teller, user" />
                <user name="scott" password="wombat" authorities="user" />
                <user name="peter" password="opal" authorities="user" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Add the following to web.xml
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Add the security-app-context.xml to the configLocation in web.xml
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/security-app-context.xml
    </param-value>
</context-param>
Add the following dependencies to pom.xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${org.springframework-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${org.springframework-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${org.springframework-version}</version>
</dependency>
Now when we bring up the server, the browser presents an HTTP Basic username/password prompt. If we use one of the username/password combinations from the security context file, we should get to the Hello World page.
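Two points a security review would raise about the configuration above: the user-service keeps every password in clear text in a file that lives inside the project, and HTTP Basic sends the username and password base64-encoded, not encrypted, on every request. The variant of security-app-context.xml below is an added example, not code from the original post. It stores BCrypt hashes instead of plain passwords and forces HTTPS for every protected URL. The bean id bcryptEncoder is our own choice, the password values are placeholders to be replaced with the output of BCryptPasswordEncoder.encode() for each account, the BCryptPasswordEncoder class is assumed to be on the classpath (it ships with the Spring Security 3.1 crypto classes), and the HTTPS redirect assumes a Tomcat connector on 8443, which is what the default port mapping pairs with 8080.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- requires-channel="https": an http:// request to a protected URL is
         redirected to https:// before the Basic credentials are sent, so the
         base64-encoded username:password never travels in clear text.
         Assumes a Tomcat HTTPS connector on 8443 (default port mapping). -->
    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" />
        <http-basic/>
    </http>

    <!-- BCrypt encoder bean; the id "bcryptEncoder" is our own choice. -->
    <beans:bean id="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Placeholders: replace each value with the 60-character hash
                     returned by new BCryptPasswordEncoder().encode("<password>"). -->
                <user name="rod" password="REPLACE_WITH_BCRYPT_HASH" authorities="supervisor, teller, user" />
                <user name="dianne" password="REPLACE_WITH_BCRYPT_HASH" authorities="teller, user" />
            </user-service>
            <!-- Submitted passwords are checked with BCryptPasswordEncoder.matches()
                 against the stored hashes; placed after user-service, the position
                 the 3.1 schema accepts. -->
            <password-encoder ref="bcryptEncoder" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Once a password encoder is configured, the clear-text values from the original user-service no longer authenticate, so every account has to be re-entered as a hash. The rod/dianne/scott/peter accounts are the ones from Spring Security's own sample applications and are only meant for trying the setup out; they should be removed before the application is deployed anywhere reachable.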
FORM-BASED LOGIN
We will now change the authentication to use a default form provided by Spring. Change the following section in security-app-context.xml
<http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic/>
</http>
to
<http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login/>
    <logout/>
</http>
If we go to the application URL now (http://localhost:8080/SpringSecurity/) we will be redirected to the default login page that Spring Security generates.
We can get to the Hello World page by providing the credentials.
To log out we use the following URL: http://localhost:8080/SpringSecurity/j_spring_security_logout
CUSTOMIZING LOGIN FORM
Change the <form-login/> in security-app-context.xml to
<form-login login-page="/login.jsp" always-use-default-target="true"/>
We will now add login.jsp to the webapp folder in the project. The following is the content of login.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <form action="j_spring_security_check" method="POST">
        <label for="username">User Name:</label>
        <input id="username" name="j_username" type="text" />
        <label for="password">Password:</label>
        <input id="password" name="j_password" type="password" />
        <input type="submit" value="Log In" />
    </form>
</body>
</html>
We also change security-app-context.xml to allow unauthenticated access to login.jsp by adding
<intercept-url pattern="/login.jsp" access="permitAll" />
If this is not done, the browser reports a “too many redirects” error: the login page itself requires authentication, so every redirect to it triggers another redirect.
Also, add the logout URL at the end of home.jsp
<a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
Now, once we go to our application, we will see the custom login page that we created, and we will be able to log out using the logout link on the home page.
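The redirect loop mentioned above is a rule-ordering problem: intercept-url patterns are evaluated top to bottom and the first match wins, so the permitAll rule for the login page has to appear before the catch-all /** rule, not after it. The complete http element below is an added example rather than the post's own configuration; it combines the login-page, logout and failure-URL settings used in this post in the order that avoids the loop. The /resources/** rule assumes the static resource mapping that the Spring MVC template project sets up, and the logout-success-url value is our own choice.

```xml
<http use-expressions="true">
    <!-- First match wins. Open the login page (and static resources, assuming the
         template's /resources mapping) BEFORE the catch-all rule. Declaring "/**"
         first would protect /login.jsp too and recreate the redirect loop. -->
    <intercept-url pattern="/login.jsp" access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- Custom login page; failed attempts go back to it with login_error=1 so the
         page can show the message from SPRING_SECURITY_LAST_EXCEPTION. -->
    <form-login login-page="/login.jsp"
                default-target-url="/"
                always-use-default-target="true"
                authentication-failure-url="/login.jsp?login_error=1" />

    <!-- Logout URL used by the link on home.jsp. The session is invalidated and
         the browser is sent back to the (now permitted) login page. -->
    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/login.jsp"
            invalidate-session="true" />
</http>
```

A quick check after editing the rules: open the login page in a fresh browser session and confirm it renders without redirecting, then request a protected URL and confirm a single redirect to /login.jsp. If the login page itself redirects, a rule above it still matches /login.jsp.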
ADDING SECURITY EXCEPTION HANDLING
Add the following just above the form on login.jsp
<c:if test="${not empty param.login_error}">
    <font color="#ff0000">
        Login unsuccessful.<br/>
        <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
    </font>
</c:if>
and change the form-login element to the following
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" always-use-default-target="true" />
If we bring up the server and provide incorrect credentials, the login page now shows the error message from the failed attempt.
Thanks! It works for me !
Can't get it to work. Is there a src dump for me to compare against?