Basic MVC project using Spring Security

Spring Security is a framework that provides authentication and access control for a project. We will set up a project with some basic authentication using Spring Security. In one of my later blogs we will see how to use a user service and get the credential information from a database.

CREATING A BASIC SPRING MVC PROJECT
Get SpringSource tool suite from here. (For reference: I have used STS Version 2.9.2.RELEASE and Maven 3.0.3 for this project).
We will now create a basic Spring MVC project.
Select File>New>Spring Template Project and choose Spring MVC Project from the list. Click yes on the download prompt.
We will name the project as SpringSecurity and the package as com.wordpress.codesilo.

RUNNING THE TEMPLATE ON THE SERVER
Right-click the created project and select Run As>Run On Server. Click on the “Manually Define a new Server” radio button and search for Tomcat (I have Tomcat already installed on my machine). Select the version of Tomcat server you want to use (7.0 in my case) and click Next.
Select the Tomcat Installation Directory and the installed JRE/JDK. Once you click “Finish” the server should start and you should get a Hello World page with the current time on the workspace.

BASIC SPRING SECURITY
We will create a blank security-app-context.xml file under WEB-INF/spring/ and add the following configuration to the file:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="rod" password="koala" authorities="supervisor, teller, user" />
                <user name="dianne" password="emu" authorities="teller, user" />
                <user name="scott" password="wombat" authorities="user" />
                <user name="peter" password="opal" authorities="user" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Add the following to web.xml

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Add security-app-context.xml to the contextConfigLocation in web.xml so that the ContextLoaderListener loads it:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml
        /WEB-INF/spring/security-app-context.xml
    </param-value>
</context-param>

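Add the following to the dependencies in pom.xml. The version reuses the template's org.springframework-version property, so a Spring Security release with that same version number must exist.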

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${org.springframework-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${org.springframework-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${org.springframework-version}</version>
</dependency>

Now when we bring up the server, the following prompt will be presented. If we use one of the username/password combinations in the security context file, we should be able to get to the Hello World page.

FORM-BASED LOGIN
We will now change the authentication to use a default form provided by Spring. Change the following section in security-app-context.xml

<http use-expressions="true">
 <intercept-url pattern="/**" access="isAuthenticated()" />
 <http-basic/>
</http>

to

<http use-expressions="true">
 <intercept-url pattern="/**" access="isAuthenticated()" />
 <form-login/>
 <logout/>
</http>

If we go to the application URL now (http://localhost:8080/SpringSecurity/), we will be redirected to a login page as follows.

We can get to the Hello World page by providing the credentials.
To log out, we use the following URL: http://localhost:8080/SpringSecurity/j_spring_security_logout

CUSTOMIZING LOGIN FORM
Change the <form-login/> in security-app-context.xml to

<form-login
 login-page="/login.jsp"
 always-use-default-target="true"/>

We will now add login.jsp to the webapp folder in the project. The following is the content of login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<html>
<head>
<title>Login</title>
</head>
<body>
 <form action="j_spring_security_check" method="POST">
     <label for="username">User Name:</label>
     <input id="username" name="j_username" type="text" />
     <label for="password">Password:</label>
     <input id="password" name="j_password" type="password" />
     <input type="submit" value="Log In" />
 </form>
</body>
</html>

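We will also change security-app-context.xml to allow access to the login.jsp page. Place this rule above the /** rule: intercept-url patterns are matched in the order they are declared, and the first match applies.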

<intercept-url pattern="/login.jsp" access="permitAll" />

If this is not done, we will get a “too many redirects” error, because the request for the login page is itself redirected to the login page.

Also, add the logout URL at the end of the home.jsp page:

<a href="<c:url value="/j_spring_security_logout"/>">Logout</a>

Now, once we go to our application, we will see the custom login page that we created. We will also be able to log out by using the logout URL provided on the home page.

ADDING SECURITY EXCEPTION HANDLING
Add the following just above the form on login.jsp

<c:if test="${not empty param.login_error}">
 <font color="#ff0000">
 Login unsuccessful.<br/>
 <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
 </font>
</c:if>

and change the form-login element to the following:

<form-login
 login-page="/login.jsp"
 authentication-failure-url="/login.jsp?login_error=1"
 always-use-default-target="true"
 />

If we bring up the server and provide incorrect credentials, we will see the following error
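For comparison, here is the whole security-app-context.xml as it stands after the form-login, custom login page and error-handling steps. This is an added example, not the original post's file. It assumes Spring Security 3.1, as the schema location indicates, and the /admin/** path is hypothetical, included only to show one of the declared authorities being enforced.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <!-- Rules are checked top to bottom and the first matching pattern
             decides, so specific patterns go above the catch-all. -->

        <!-- Login page must be reachable without a session. Without this rule,
             or with it placed below /**, the request for /login.jsp is itself
             redirected to /login.jsp and the browser reports too many
             redirects. -->
        <intercept-url pattern="/login.jsp" access="permitAll" />

        <!-- Hypothetical path (not in the original project): restricts a URL
             to one authority from the user-service below. Assumes the 3.1
             release, where hasRole compares the name exactly as written. -->
        <intercept-url pattern="/admin/**" access="hasRole('supervisor')" />

        <!-- Catch-all stays last: everything else needs a logged-in user. -->
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <form-login
            login-page="/login.jsp"
            authentication-failure-url="/login.jsp?login_error=1"
            always-use-default-target="true" />
        <logout />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="rod" password="koala" authorities="supervisor, teller, user" />
                <user name="dianne" password="emu" authorities="teller, user" />
                <user name="scott" password="wombat" authorities="user" />
                <user name="peter" password="opal" authorities="user" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With this file, only rod holds the supervisor authority, so the other three users can log in but are denied access under /admin/**.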


  1. Nen
    July 20, 2012 at 10:42 am

    Thanks! It works for me!

  2. NPE
    September 24, 2013 at 2:27 pm

    Can't get it to work. Is there a src dump for me to compare against?
