Spring Security: Securing Methods Using @Secured Annotation

Concept Overview

Spring provides a way to implement method level security. Only users authenticated with particular roles may be allowed to access a method. There are four ways to implement method level security.

  1. Annotate method using @Secured
  2. Annotate method using JSR-250 @RolesAllowed
  3. Use Spring’s Pre and Post invocation Annotations
  4. Match method using Pointcuts

In this tutorial we look at Annotating methods using @Secured tag. The first step is to enable the annotation using

The example below explains the rest.


We demonstrate method level annotation using a simple login application. The diagram below explains the application.


Required Libraries
  • aopalliance-1.0.jar
  • aspectjweaver-1.6.10.jar
  • cglib.jar
  • commons-logging-1.1.1.jar
  • embeddedwebserver.jar
  • jstl-1.2.jar
  • org.springframework.web.servlet.jar
  • servlet-api-2.5.jar
  • spring-aop-3.0.7.RELEASE.jar
  • spring-asm-3.0.7.RELEASE.jar
  • spring-beans-3.0.7.RELEASE.jar
  • spring-context-3.0.7.RELEASE.jar
  • spring-core-3.0.7.RELEASE.jar
  • spring-expression-3.0.7.RELEASE.jar
  • spring-jdbc-3.0.7.RELEASE.jar
  • spring-security-config-3.1.4.RELEASE.jar
  • spring-security-core-3.1.4.RELEASE.jar
  • spring-security-taglibs-3.1.4.RELEASE.jar
  • spring-security-web-3.1.4.RELEASE.jar
  • spring-tx-3.0.7.RELEASE.jar
  • spring-web-3.0.7.RELEASE.jar
  • springsecurityusingxml.jar

Code Package Structure

Interaction Flow


  1. User accesses a URL on a web application
  2. The web application refers to web.xml
  3. The web.xml matches the URL pattern
  4. The control is redirected to DispatcherServlet in Spring framework
  5. Spring framework finds that the all URLs are secured. It also finds a custom login page is configured and forwards the request to the LoginController which is a Spring MVC Controller
  6. The LoginController redirects to the Custom Login Page
  7. The user enters his login name and password and submits the custom login form
  8. Spring performs authentication and authorization of user’s credentials against the entires in Spring Configuration file and redirects to LoginController
  9. LoginController displays the originally accessed URL upon successfull authentication
  10. User accesses the ‘Admin Page’ link
  11. LoginController ensures whether the logged in user has ‘ROLE_ADMIN’ authorization @Secured method level annotation and then displays the ‘Admin Page’



Source Code

Create the LoginController class as shown below. This is Spring MVC Controller class. Please see Related Trail
Spring MVC Basics
for more details.

Map the request
/main
to
printWelcome()
method and redirect to main_page.jsp after setting ‘username’ attribute with the logged in user’s name. (see lines 14-21 below).

Map the request
/login
to
login()
method and redirect to login_page.jsp (see lines 23-28 below).

Map the request
/loginError
to
loginError()
method and redirect to login_page.jsp after setting the ‘error’ attribute to ‘true’. (see lines 30-35 below).

Map the request
/common
to
common()
method and redirect to common_page.jsp (see lines 37-42 below).

Note the
@Secured
annotation which demonstrates the method level security feature of Spring. It is applied for roles ‘ROLE_REGULAR_USER’ & ‘ROLE_ADMIN’ (see line 36 below).

Map the request
/admin
to
admin()
method and redirect to admin_page.jsp (see lines 44-49 below).

Note the
@Secured
annotation which demonstrates the method level security feature of Spring. It is applied for role ‘ROLE_ADMIN’ (see line 43 below).

Map the request
/logout
to
logout()
method and redirect to logout_page.jsp (see lines 51-56 below).






Create the custom login page JSP (as shown below) that is used in Spring Security .

The important aspects to note in this JSP are:

  • The user name should be stored in a parameter named j_password (see line 23 below)
  • The password name should be stored in a parameter named j_password (see line 28 below)
  • This form should be submitted to the URL j_spring_security_check
  • Login error is handled by checking for attribute named ‘error’ (see lines 9-15 below)

Create the main page JSP (as shown below).

It contains the following three links:

  1. /admin: To access the admin page (accessible only for ROLE_ADMIN
  2. /common: To access the common page (accessible only for ROLE_REGULAR_USER and ROLE_ADMIN)
  3. /logout: For logout

Create the Admin Page as shown below.



Create the Common Page as shown below.




Create the web.xml file as shown below.

Register Spring’s DispatcherServlet used to register handlers for processing the web request (see lines 29-38 below).

Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
javax.servlet.Filter
and is registered as Spring bean.

Note: In this example we do not have to specifically create a class that implements
javax.servlet.Filter
. This is automatically available to us when we configure our Spring configuration file using
security:http
in springmvcdispatcher-servlet.xml file described later .

Also configure that ContextLoaderListener (see lines 25-27 below).

Finally provide the location of Spring’s configuration file in web.xml (see lines 10-13 below).



Allow annotation based Spring MVC controller declaration by using
context:component-scan
tag (see line 15 below).

Enable method level security by declaring
security:global-method-security
tag (see line 17 below).

This demonstrates the Spring security declaration required for method level security.

Configure Spring security using
security:http
tag (see lines 19-23 below).

Note that when URL fragment
/main
is accessed then security interceptor will be invoked (see line 20 below) and can be accessed by a user having ‘ROLE_ADMIN’ or ‘ROLE_REGULAR_USER’ authorization.

Also note that custom login page is mentioned using
login-page
attribute (see line 21 below). The error page to be displayed is also mentioned using
authentication-failure-url
attribute (see line 22 below).

The URLs
/main
,
/login
and
/loginError
were mapped in LoginController
(described earlier)

Specify the authentication and authorization credentials for valid users (see lines 25-32 below). Note in particular the
<security:user>
tag using which the name, password and authorization role for users is specified (see lines 28-29 below).

Configure Spring such that the prefix
/views
and the suffix
.jsp
should be added to the name of the view JSP (see lines 36-43 below) as specified in return statements in all methods of LoginController class
(described earlier)

This demonstrates the spring configuration required for enabling method level security using
@Secured
annotation.




Running Sample Program

This sample program has been packaged as a jar installer which will copy the source code (along with all necessary dependencies)on your machine and automatically run the program for you as shown in the steps below. As this sample program contains Java Server Pages (JSPs), you will need Java Development Kit (JDK preferably 1.5 or higher) on your machine so that the JSPs can be complied locally. Note that no other setup is required on your machine! Also please ensure that the port 8080 is not being used by any other program on your machine.

Download And Automatically Run Sample Program
  • Save the springsecuritymethodlevel-installer.jar on your machine
  • Execute/Run the jar using Java Runtime Environment


  • (Alternatively you can go the folder containing the springsecuritymethodlevel-installer.jar and execute the jar using
    java -jar springsecuritymethodlevel-installer.jar
    command)

  • You will see a wizard as shown below. Enter the location of Java Development Kit (JDK) and Click ‘Next’ button.
  • You will see a wizard page as shown below
  • Enter the location of the directory where you want the program to install and run (say, C:\Temp)
  • The installer will copy the program on your machine and automatically start the inbuilt webserver on your machine as shown below.
  • Go to the URL http://localhost:8080/springsecuritymethodlevel/main. The custom login page will be displayed as shown below
  • Enter credentials with username ‘beta’ and password ‘pass2’ as shown below.
    Note that this user has authorization ‘ROLE_REGULAR_USER’ as defined in springsecurity-servlet.xml (described earlier)
  • Click on Submit button. The main page shall be displayed as shown below.
  • Click on ‘Admin Page’ link. An ‘Access is denied’ message is displayed as shown below.
    This is because the user ‘beta’ does not have the authorization of ROLE_ADMIN. See springsecurity-servlet.xml (described earlier) for more details.
  • Click on the back button of the browser. The main page shall be displayed as shown below.
  • Click on ‘Regular User Page’ link. The user will be taken to the common page as shown below.
  • Click on the back button of the browser. The main page shall be displayed as shown below.
  • Click on ‘logout’ link. The login page will be displayed as shown below
  • Enter credentials with username ‘alpha’ and password ‘pass1’ as shown below.
    Note that this user has authorization ‘ROLE_REGULAR_USER’ as defined in springsecurity-servlet.xml (described earlier)
  • Click on Submit button. The main page shall be displayed as shown below.
  • Click on ‘Admin Page’ link. The admin page will be displayed as shown below.
    This is because the user ‘alpha’ has the authorization of ROLE_ADMIN. See springsecurity-servlet.xml (described earlier) for more details.
  • Click on ‘Regular User Page’ link. The user will be taken to the common page as shown below.
    This is because the user ‘alpha’ has the authorization of ROLE_REGULAR_USER. See springsecurity-servlet.xml (described earlier) for more details.
  • This complets the sample program to demo the usage of Spring method level security using @Secured annotation
  • Browsing the Program

    This source code for this program is downloaded in the folder specified by you (say, C:\Temp) as an eclipse project called
    springsecuritymethodlevel
    . All the required libraries have also been downloaded and placed in the same location. You can open this project from Eclipe IDE and directly browse the source code. See below for details of the project structure.

    Redeploying this sample program in a different web server

    The WAR file for this example is available as springsecuritymethodlevel.war in the download folder specified by you earlier (e.g. C:\Temp). The path for the WAR file is <DOWNLOAD_FOLDER_PATH>/springsecuritymethodlevel/dist/springsecuritymethodlevel.war.

    This WAR file can be deployed in any webserver of your choice and example can be executed.

    One thought on “Spring Security: Securing Methods Using @Secured Annotation

    • March 15, 2017 at 11:39 am
      Permalink

      Kindly share with us. how to create springsecuritymethodlevel-installer.jar

      Reply

    Leave a Reply

    Your email address will not be published. Required fields are marked *