Spring provides a configurable framework for implementing authentication and authorization for an application. The security framework provides ways to log in to and log out of an application. It also provides authentication at view level and method level. What's more, it can also provide you with a login page! Here are some things that it provides:
- Provide capabilities for login and logout
- Control access to a link based on the role of the user.
- Provide the ability to hide certain portions of a page if a user does not have appropriate privileges.
- Link to a database or LDAP for authentication
In this tutorial we will look at declarative security implementation using XML.
The first step is to add the Spring Security jars to the classpath. The minimal jars are the Core and Configuration modules. The second step is to make the Spring Security namespace available in the XML. This can be achieved by using http://www.springframework.org/schema/security/spring-security-3.0.xsd. Spring achieves the security by using a servlet filter. This filter intercepts all requests and implements the security-related tasks. The only filter that needs to be configured is the DelegatingFilterProxy. This filter delegates the request to instances of javax.servlet.Filter.
Sample Program Overview
Let's look at an example that demonstrates Spring Security using XML. This is a simple example that intercepts a user request and presents a login page. Upon successful login it shows the success page and, if unsuccessful, it shows an error message.
- User accesses a URL on a web application
- The web application refers to web.xml
- The web.xml matches the URL pattern
- The control is redirected to DispatcherServlet in Spring framework
- Spring framework finds that all URLs are secured and hence displays the login page to the user
- The user enters his login name and password
- Spring framework validates the login name and password by using the entries in the Spring configuration XML and redirects to the originally requested URL
Create the main_page.jsp as shown below. This page is accessed by the end user and is displayed after successful login.
Note that this is the only JSP page required for this sample. No explicit coding is required to display Spring’s in-built login page.
Create the web.xml file as shown below.
Register Spring’s DispatcherServlet, which is used to register handlers for processing the web request (see lines 29-38 below).
Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
and is registered as a Spring bean.
Note: In this example we do not have to specifically create a class that implements
. This is automatically available to us when we configure our Spring configuration file using
in springsecurity-servlet.xml file
Also configure the ContextLoaderListener (see lines 25-27 below).
Finally provide the location of Spring’s configuration file in web.xml (see lines 10-13 below).
Configure Spring security using
tag (see lines 15-17 below).
Specify that all URLs should be intercepted by Spring security (see
attribute in line 16 below).
Also specify that access should be restricted only to those users who have the role
attribute on line 16).
Specify the authentication and authorization credentials for valid users (see lines 19-25 below). Note in particular the
tag using which the name, password and authorization role for a user is specified (see line 22 below).
This demonstrates how to specify authentication and authorization information in a Spring XML file.
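An added example, not part of the original tutorial or its download: a short Python check that parses a configuration of the kind described above and reports missing catch-all coverage, rules shadowed by an earlier /** (rules are matched in order) and user entries whose password sits in clear text in the XML. The embedded configuration, the user alice, its password and the role ROLE_USER are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"

# Constructed sample configuration (not the tutorial's own listing).
SAMPLE_CONFIG = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
  </http>
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="alice" password="example-password" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
"""

def audit(xml_text):
    """Return (rules, findings) for a Spring Security namespace config."""
    root = ET.fromstring(xml_text)
    rules, findings = [], []
    for http in root.iter(NS + "http"):
        seen_catch_all = False
        for rule in http.findall(NS + "intercept-url"):
            pattern, access = rule.get("pattern"), rule.get("access")
            rules.append((pattern, access))
            if seen_catch_all:
                # Rules are evaluated in order, so this one is never reached.
                findings.append("rule %s is shadowed by an earlier /**" % pattern)
            if pattern == "/**":
                seen_catch_all = True
                if not access:
                    findings.append("catch-all /** has no access attribute")
        if not seen_catch_all:
            findings.append("no catch-all /** rule: unmatched URLs are not covered")
    for provider in root.iter(NS + "authentication-provider"):
        # A password-encoder child means stored values are hashes, not clear text.
        encoded = provider.find(NS + "password-encoder") is not None
        for user in provider.iter(NS + "user"):
            if user.get("password") and not encoded:
                findings.append("user %s has a plaintext password in the XML"
                                % user.get("name"))
    return rules, findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG)[1]:
        print("FINDING:", line)
```

The findings name the user but never echo the password value, so the output can be pasted into a review ticket.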
This sample program has been packaged as a jar installer which will copy the source code (along with all necessary dependencies) on your machine and automatically run the program for you as shown in the steps below. As this sample program contains Java Server Pages (JSPs), you will need the Java Development Kit (JDK, preferably 1.5 or higher) on your machine so that the JSPs can be compiled locally. Note that no other setup is required on your machine! Also please ensure that port 8080 is not being used by any other program on your machine.
Alternatively, you can go to the folder containing springsecurityusingxml-installer.jar and execute the jar using:
java -jar springsecurityusingxml-installer.jar
The source code for this program is downloaded in the folder specified by you (say, C:\Temp) as an Eclipse project called
. All the required libraries have also been downloaded and placed in the same location. You can open this project from the Eclipse IDE and directly browse the source code. See below for details of the project structure.
The WAR file for this example is available as springsecurityusingxml.war in the download folder specified by you earlier (e.g. C:\Temp). The path for the WAR file is <DOWNLOAD_FOLDER_PATH>/springsecurityusingxml/dist/springsecurityusingxml.war.
This WAR file can be deployed in any web server of your choice, and the example can then be executed.