Spring Security Introduction Tutorial

Introduction:

Spring Security provides security services for J2EE-based enterprise software applications.

Application Security Areas:

There are two main areas of application security:

  1. Authentication: the process of verifying that a user is who they claim to be.
  2. Authorization: the process of deciding whether an authenticated user is allowed to perform a given activity within the application.

Authentication Models supported by Spring Security:

Spring Security supports more than 20 authentication models. Some of them are:

  1. X.509 client certificate exchange
  2. LDAP Authentication
  3. OpenID authentication
  4. Java Open Source Single Sign On

…..

Spring Security Modules

Spring Security code is divided into different JARs (which can be considered modules):

  1. Core (spring-security-core.jar): required module. Contains the core authentication and access-control classes and interfaces, remoting support and basic provisioning APIs.
  2. Web (spring-security-web.jar): required if web authentication services and URL-based access control are needed. Contains filters and related web-security infrastructure code.
  3. Remoting: provides integration with Spring Remoting.
  4. Config: contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace for configuration.
  5. LDAP: LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage LDAP user entries.
  6. ACL: used to apply security to specific domain object instances within your application.
  7. CAS: used if you want Spring Security web authentication with a CAS single sign-on server.
  8. OpenID: used to authenticate users against an external OpenID server.

Note: details extracted from the official Spring Security documentation.

Spring Security Configuration

Web.xml Configuration:

In order to enable Spring Security for your web application, you have to add the filter declaration below to your web.xml.


<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

All requests now pass through the springSecurityFilterChain filter, which applies the application's security rules.

ApplicationContext-security.xml Configuration:

Now that Spring Security is enabled, we can configure the security XML for the different security-related options: the authentication model, the login page, the access-denied page and so on.

Namespace

Namespace configuration lets you supplement the traditional Spring beans application-context syntax with elements from an additional XML schema. To use the security namespace in the application context, the spring-security-config JAR must be on the classpath, and the following schema declaration must be present in the application-context XML:


<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    ...
</beans:beans>

With this declaration, "security" is the default namespace rather than "beans", so security elements need no prefix while bean elements use the beans: prefix.

Authentication Model:

Here we decide which authentication model the web application will use. The option can be any of those listed above (LDAP, OpenID, ...). Once decided, it is configured through the <authentication-manager></authentication-manager> element.
Ex 1 :

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user1" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="user2" password="password" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

Here users and their roles are hard-coded in the XML itself, and users are authenticated and authorized on that basis. Two users have been created, both with the password "password"; user1 has the roles ROLE_USER and ROLE_ADMIN and user2 has ROLE_USER.
Ex. 2 :

<authentication-manager>
    <authentication-provider ref="ldapActiveDirectoryAuthProvider"></authentication-provider>
</authentication-manager>

<beans:bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <beans:constructor-arg value="abc.xyz.com"></beans:constructor-arg>
    <beans:constructor-arg value="ldaps://abc.xyz.com:636"></beans:constructor-arg>
</beans:bean>

Here users are authenticated and authorized via an LDAP server (in this case Active Directory).
Note: the port number is 636 for a secured (LDAPS) connection and 393 for a non-secured one.

Ex 3 :

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource" />
    </authentication-provider>
</authentication-manager>

Here users are authenticated and authorized on the basis of two tables (USERS and AUTHORITIES) in the database; the dataSource bean is used to access them. The tables should have the following structure:

-- VARCHAR2 needs a length in Oracle; ENABLED is read as a boolean (1 = enabled, 0 = disabled)
CREATE TABLE USERS (USERNAME VARCHAR2(50) NOT NULL PRIMARY KEY, PASSWORD VARCHAR2(100) NOT NULL, ENABLED NUMBER(1) NOT NULL);

-- one row per (user, authority); the username must exist in USERS
CREATE TABLE AUTHORITIES (USERNAME VARCHAR2(50) NOT NULL REFERENCES USERS(USERNAME), AUTHORITY VARCHAR2(50) NOT NULL, UNIQUE (USERNAME, AUTHORITY));

Note*: You can have multiple <authentication-provider> elements to define different authentication sources and each will be consulted in turn.

Up to now you have enabled Spring Security for your web application and configured the authentication manager through which users are authenticated and authorized. Next we configure the login and logout pages and role-based URL access.

auto-config:

At its most basic, the login, logout and HTTP Basic settings can all be configured with the auto-config="true" attribute on <http>. It is shorthand for:

<http>
    <form-login />
    <http-basic />
    <logout />
</http>

Login page configuration

<form-login login-page='/login.jsp' default-target-url='/home.jsp' always-use-default-target='true' />

Here we have configured the login page as login.jsp, and after login the user is redirected to home.jsp (the default-target-url). always-use-default-target controls whether the user is always redirected to the default-target-url:

If true, the user is redirected to home.jsp even when they were on some other page when the session timed out.

If false, the user is not always redirected to home.jsp: they return to the page they were on when the session timed out, or land on home.jsp when logging in for the first time.

Role-based URL access configuration

<intercept-url pattern="/**" access="ROLE_USER" />

Note*: Now all URLs can be accessed only by users who have the ROLE_USER authority. To bypass security entirely for static content (or for the login page itself), use a separate <http> element with security="none":

<http pattern="/login.jsp*" security="none"/>

Complete configuration will be something like

<http pattern="/js/*" security="none"></http>
<http use-expressions="true">
    <intercept-url pattern="/secure/**" access="hasRole('ROLE_SUPERVISOR')"/>
    <intercept-url pattern="/*" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <intercept-url pattern="/" access="isAuthenticated()" />
</http>

Access denied page configuration

 <access-denied-handler error-page="/accessdenied.jsp" />

Logout page & logout link configuration

  <logout logout-url="/logout" logout-success-url="/logoutPage.jsp" />

Session Management Configuration

<session-management>
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>

Here we have defined that a user can have at most 1 session.

error-if-maximum-exceeded defines what should happen when a user tries to create more than one session.

If it is true: the user gets an error page stating that they cannot have more than one session while they already have an active one.
If it is false: the user gets no error when logging in again (creating another session), but the earlier session is invalidated and the user is left with only the new session.
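Pulling the fragments above into one applicationContext-security.xml, as an added example that is not the original post's code: the order matters, because <http security="none"> elements must come before the main <http>, and intercept-url rules are evaluated top-down with the first match winning. It assumes a dataSource bean defined elsewhere in the context, the USERS/AUTHORITIES tables from Ex. 3, and adds a bcrypt <password-encoder> that the original examples (which store plaintext passwords) do not show.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Static resources and the login page skip the filter chain entirely.
         These must be declared before the catch-all <http> below. -->
    <http pattern="/js/**" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/login.jsp*" security="none"/>

    <http use-expressions="true">
        <!-- Most specific pattern first: the first matching rule decides. -->
        <intercept-url pattern="/secure/**" access="hasRole('ROLE_SUPERVISOR')"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <form-login login-page="/login.jsp"
                    default-target-url="/home.jsp"
                    always-use-default-target="false"/>
        <logout logout-url="/logout" logout-success-url="/logoutPage.jsp"/>
        <access-denied-handler error-page="/accessdenied.jsp"/>

        <!-- One session per user; a second login expires the older session.
             Requires HttpSessionEventPublisher registered in web.xml. -->
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
        </session-management>
    </http>

    <!-- Users and authorities are read from the USERS / AUTHORITIES tables
         through the 'dataSource' bean (assumed to be defined elsewhere). -->
    <authentication-manager>
        <authentication-provider>
            <!-- Added here: USERS.PASSWORD then holds bcrypt hashes, not plaintext. -->
            <password-encoder hash="bcrypt"/>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With always-use-default-target="false", a user who was sent to login.jsp while requesting /secure/report is returned to /secure/report after a successful login instead of home.jsp.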

By | 2017-07-21T21:35:30+00:00 April 28th, 2012|Spring Security|21 Comments


21 Comments

  1. Angad March 12, 2014 at 12:54 pm - Reply

    No Code is displayed in your post.

    • Vivekanand Gautam March 12, 2014 at 5:51 pm - Reply

      Please check now. Thanks for letting me know about this problem.

  2. Mahi November 6, 2015 at 11:22 am - Reply

    Nice explanation

  3. kannan January 27, 2016 at 11:42 am - Reply

    Nicely explained, and informative. kudos bro.

  4. Swamy March 4, 2016 at 11:34 am - Reply

    Key points have been explained well….thanks

  5. boe March 17, 2016 at 6:59 am - Reply

    good

  6. ashu April 27, 2016 at 5:45 am - Reply

    The top right corner orange icon is not working in this page. plz fix it asap.

  7. Shashi May 20, 2016 at 2:41 pm - Reply

    Awesome!!!

  8. David Pham August 12, 2016 at 1:29 am - Reply

    Nice example

  9. iSumanth September 8, 2016 at 7:33 am - Reply

    Thank you..!! Nice explanation, expecting depth on extension to this article with various scenarios.

  10. Amit Solanki September 26, 2016 at 6:36 am - Reply

    Good Work !!!

  11. shyam November 16, 2016 at 2:14 pm - Reply

    please post one simple example for login page.

  12. rachit January 9, 2017 at 6:56 am - Reply

    If I need users from my already made database

  13. sunil February 15, 2017 at 2:24 pm - Reply

    Nice demonstration

  14. Dinesh Krishnan March 14, 2017 at 9:43 am - Reply

    Thanks for sharing very useful code snippets

  15. Ram March 14, 2017 at 4:24 pm - Reply

    Nice Effort

  16. Mohit March 26, 2017 at 12:37 am - Reply

    Awesome !!!!
    Explained in simple words

  17. Lucky July 19, 2017 at 7:40 am - Reply

    Simple and step forward.... very effective.

  18. naveen July 26, 2017 at 5:52 am - Reply

    Great

  19. deepak August 27, 2017 at 5:19 pm - Reply

    I have seen many tutorials but this one is the best .
