Authorization: the process of deciding whether a user is allowed to perform an activity within the application.
Spring Security supports more than 20 models for authentication:
X.509 client certificate exchange
LDAP Authentication
OpenID authentication
Java Open Source Single Sign On
......
1. TOOLS AND ENV
IDE : Spring Tool Suite 3.7.3
JDK : 1.8
Tomcat : 8.0.18
Spring : 4.2.6.RELEASE
2. POM.XML
spring-security-web and spring-security-config are added as dependencies.
3. SECURITY CONFIG
1. SecurityWebAppInitializer is equivalent to the following entries in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3. ServletInitializer adds SecurityConfig to the root configuration.
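The three Java-config classes this section describes, written out as an added example against the Spring Security 4.x API (this is not the post's own code; the package example.config and the WebMvcConfig class are assumptions, and the URL rules are illustrative):

```java
// Added example, not the post's code. Spring Security 4.x Java config.
// Package name, WebMvcConfig and the URL rules are assumptions.

// --- file: SecurityWebAppInitializer.java ---
package example.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// 1. Registers the "springSecurityFilterChain" DelegatingFilterProxy on /*,
//    which is exactly what the <filter>/<filter-mapping> entries in web.xml do.
public class SecurityWebAppInitializer extends AbstractSecurityWebApplicationInitializer {
}

// --- file: SecurityConfig.java ---
package example.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// 2. Declares who may reach which URL and where unauthenticated requests are sent.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/resources/**").permitAll() // login page and static assets
                .antMatchers("/admin/**").hasRole("ADMIN")          // ROLE_ADMIN required
                .anyRequest().authenticated()                       // everything else needs a login
                .and()
            .formLogin()
                .loginPage("/login")               // custom page; failures redirect to /login?error
                .defaultSuccessUrl("/")
                .and()
            .logout()
                .logoutUrl("/logout")              // POST only while CSRF protection is enabled
                .logoutSuccessUrl("/login?logout")
                .and()
            .csrf();                               // on by default in Java config; kept explicit
    }
    // Authentication (UserDetailsService + DaoAuthenticationProvider) is wired separately
    // through a global AuthenticationManagerBuilder configurer.
}

// --- file: ServletInitializer.java ---
package example.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// 3. Puts SecurityConfig in the root context so the filter chain applies to every servlet;
//    the MVC configuration lives in the DispatcherServlet's own context.
public class ServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { SecurityConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { WebMvcConfig.class }; // assumed: the project's @EnableWebMvc class
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}
```

The security filter chain must sit in the root context: if SecurityConfig were returned from getServletConfigClasses() instead, the DelegatingFilterProxy registered by SecurityWebAppInitializer would not find the springSecurityFilterChain bean and the application would fail to start.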
4. USER DETAILS SERVICE
DaoAuthenticationProvider uses the user details service to load the user account and then matches the stored password against the one submitted.
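An added example (not the post's code) of a UserDetailsService backed by two constructed sample accounts, together with the global configurer that plugs it into DaoAuthenticationProvider; the class names, the package example.security and the sample accounts are assumptions:

```java
// Added example, not the post's code. Class names, package and sample accounts are assumptions.

// --- file: AccountUserDetailsService.java ---
package example.security;

import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class AccountUserDetailsService implements UserDetailsService {

    // Constructed sample store: username -> { bcrypt hash, comma-separated roles }.
    // A real service would query a database; only the hash is stored, never the password.
    private final Map<String, String[]> accounts = new HashMap<>();

    @Autowired
    public AccountUserDetailsService(PasswordEncoder encoder) {
        accounts.put("alice", new String[] { encoder.encode("alice-secret"), "USER,ADMIN" });
        accounts.put("bob",   new String[] { encoder.encode("bob-secret"),   "USER" });
    }

    // DaoAuthenticationProvider calls this with the submitted username and then compares the
    // submitted password against getPassword() using the configured PasswordEncoder.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] row = accounts.get(username);
        if (row == null) {
            throw new UsernameNotFoundException("no such account"); // not shown to the client, see below
        }
        String[] roles = row[1].split(",");
        for (int i = 0; i < roles.length; i++) {
            roles[i] = "ROLE_" + roles[i]; // hasRole("USER") in SecurityConfig checks for ROLE_USER
        }
        return new User(username, row[0], AuthorityUtils.createAuthorityList(roles));
    }
}

// --- file: AuthenticationConfig.java ---
package example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AuthenticationConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // salted, slow hash; never the plaintext encoder
    }

    // @EnableWebSecurity turns on global authentication, so this @Autowired method is
    // invoked while the AuthenticationManager is being built.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                AccountUserDetailsService userDetailsService,
                                PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        // Default is true: an unknown username is reported as BadCredentialsException, the same
        // failure as a wrong password, so the login form does not reveal which accounts exist.
        provider.setHideUserNotFoundExceptions(true);
        auth.authenticationProvider(provider);
    }
}
```

The password encoder is set explicitly because in Spring Security 4.x DaoAuthenticationProvider otherwise falls back to plaintext comparison; with BCrypt the stored value is a hash and the provider's matches() call does the comparison.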
5. AUTHORIZATION CONTROLLER
Logout must be sent as a POST request; it is then handled by Spring Security, which clears the authentication context.
6. JSP AND JAVASCRIPT
The CSRF token is per session.
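An added example (not the post's code) covering sections 5 and 6 together: a controller that serves the login view, deliberately owns no logout handler, and exposes the session's CSRF token so page JavaScript can send it as a header. The class name, the package example.web, the view name and the JSON endpoint are assumptions, and the /csrf mapping assumes Jackson is on the classpath for @ResponseBody:

```java
// Added example, not the post's code. Class name, package, view name and /csrf endpoint are assumptions.
package example.web;

import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class AuthorizationController {

    // GET /login renders the custom page named by loginPage("/login") in SecurityConfig.
    // The POST to /login is consumed by UsernamePasswordAuthenticationFilter, so no
    // handler for it is written here.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(@RequestParam(value = "error", required = false) String error,
                        @RequestParam(value = "logout", required = false) String logout,
                        Model model) {
        if (error != null) {
            model.addAttribute("message", "Invalid username or password"); // one message for both failures
        }
        if (logout != null) {
            model.addAttribute("message", "You have been logged out");
        }
        return "login"; // resolved to /WEB-INF/views/login.jsp by an assumed view resolver
    }

    // Deliberately no @RequestMapping("/logout"): LogoutFilter handles POST /logout, invalidates
    // the session and clears the SecurityContext. While CSRF protection is enabled a GET /logout
    // is not matched by the filter, which is why the JSP logout control must be a POST form.

    // Exposes the current session's CSRF token for JavaScript callers. CsrfFilter stores the
    // token under the request attribute CsrfToken.class.getName(); the value stays the same
    // for the whole HTTP session, so a page can fetch it once and reuse it for XHR/fetch calls.
    @RequestMapping(value = "/csrf", method = RequestMethod.GET)
    @ResponseBody
    public Map<String, String> csrf(HttpServletRequest request) {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        Map<String, String> body = new LinkedHashMap<>();
        body.put("headerName", token.getHeaderName());       // "X-CSRF-TOKEN" by default
        body.put("parameterName", token.getParameterName()); // "_csrf" by default
        body.put("token", token.getToken());
        return body;
    }
}
```

In the JSP the logout control is a form with method="post" carrying a hidden input named ${_csrf.parameterName} with value ${_csrf.token}; JavaScript that calls the application with XHR or fetch reads /csrf once and adds the returned headerName/token pair to every state-changing request, otherwise CsrfFilter rejects the request with 403.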
7. RUN THE APPLICATION
Based on the log, when http://localhost:8080/04-spring-mvc-web-security/ is requested, no authenticated user with the proper role is detected, so the system routes the user to http://localhost:8080/04-spring-mvc-web-security/login as configured in the "SecurityConfig" class.
8. LOGIN SUCCESS
9. SOURCE CODE
https://github.com/junjun-dachi/spring-tutorials/tree/master/04-spring-mvc-web-security