Monday, 10 July 2017

Spring MVC Java Config : Part 4 Spring Security for Web Application

There are two main areas for application securities :    Authentication: Process of checking the user, who they claim to be.    
Authorization: Process of deciding whether an user is allowed to perform an activity within the application.



Spring security supports more then 20 Models for authentication :     
X.509 client certificate exchange     
LDAP Authentication     
OpenID authentication     
Java Open Source Single Sign On
......



1. TOOLS AND ENV

IDE : Spring Tool Suite 3.7.3 JDK : 
1.8 Tomcat : 8.0.18 
Spring : 4.2.6.RELEASE




2. POM.XML


spring-security-web and spring-security-config added



3. SECURITY CONFIG





1. SecurityWebAppInitializer equals below line in web.xml
<filter>
     <filter-name>springSecurityFilterChain</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
     <filter-name>springSecurityFilterChain</filter-name>
     <url-pattern>/*</url-pattern>
</filter-mapping>
2. SecurityConfig contains all the security related configurations
3. ServletInitializer to add SecurityConfig to root configuration



 4. USER DETAILS SERVICE



DaoAuthenticationProvider would use user details service to load user account and match with given password.




5. AUTHORIZATION CONTROLLER



logout must be POST then it would be registered to spring security to clear authorization context.





6. JSP AND JAVASCRIPT



CSRF token is per session.








7. RUN THE APPLICATION

Based on the log , when http://localhost:8080/04-spring-mvc-web-security/ is requested , no user has proper role detected , so system route user to http://localhost:8080/04-spring-mvc-web-security/login as configured in "SecurityConfig" class.







8. LOGIN SUCCESS





9. SOURCE CODE

https://github.com/junjun-dachi/spring-tutorials/tree/master/04-spring-mvc-web-security





Reference :

1. http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html
2. https://spring.io/blog/2013/07/04/spring-security-java-config-preview-method-security/
3. https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/
4. http://stackoverflow.com/questions/25276152/spring-security-java-config-custom-authenticationprovider-and-userdetailsservi
5. http://stackoverflow.com/questions/22453550/custom-authentication-provider-not-being-called







No comments:

Post a Comment

Flag Counter