About Eugen Paraschiv
1. Introduction
This article is goint to focus on Login with Spring Security. We’re going to built on top of the simple Spring MVC example, as Spring MVC is a necessary part of setting up the login mechanism.
2. The Maven Dependencies
To add Maven dependencies to the project, please see the Spring Security with Maven article. Both standard spring-security-web and spring-security-config will be required.
3. The web.xml
The Spring Security configuration in the web.xml is simple – only anadditional filter added to the standard Spring MVC web.xml:
<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>Spring Secured Application</display-name> <!-- Spring MVC --> <servlet> <servlet-name>mvc</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>mvc</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <context-param> <param-name>contextClass</param-name> <param-value> org.springframework.web.context.support.AnnotationConfigWebApplicationContext </param-value> </context-param> <context-param> <param-name>contextConfigLocation</param-name> <param-value>org.baeldung.spring.web.config</param-value> </context-param> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <!-- Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping></web-app>
The filter – DelegatingFilterProxy – simply delegates to a Spring managed bean – the FilterChainProxy – which itself is able to benefit from full Spring bean lifecycle management and such.
2. The Spring Security configuration
The Spring configuration is mostly written in Java, but Spring Security configuraiton doesn’t yet support full Java and still needs to be XML for the most part. There is an ongoing effort to add Java based configuration for Spring Security, but this is not yet mature.
The XML config file is imported as a resource via Java based configuration:
@Configuration@ImportResource({ "classpath:webSecurityConfig.xml" })public class SecSecurityConfig { public SecSecurityConfig() { super(); }} The Spring Security XML Configuration – webSecurityConfig.xml:
<?xml version="1.0" encoding="UTF-8"?><beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xsi:schemaLocation="http://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spring-security-3.1.xsdhttp://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd"> <http use-expressions="true"> <intercept-url pattern="/login*" access="isAnonymous()" /> <intercept-url pattern="/**" access="isAuthenticated()"/> <form-login login-page='/login.html' default-target-url="/homepage.html" authentication-failure-url="/login.html?error=true" /> <logout logout-success-url="/login.html" /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="user1" password="user1Pass" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager></beans:beans>
2.1. <intercept-url>
We are allowing anonymous access on /login so that users can authenticate. We are also securing everything else.
Note that the order of the <intercept-url> element is significant – the more specific rules need to come first, followed by the more general ones.
2.2. <form-login>
- login-page – the custom login page
- default-target-url – the landing page after a successful login
- authentication-failure-url – the landing page after an unsuccessful login
2.3. <logout>
The <logout> element is simply configured to go back to the login page.
2.4. <authentication-manager>
The Authenticaiton Provider is backed by a simple, in-memory implementation – InMemoryUserDetailsManager specifically – configured in plain text. This only exists in Spring 3.1 and above and is meant to be used for rapid prototyping when a full persistence mechanism is not yet necessary.
3. The Login Form
The login form page is going to be registered with Spring MVC using the straightforward mechainism to map views names to URLs with no need for an explicit controller in between:
registry.addViewController("/login.html"); This of course corresponds to the login.jsp:
<html><head></head><body> <h1>Login</h1> <form name='f' action="j_spring_security_check" method='POST'> <table> <tr> <td>User:</td> <td><input type='text' name='j_username' value=''></td> </tr> <tr> <td>Password:</td> <td><input type='password' name='j_password' /></td> </tr> <tr> <td><input name="submit" type="submit" value="submit" /></td> </tr> </table> </form></body></html>
The login form has the following relevant artifacts:
- j_spring_security_check – the URL where the form is POSTed to trigger the authentication process
- j_username – the user name
- j_password – the password
4. Configuring Login Further
We briefly discussed a few configurations of the login mechanism when we introduced the Spring Security XML Configuration above – let’s go into some detail now.
One reason to override most of the defaults in Spring Security is to hide the fact that the application is secured with Spring Security and minimize the information a potential atacker knows about the application.
Fully configured, the <form-login> element looks like this:
<form-login login-page='/login.html' login-processing-url="/perform_login" default-target-url="/homepage.html" authentication-failure-url="/login.html?error=true" always-use-default-target="true"/>
4.1. The Login page
The custom login page is configured via the login-page attribute on <form-login>:
login-page='/login.html'
If this is not specified, a default URL is used – spring_security_login – and Spring Security will generate a very basic Login Form at that URL.
4.2. The POST URL for Login
The default URL where the Login Form will POST to trigger the authentication process in Spring Security is /j_spring_security_check.
This can be overriden via the login-processing-url attribute on <form-login>:
login-processing-url="/perform_login"
4.3. The Landing page on Success
After a successfull Login process, the user is redirected to a page – which by default is the root of the web application.
This can be overridden via the default-target-url attribute on <form-login>:
default-target-url="/homepage.html"
In case the always-use-default-target is set to true, then the user is allways redirected to this page. If that attribute is set to false, then the user will be redirected to the previous page they wanted to visit before being promoted to authenticate.
4.4. The Landing page on Failure
Same as with the Login Page, the Login Failure Page is autogenerated by Spring Security at /spring_security_login?login_error by default.
This can be overridden via the authentication-failure-url attribute on <form-login>:
authentication-failure-url="/login.html?error=true"
5. Conclusion
In this example we configured a Login with Spring Security, disussing the Login Form and the Security Configuration.
The implementation of this simple Spring Security Login tutorial can be found in the github project – this is an Eclipse based project, so it should be easy to import and run as it is.
When the project runs locally, the sample html can be accessed at: http://localhost:8080/spring-security-login/login.html
Source : http://www.javacodegeeks.com/2013/05/spring-security-login.html
