Spring security offers a simple configuration based security for your web applications helping you secure your web application with out littering your business logic with any security code. It provides securing URL's based on the Role (Authorities), securing your business methods based on the ACL's.
The first step in hooking up the spring security to your web application is by specifying the DelegatingFilterProxy in your web.xml.
- <!--Spring security filter-->
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- </filter
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- <dispatcher>REQUEST</dispatcher>
- <dispatcher>INCLUDE</dispatcher>
- <dispatcher>FORWARD</dispatcher>
- </filter-mapping>
- <!--End spring security filter-->
If you want to externalize all of your security related configuration into a separate file, you can do so and add that to your context location param.
- <context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>
- /WEB-INF/beans.xml , /WEB-INF/springSecurity.xml </param-value>
- </context-param>
Now comes the part of security configuration for your application, Adding the URL security patterns is pretty simple and straight forward. Add all the URL patterns which you want to secure and add the wild card pattern at the end. You need to have some default principal and role even for non logged in users as you need to give access to pages like log in, register and forgot password kind of functionality even to non logged in users.
I tried to add comments to pretty much every element which I am using here.
As an example I added just a wild card intercept url which make every page of my application secure. You need to exclude different urls based on the roles.
- <security:http entry-point-ref="myAuthenticationEntryPoint" session-fixation-protection="newSession" >
- <!--add any of your cusotom url patterns to protect-->
- <security:intercept-url pattern="/login/**" access="ROLE_ANONYMOUS"/>
- <security:intercept-url pattern="/register/**" access="ROLE_ANONYMOUS"/>
- <security:intercept-url pattern="/**" access="ROLE_USER"/>
- <security:logout logout-success-url="/home.htm"/>
- <security:anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
- </security:http>
- <!--name of my authenticationManager is authenticationManager-->
- <security:authentication-manager alias="authenticationManager"/>
- <!--Cutom login filter which replaces the default AUTHENTICATION_PROCESSING_FILTER -->
- <bean id="customizedFormLoginFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" >
- <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/><!--replace the default one-->
- <property name="defaultTargetUrl" value="/main.htm"/><!--After a successful login, the user will be taken to this page-->
- <property name="authenticationFailureUrl" value="/home.htm?error=true" /><!--Authentication failed? take him to error page-->
- <property name="authenticationManager" ref="myAuthenticationManager"/> <!--Here it is the custom authenticationManager, login magic goes here -->
- <property name="allowSessionCreation" value="true" /> <!--Allow the application to create sessions-->
- </bean>
- <!--My custom auth manager-->
- <bean id="myAuthenticationManager" class="com.teja.security.CustomAuthunticationManager" />
- <!-- Automatically receives AuthenticationEvent messages -->
- <bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
- <!--My authuntication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
- <bean id="myAuthenticationEntryPoint"
- class="com.teja.security.CustomAuthenticationEntryPoint" >
- <property name="loginFormUrl" value="/home.htm"/>
- </bean>
Following is my custom implementation of AuthenticationEntryPoint, which currently is not doing any thing except leveraging the commence to its super class which is the spring implementation of AuthenticationProcessingFilterEntryPoint. I hooked it to add any custom logic.
- public class CustomAuthenticationEntryPoint extends AuthenticationProcessingFilterEntryPoint {
- private static final Log logger = LogFactory.getLog(CustomAuthenticationEntryPoint.class);
- @Override
- public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException {
- super.commence(request, response, authException);
- }
- }
This is my custom authentication manager which actually does the custom login of the user. It will throw an BadCredentialsException in case of invalid credentials or thorws a AuthenticationServiceException in case of a service error (Database error, SQL error or any other error).
- public class CustomAuthunticationManager implements AuthenticationManager {
- @Autowired
- UserManagerService userManagerService;
- throw new BadCredentialsException("Invalid username/password");
- }
- User user = null;
- GrantedAuthority[] grantedAuthorities = null;
- try{
- }
- catch(InvalidCredentialsException ex){
- throw new BadCredentialsException(ex.getMessage());
- }
- throw new AuthenticationServiceException("Currently we are unable to process your request. Kindly try again later.");
- }
- if (user != null) {
- List<Role> roles = user.getAssociatedRoles();
- grantedAuthorities = new GrantedAuthority[roles.size()];
- for (int i = 0; i < roles.size(); i++) {
- Role role = roles.get(i);
- GrantedAuthority authority = new GrantedAuthorityImpl(role.getRoleCode());
- grantedAuthorities[i] = authority;
- }
- }
- else{
- throw new BadCredentialsException("Invalid username/password");
- }
- return new UsernamePasswordAuthenticationToken(user, authentication.getCredentials(), grantedAuthorities);
- }
- }
At the client side (jsp), the simple configuration you need to do is post the request to"/j_spring_security_check" with parameters "j_username" and "j_password".
That's pretty much all you need to do for enabling spring security to your existing web application. I will try to explain about doing the method security using ACL's and configuring the view using spring security tags in another post.
29 comments:
Nice. Very helpful. Thanks for posting this!
Thanks for a great example of a custom authentication manager!
It's really helpful but I have an understanding problem. If I try to setup a solution like yours I will get the error that no authentication-provider is defined in my xml-file. Did you leave the part out? Because that would be interesting for me.
Nothing was missed. If you can give me the exact error you are facing, I will try to help you solve the problem
Hello Teja,
Thanks for good article.
I'm trying to implement authentication without form login. I tried to implement my own EntryPoint, AuthenticationProvider, etc., but it is not working. Have You ever tried to implement something similar? Will be very grateful for any useful links or examples. Thanks once more.
Teja,
I am getting error for UserManagerService and Role can you tell me the class implementation or it is a spring security class
UserManagerService is a custom service which will fetch the user and roles by username and password. Role is my cusom object which finally endedup being a GrantedAutority which is a spring impl.
http://static.springframework.org/spring-security/site/apidocs/org/springframework/security/ui/AbstractProcessingFilter.html is also helpful in understanding the http security.
hello teja,
i try to implement my own custom authentication Manager based on your example code, but faceing this problem:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: No authentication providers were found in the application context
??? i have listed the authentication Manager the way you shown. Or is it a namespace problem and my bean-tag is not recognized by the security app? thanks for your help and time...
hi teja,
i am getting springcontextholder object null and authentication null. can you help me out!
Hi Teja, I use your example but have loop redirect starting my application, have you any idea what the problem is?
Nice straightforward example and very helpful. Thanks!
While I have been able to customize the JasperServer to use existing iBatis/Struts infrastructure and integrate authentication using existing app, there is one thorn.
How can I change the login page to accept another field? Say I want user to enter Domain in addition to username and password. And use the three to authenticate and eventually show reports. I have been able to write my custom Dao that validates jasper user from my DB, but how do I get new attribute - domain to reach my Dao, so that it can be used to authenticate the user?
While customizing the login page to accept additional fields is straightforward - you just need to modify login.jsp and make it your login page - making the new values reach \'some Java handler\' is an issue.
Appreciate inputs on this.
Nicely covered all the details
Thanks
SN
Hi all,
I wonder what is the implementation for org.springframework.security.ui.webapp.AuthenticationProcessingFilter?
I tried this example in my project using Spring security 3 and the server complains on during start up as the class cannot be found? Does anyone know what I am missing?
Thanks
Hi Teja,
This example is very nice.Could you please post rest of the implementaion calless also.Thanks in Advance.
Regards,
Raju k
I am very new to this kind of stuff.Please help to post all the classes you implemented.
Thanks,
Raju k
I tried this code but spring is complaining about list of providers.
Property 'providers' threw exception; nested exception is java.lang.IllegalArgumentException: A list of AuthenticationProviders is required
how can i fix this..tnx
Hi Teja can we make the custom authentication to use user id and password instead of user name... we have that requirement in our applciation please help me
Hi,
Is it possible to show an example using a pre-authentication scenario, where a user is already authenticated by another system (e.g. SiteMinder) and we only want to use Spring security to get the authentication details from the http request header ?
Thanks,
EDH
The problem with this post is the same problem with a lot of documentation and probably the issue your colleagues were referring to when they complained about the spring documentation. You don't explain how all these pieces work in unison to achieve the goal. In fact, you don't even explain what the specific goal of the code is. You just show us each individual piece and it's up to us to infer the rest. It's like looking at a picture with a magnifying glass. You can see each little piece clearly, but you can't see the big picture without lots of mental gymnastics. I appreciate the post and I'm not trying to be harsh. It's just hard and time consuming to properly relay complex information.
To solution the error:
java.lang.IllegalArgumentException: No authentication providers were found in the application context.
You should add the tag <custom-authentication-provider> in the bean definition myAuthenticationManager.
Could your page be any slimmer?
Hi
Can somebody tell me how to use spring security for any OS(Linux/Windows)authentication? Please reply asap.
Thanks,
AP
Very very nice article on spring security.
I would be very grateful if you can provide Tag definitions as well.
like -
what do u mean by "access" attribute in above tab etc.
Else every thing is great
very nice article. To read more on spring security, you can refer to these link
Spring Security 3 – Form Login and Logout Tutorial
Spring Security 3 – MVC integration Tutorial
To read in detail, browse this link Spring Security login example using database
Post a Comment