Simple Spring Security example-Basic Authentication Provider | JavaInUse

Simple Spring Security example using Basic Authentication Provider



Quite often we need to authenticate a user before they can access pages built with Spring MVC. This can be done in a number of ways. One option is the security section of web.xml, where roles are defined. However, part of that approach depends on the application server in use: Tomcat, for example, checks that the submitted username and password match a user entry in tomcat-users.xml. So the configuration has to be redone for each application server, and even when only one application server is used, it has to be repeated on every instance of that server. With Spring Security authentication this is not the case: because Spring Security ships inside the war file, it is independent of the application server.
To illustrate this we will use this simple Spring MVC project. The project displays a list of employees when the URL viewAllEmployees.do is requested. Because this URL is protected, a browser that requests it while unauthenticated is shown a login popup asking for a username and password.

Let's begin-

Our project structure will be as follows-

To the pom.xml add the Spring Security dependencies-
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.test</groupId>
	<artifactId>employee-management-system</artifactId>
	<packaging>war</packaging>
	<version>0.0.1-SNAPSHOT</version>
	<name>employee-management-system Maven Webapp</name>
	<url>http://maven.apache.org</url>

	<properties>
		<spring.security.version>3.2.0.RELEASE</spring.security.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>3.8.1</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-context</artifactId>
			<version>4.0.5.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>4.0.5.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>jstl</artifactId>
			<version>1.2</version>
		</dependency>
		
		<!-- Spring Security: all three artifacts share the version declared in <properties> -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${spring.security.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${spring.security.version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${spring.security.version}</version>
		</dependency>
	</dependencies>
	<build>
		<finalName>employee-management-system</finalName>
		<plugins>
			<plugin>
				<groupId>org.apache.tomcat.maven</groupId>
				<artifactId>tomcat7-maven-plugin</artifactId>
				<version>2.2</version>
			</plugin>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-war-plugin</artifactId>
				<version>2.4</version>
			</plugin>
		</plugins>
	</build>
</project>
		


In security-config.xml we specify the URLs to be intercepted. We could instruct it to intercept all URLs; currently only /viewAllEmployees.do is intercepted, and access to it requires ROLE_USER. For authentication we have hard-coded users and roles: user-service defines in-memory usernames, passwords and authorities as follows-
		
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xsi:schemaLocation="
		http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security.xsd">

	<!-- Only this URL is protected; any authenticated user holding ROLE_USER may access it -->
	<http auto-config="true" use-expressions="true">
		<intercept-url pattern="/viewAllEmployees.do" access="hasRole('ROLE_USER')"/>
		<http-basic/>
	</http>

	<!-- In-memory users and their authorities -->
	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="javainuse" password="password" authorities="ROLE_USER,ROLE_ADMIN"/>
				<user name="test" password="password" authorities="ROLE_USER"/>
			</user-service>
		</authentication-provider>
	</authentication-manager>

</beans:beans>
		

In web.xml we add the DelegatingFilterProxy, a proxy filter that hands every request matching its url-pattern to the Spring Security filter chain bean (springSecurityFilterChain). With the pattern /* all URLs pass through this filter; whether a given URL is then actually protected is decided by the intercept-url rules in security-config.xml.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	version="2.5">

	<!-- Configure the Dispatcher Servlet -->
	<servlet>
		<servlet-name>Dispatcher</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<!-- Route incoming requests matching the .do pattern to the Dispatcher Servlet -->
	<servlet-mapping>
		<servlet-name>Dispatcher</servlet-name>
		<url-pattern>*.do</url-pattern>
	</servlet-mapping>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/Dispatcher-servlet.xml, /WEB-INF/security-config.xml</param-value>
	</context-param>
	
	<!-- Spring Security -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	
</web-app>
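As an added illustration, not code from the original post, the following Python model walks through what the two XML files above set up: every request passes through the filter (the /* mapping in web.xml), only the path named in intercept-url is protected, a request with missing or invalid Basic credentials receives the 401 challenge that makes the browser show the popup, and an authenticated user is then checked for ROLE_USER. The user entries and protected path are constructed copies of the security-config.xml values; the realm string and the function names are assumptions.

```python
import base64
import hmac

# Constructed stand-in for the <user-service> entries in security-config.xml.
USERS = {
    "javainuse": {"password": "password", "authorities": {"ROLE_USER", "ROLE_ADMIN"}},
    "test": {"password": "password", "authorities": {"ROLE_USER"}},
}
# Constructed stand-in for <intercept-url pattern="..." access="hasRole('...')"/>.
INTERCEPT_URLS = [("/viewAllEmployees.do", "ROLE_USER")]

def parse_basic(header):
    """Return (username, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials supplied
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def authenticate(creds):
    """Check credentials against the in-memory store; return the authorities or None."""
    if creds is None:
        return None
    username, password = creds
    user = USERS.get(username)
    # Constant-time compare, run even for unknown users, so timing does not leak usernames.
    expected = user["password"] if user else ""
    return user["authorities"] if user and hmac.compare_digest(expected.encode(), password.encode()) else None

def handle(path, auth_header=None):
    """Mimic the filter chain: return (status, headers) for a request to `path`."""
    required = next((role for pat, role in INTERCEPT_URLS if pat == path), None)
    if required is None:
        return 200, {}  # no <intercept-url> matches, so the request passes straight through
    authorities = authenticate(parse_basic(auth_header))
    if authorities is None:
        # Missing or bad credentials: the 401 challenge is what makes the browser show the popup
        return 401, {"WWW-Authenticate": 'Basic realm="Spring Security Application"'}  # assumed realm
    if required not in authorities:
        return 403, {}  # authenticated, but hasRole() fails
    return 200, {}

def basic_header(username, password):
    # Build the header a browser sends once the user has filled in the popup
    return "Basic " + base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
```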
Now deploy the application on Tomcat and open-
http://localhost:8080/employee-management-system/viewAllEmployees.do
As only a user having the role ROLE_USER can view this page, the browser prompts for credentials. Enter
username javainuse and password password, or
username test and password password.
