云自無心水自閑

Recently I got a chance to work with Spring Security, formerly known as Acegi Security for Spring. While working with the framework, I heard comments from friends and colleagues saying that Spring Security lacks proper documentation, so I thought of sharing a little knowledge. By the way, this is my first ever blog posting, so kindly excuse me and let me know of any errors and improvements.

Spring Security offers simple, configuration-based security for your web applications, helping you secure a web application without littering your business logic with security code. It secures URLs based on roles (granted authorities) and secures your business methods based on ACLs.

The first step in hooking Spring Security into your web application is declaring the DelegatingFilterProxy in your web.xml. The filter name must match the name of the filter chain bean in your application context (springSecurityFilterChain is the conventional name), and the mapping should cover INCLUDE and FORWARD dispatches as well as REQUEST; otherwise a servlet or JSP that is not itself protected could forward to a protected resource without that request ever passing through the security filter chain.

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

If you want to externalize all of your security-related configuration into a separate file, you can do so and add that file to the contextConfigLocation context parameter:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/beans.xml, /WEB-INF/springSecurity.xml</param-value>
    </context-param>

Now comes the security configuration for your application. Adding the URL security patterns is simple and straightforward: list all the URL patterns you want to secure and add the wildcard pattern at the end. Patterns are evaluated in order and the first match wins, so the wildcard must be the last entry or it will shadow every more specific rule placed after it. You also need a default principal and role for users who are not logged in (the anonymous user), because pages such as login, register and forgot-password must be reachable before anyone has authenticated. I tried to add comments to pretty much every element I am using here. As an example I added just a wildcard intercept-url, which makes every page of my application secure; you need to exclude the different URLs based on the roles.
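The security context file itself did not survive on this page, so the following is an added, bean-style Spring Security 2.0 configuration (written for this edit, not the author's springSecurity.xml) that shows how the pieces described in this post fit together: a FilterChainProxy registered under the springSecurityFilterChain name that web.xml refers to, the anonymous filter that gives non-logged-in users ROLE_ANONYMOUS, an ordered set of intercept patterns with the public pages first and the wildcard last, and the CustomAuthenticationEntryPoint and CustomAuthunticationManager classes defined later in the post. The package name com.example.security, the page URLs, the role names, the anonymous key and the failure/target URLs are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the post's own springSecurity.xml): Spring Security 2.0
     bean-style configuration wiring the custom classes from this post. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- Needed so that the @Autowired field in CustomAuthunticationManager is injected. -->
  <context:annotation-config/>

  <!-- Bean name must equal the filter-name given to DelegatingFilterProxy in web.xml.
       Filter order matters: the session filter first, the security interceptor last. -->
  <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
      <security:filter-chain pattern="/**"
          filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
    </security:filter-chain-map>
  </bean>

  <!-- Stores and restores the SecurityContext in the HTTP session between requests. -->
  <bean id="httpSessionContextIntegrationFilter"
        class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>

  <!-- Handles /j_spring_security_logout: clears the security context, then redirects to /. -->
  <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
    <constructor-arg value="/"/>
    <constructor-arg>
      <list>
        <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
      </list>
    </constructor-arg>
  </bean>

  <!-- Processes the login form POST to /j_spring_security_check (j_username / j_password)
       and hands the unauthenticated token to the custom AuthenticationManager. -->
  <bean id="authenticationProcessingFilter"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="customAuthenticationManager"/>
    <property name="authenticationFailureUrl" value="/login.jsp?error=1"/>   <!-- assumed URL -->
    <property name="defaultTargetUrl" value="/"/>                            <!-- assumed URL -->
  </bean>

  <!-- Gives every request that is still unauthenticated the anonymous principal, so that
       intercept patterns can grant ROLE_ANONYMOUS to the login/register/forgot-password pages. -->
  <bean id="anonymousProcessingFilter"
        class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="changeThisAnonymousKey"/>   <!-- assumed value; make it unique per deployment -->
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
  </bean>

  <!-- Sends unauthenticated users to the login page via the custom entry point; an
       AccessDeniedException for an authenticated user becomes a 403 by default. -->
  <bean id="exceptionTranslationFilter"
        class="org.springframework.security.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="customAuthenticationEntryPoint"/>
  </bean>

  <!-- URL authorization. Patterns are evaluated top to bottom and the first match wins,
       so the public pages come first and the /** catch-all must stay last. The trailing *
       on the page patterns also covers a query string, which is part of the matched URL.
       Request URLs are lower-cased before comparison, so the patterns are lower case. -->
  <bean id="filterSecurityInterceptor"
        class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="customAuthenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /login.jsp*=ROLE_ANONYMOUS,ROLE_USER
        /register.jsp*=ROLE_ANONYMOUS,ROLE_USER
        /forgotpassword.jsp*=ROLE_ANONYMOUS,ROLE_USER
        /admin/**=ROLE_ADMIN
        /**=ROLE_USER
      </value>
    </property>
  </bean>

  <!-- Grants access if any voter says yes; RoleVoter votes on ROLE_-prefixed attributes
       and access is denied when every voter abstains. -->
  <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="decisionVoters">
      <list>
        <bean class="org.springframework.security.vote.RoleVoter"/>
      </list>
    </property>
  </bean>

  <!-- The two custom classes from this post; the package name is assumed. -->
  <bean id="customAuthenticationEntryPoint" class="com.example.security.CustomAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.jsp"/>
  </bean>
  <bean id="customAuthenticationManager" class="com.example.security.CustomAuthunticationManager"/>
</beans>
```

A quick way to check the ordering rule is to swap the /** line above the /login.jsp* line and restart: every request, including the login page itself, then redirects to the login page in a loop, because the catch-all matches first and the anonymous user does not hold ROLE_USER.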
Following is my custom implementation of AuthenticationEntryPoint. Currently it does nothing except delegate commence to its superclass, Spring's AuthenticationProcessingFilterEntryPoint, which redirects the user to the configured login form URL. I hooked it in so that custom logic can be added there.

    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint;

    public class CustomAuthenticationEntryPoint extends AuthenticationProcessingFilterEntryPoint {

        private static final Log logger = LogFactory.getLog(CustomAuthenticationEntryPoint.class);

        // Called by ExceptionTranslationFilter when an unauthenticated request reaches a
        // secured URL. The superclass redirects to loginFormUrl; this override is the hook
        // for custom logic (logging, choosing a different login page, and so on).
        @Override
        public void commence(ServletRequest request, ServletResponse response,
                             AuthenticationException authException) throws IOException, ServletException {
            super.commence(request, response, authException);
        }
    }

This is my custom authentication manager, which actually does the custom login of the user. It throws a BadCredentialsException in case of invalid credentials, or an AuthenticationServiceException in case of a service error (database error, SQL error or any other error). The distinction matters: the processing filter treats both as a failed login and stores the exception in the session, but keeping them separate lets the failure page and the logs tell a wrong password apart from a broken backend. Keep the message attached to BadCredentialsException generic so that the response does not reveal whether the username exists.

    import java.util.List;

    import org.apache.commons.lang.StringUtils;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.AuthenticationManager;
    import org.springframework.security.AuthenticationServiceException;
    import org.springframework.security.BadCredentialsException;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.GrantedAuthorityImpl;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

    public class CustomAuthunticationManager implements AuthenticationManager {

        // Application service that looks up a user by username and password
        // (UserManagerService, User, Role and InvalidCredentialsException are application classes).
        @Autowired
        UserManagerService userManagerService;

        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            // The processing filter passes an unauthenticated UsernamePasswordAuthenticationToken
            // whose principal is the j_username value and whose credentials are the j_password value.
            String username = (String) authentication.getPrincipal();
            String password = (String) authentication.getCredentials();
            if (StringUtils.isBlank(username) || StringUtils.isBlank(password)) {
                throw new BadCredentialsException("Invalid username/password");
            }

            User user = null;
            try {
                user = userManagerService.getUser(username, password);
            } catch (InvalidCredentialsException ex) {
                throw new BadCredentialsException(ex.getMessage());
            } catch (Exception e) {
                // Database, SQL or any other failure: report a service error, not bad credentials.
                throw new AuthenticationServiceException("Currently we are unable to process your request. Kindly try again later.");
            }
            if (user == null) {
                throw new BadCredentialsException("Invalid username/password");
            }

            // Map the application's roles onto Spring Security authorities; the role code is
            // what the intercept-url patterns refer to (for example ROLE_USER).
            List<Role> roles = user.getAssociatedRoles();
            GrantedAuthority[] grantedAuthorities = new GrantedAuthority[roles.size()];
            for (int i = 0; i < roles.size(); i++) {
                Role role = roles.get(i);
                grantedAuthorities[i] = new GrantedAuthorityImpl(role.getRoleCode());
            }

            // This three-argument constructor marks the returned token as authenticated.
            return new UsernamePasswordAuthenticationToken(user, authentication.getCredentials(), grantedAuthorities);
        }
    }

On the client side (JSP), the only thing you need is a form that POSTs to "/j_spring_security_check" with the parameters "j_username" and "j_password"; AuthenticationProcessingFilter picks the request up from there and calls the authentication manager above. That's pretty much all you need to do to enable Spring Security in your existing web application. I will try to explain method security using ACLs and configuring the view using the Spring Security tags in another post.
