Spring Security

Sunday, August 27, 2017 11:32 AM

Spring Security provides comprehensive security services for J2EE-based enterprise software application. It is powerful , flexible and
pluggable.

Spring supports majorly two operations.

1. Authentication
2. Authorization

Authentication (Prove who you say you are!) - process of establishing a principal.

Authorization (We know who you are but are you allowed to access what you want) - process of deciding whether a principal is allowed
to perform an action (admin,leader,member)

DelegatingFilterProxy:

Step 1: Register springSecurityFilterChain with war file

-> DelegatingFilterProxy is an implementaion of the javax.servlet.Filter which is provided by Spring Framework.

-> Once you define DelegatingFilterProxy in web.xml, you can declare the actual beans that do the filtering in actual spring
application.

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.spring.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>

Step 2: Add Spring Security File in war file.

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<http auto-config="true" >

<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/home" access="permitAll" />
<intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
<intercept-url pattern="/dba**" access="hasRole('ADMIN') and hasRole('DBA')" />
<form-login authentication-failure-url="/Access_Denied" />
</http>

<authentication-manager >
<authentication-provider>

SpringSecurity Page 1
 <authentication-provider>
<user-service>
<user name="bill" password="abc123" authorities="ROLE_USER" />
<user name="admin" password="root123" authorities="ROLE_ADMIN" />
<user name="dba" password="root123" authorities="ROLE_ADMIN,ROLE_DBA" />
</user-service>
</authentication-provider>
</authentication-manager>

</beans:beans>

Step 3 : Add the following spring security libraries to project build path.

1. spring-security-config-4.X.RELEASE.jar
2. spring-security-core-4.X.RELEASE.jar
3. spring-security-web-4.X.RELEASE.jar

Graphical Representation of Filter Proxy:

Spring Security Architecture:

Filter

SpringSecurity Page 2
Development steps:

1. Configure DelegatingFilterProxy in web.xml

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-clas>org.sf.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-patter>/</url-patter>
</filter-mapping>

Annotation approach

public class SecurityWebAppInit extends AbstractSecurityWebApplicationInitializer

{
}
2. Develop spring security file

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<http auto-config="true" >

<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/home" access="permitAll" />
<intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
<intercept-url pattern="/dba**" access="hasRole('ADMIN') and hasRole('DBA')" />
<form-login authentication-failure-url="/Access_Denied" />
</http>

<authentication-manager >
<authentication-provider>
<user-service>
<user name="bill" password="abc123" authorities="ROLE_USER" />
<user name="admin" password="root123" authorities="ROLE_ADMIN" />
<user name="dba" password="root123" authorities="ROLE_ADMIN,ROLE_DBA" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

Annotation Approach :

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("abc").password("abc").roles("USER");
auth.inMemoryAuthentication().withUser("dba").password("dba").roles("DBA");
auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
}

public void configure(HttpSecurity http) throws Exception {

http.authorizeRequests().antMatchers("/", "/home").permitAll().antMatchers("/dba**").access("hasRole('DBA)")
.antMatchers("/admin**").access("hasRole('ADMIN')");
}
}

Step 3: Configure DispatcherServlet in web.xml

Step 4: Develop Spring Configuration file to define Controller, ViewResolvers.

SpringSecurity Page 3
 Filter

Filter

Filter

Dispatcher Servlet Authentication Security

Manager Context

Controller Controller Controller

Delegates

Contains
UserDetailService

User Information
Loads UserDetails

Granted Authorities

SpringSecurity Page 4