Review
In the previous section, we implemented the Java classes and organized them accordingly: domain, repository, service, and controller. In this section, we will create the necessary configuration files, which are mainly XML files, and discuss them thoroughly.
Table of Contents
Part 1: Introduction and Functional Specs
Part 2: Java classes
Part 3: XML configuration
Part 4: HTML Files
Part 5: Running the Application
Configuration
There are two important configuration files required to secure our application with Spring Security:
- spring-security.xml (arbitrary name)
- web.xml
spring-security.xml
This contains the core Spring Security configuration.
Let's examine the contents of this file further:
the http tag
This means the path /resources should be ignored by Spring Security; therefore it will not be secured. Why do you want to do this? Mainly because these are static images, CSS, and JavaScript files that don't need to be secured.
the second http tag
This contains the core security rules of our application. In previous versions of Spring Security, you were only allowed to have one http element.
- auto-config is a shorthand for the following (see more):
- use-expressions enables support for SpEL (Spring EL expressions) (see more)
intercept urls
Here we declare the URL patterns to be protected. Notice the use of the SpEL expressions hasRole and permitAll (see more)
form login
This declares our login settings:
- login-page: the URL path of our login page
- authentication-failure-url: the URL where a user will be redirected after a failed login
- default-target-url: the URL where a user will be redirected after a successful login
denied handler
This declares the URL where a user will be redirected when access is denied.
logout
This is similar to the login element.
- logout-success-url: the URL where a user will be redirected after a successful logout
- logout-url: the URL path of our logout page
authentication manager
- authentication-manager: registers an AuthenticationManager that provides authentication services (see more)
- authentication-provider: this is a shorthand for configuring a DaoAuthenticationProvider which loads user information from a UserDetailsService (see more)
- user-service-ref: this allows us to declare a custom UserDetailsService
- password-encoder: this allows us to declare various password encoders such as md5 and sha (see more)
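The elements walked through above, assembled into one file as an added example (not the tutorial's original listing). It assumes the Spring Security 3.1 schema; the URL paths and the bcryptEncoder bean id are illustrative assumptions, and the md5 encoder is shown beside a bcrypt alternative:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- First http tag: no security filters at all for static files.
         Nothing under this path may serve per-user or sensitive data. -->
    <http pattern="/resources/**" security="none"/>

    <!-- Second http tag: the actual rules. Patterns are matched top to
         bottom and the first match wins, so the catch-all goes last.
         All paths below are assumed for illustration. -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

        <form-login login-page="/login"
            authentication-failure-url="/login?error"
            default-target-url="/"/>
        <access-denied-handler error-page="/denied"/>
        <logout logout-url="/logout" logout-success-url="/login"/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="customUserDetailsService">
            <!-- Weak setting: unsalted MD5 is cheap to brute-force offline.
                 <password-encoder hash="md5"/> -->
            <!-- Corrected setting: salted, adaptive bcrypt. Existing stored
                 hashes must be re-created with the same encoder. -->
            <password-encoder ref="bcryptEncoder"/>
        </authentication-provider>
    </authentication-manager>

    <!-- Hypothetical bean id; the class ships with Spring Security 3.1+ -->
    <beans:bean id="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans:beans>
```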
web.xml
Besides the usual servlet declaration, the web.xml is where you declare the Spring Security filter and the name of the configuration file to read from.
To enable Spring Security, follow these guidelines:
- Add a DelegatingFilterProxy
- Add a springSecurityFilterChain mapping
- Add a contextConfigLocation. You must declare your applicationContext.xml and spring-security.xml here.
Here's our complete web.xml file:
Datasource
Since we're using JPA and Spring Data JPA to simplify data access, we must also declare the corresponding configuration files. Please read the inline comments for more info.
spring-data.xml
This contains all datasource-related configuration.
Next
In the next section, we will turn our attention towards the view layer which mainly consists of JSP files. Click here to proceed.
Hi I have a question.
Where is the applicationContext.xml file contents?
You can find it in the source code.
I am new to Spring security. Please explain
what is "customUserDetailsService" in above code? how is it pointing to CustomUserDetailsService class?
Hi Anon,
krams has written
in his applicationContext.xml
That will load this("customUserDetailsService") service automatically.
:)
For more info you can read about autowiring in spring or simply search for tag component-scan.
:)
/* Excuse me for my english */
First, I thank Mr. Krams for this very interesting tutorial, and I wonder if
someone can help me by posting an updated pom.xml for this project, in fact there are some problems in the "goldin" dependency.
thank you
evgeny-goldin.org
Evgeny Goldin Repository
http://evgenyg.artifactoryonline.com/evgenyg/plugins-releases-local
Hi, thank you for the tutorial, it was very helpful for me. Actually I am trying to implement the same concept on a PostgreSQL 9.1 database but I'm facing some difficulties doing that. I made the necessary changes related to the database class driver, POM file, persistence file and spring-data file. The web application launches correctly but when I try to log in I receive the following error:
[ERROR] [tomcat-http--9 02:23:28] (JDBCExceptionReporter.java:logExceptions:234) ERREUR: la colonne user0_.id n'existe pas
Position: 8; I think it is related to the mapping between Hibernate and my JDBC postgresql driver,
how can I fix this, please?
Thanks
PLEASE stop spreading bad practices. DO NOT USE MD5 to hash passwords.
use org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
can you tell me how to load customUserDetailsService in application-context.xml file. I am getting error for the same.
When I try to add Filter like this
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
It prompts the following exception
>>>>>>>>>>>>>>>>>>>>>>
SEVERE: Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:529)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1095)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:277)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1097)
at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:326)
at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:236)
at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:194)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:277)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:258)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:382)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:103)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4650)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5306)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
<<<<<<<<<<<<<<<<<<<<
Where is the bean "springSecurityFilterChain" declared? I suggest you use http://pastebin.com/ when posting the code
Hi
If I want two separate login pages, one for users, and one for admins, what should I do?
how should I change spring-security.xml?