Spring Security - bahkified/Notes GitHub Wiki
Spring Security can be used to secure a Java web application and has good integration with Spring MVC. It is configured through XML, programmatically, or through annotations in the Spring MVC controllers. The Spring Security framework consists of several components that will work together to check authentication and authorization of a user. Each component can be customized through configuration.
A security scheme is first defined in the configuration, which will map different URLs in the application to various authentication and authorization levels and roles. If the scheme decides that a user must be authenticated for a requested URL, the Spring Security framework will enter the security entry point. This entry point will leverage the authentication manager, which handles user authentication through the authentication provider. It is in the authentication provider that a user details service can be defined, which will look up a user.
Servlet filters can be defined to intercept URLs before they reach the Spring Security entry point, so a user can be authenticated before the entry point is ever invoked. In order to do this, a filter must extend `AbstractAuthenticationProcessingFilter`. This filter will determine whether or not an incoming request requires authentication and, if so, it will attempt the authentication through the authentication manager.
### Example XML Configuration
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <bean class="net.laureate.security.sso.SSOAuthenticationSuccessHandler" id="authenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/app/test"/>
        <property name="alwaysUseDefaultTargetUrl" value="true"/>
    </bean>

    <bean class="net.laureate.security.sso.SSOAuthenticationFailureHandler" id="authenticationFailureHandler">
        <property name="defaultFailureUrl" value="/app/authFail"/>
    </bean>

    <bean class="net.laureate.security.sso.SSOAuthenticationEntryPoint" id="authenticationEntryPoint">
        <property name="authenticationService" ref="authService"/>
    </bean>

    <security:http pattern="/js/**" security="none"/>
    <security:http pattern="/css/**" security="none"/>

    <security:http create-session="ifRequired" auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/app/authFail" access="permitAll()"/>
        <security:intercept-url pattern="/app/login" access="permitAll()"/>
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
        <security:custom-filter ref="ssoAuthenticationFilter" position="PRE_AUTH_FILTER"/>
        <security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout"/>
    </security:http>

    <bean class="net.laureate.security.service.AuthenticationServiceImpl" id="authService"/>

    <bean class="net.laureate.security.sso.SSOAuthenticationProvider" id="ssoAuthenticationProvider">
        <property name="authenticationService" ref="authService"/>
    </bean>

    <bean class="org.springframework.security.web.util.matcher.AndRequestMatcher" id="requireAuthRequestMatcher">
        <constructor-arg type="java.util.List">
            <list>
                <bean class="net.laureate.security.sso.SSONotRequestMatcher">
                    <constructor-arg index="0" type="java.lang.String" value="/app/login"/>
                    <constructor-arg index="1" value=""/>
                    <constructor-arg index="2" value="true"/>
                </bean>
                <bean class="net.laureate.security.sso.SSONotRequestMatcher">
                    <constructor-arg index="0" type="java.lang.String" value="/app/authFail"/>
                    <constructor-arg index="1" value=""/>
                    <constructor-arg index="2" value="true"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <bean class="net.laureate.security.sso.SSOAuthenticationFilter" id="ssoAuthenticationFilter">
        <property name="postOnly" value="false"/>
        <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
        <property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
        <property name="requestMatcher" ref="requireAuthRequestMatcher"/>
        <property name="authenticationManager" ref="authManager"/>
    </bean>

    <security:authentication-manager alias="authManager">
        <security:authentication-provider ref="ssoAuthenticationProvider"/>
    </security:authentication-manager>
</beans>
```
There are a fair number of pieces in this configuration.

- The `ssoAuthenticationFilter` bean configures a custom filter, which is inserted at the `PRE_AUTH_FILTER` position in this case. This filter declares the way successful and unsuccessful authentication attempts are handled. The URLs that this filter is applied to are declared in the `requireAuthRequestMatcher` bean, wired in through the `requestMatcher` property. This bean also holds a reference to the authentication manager. Multiple custom filters can be declared and added to the Spring Security filter chain. By default, filters can be placed before, after, or at several predefined positions on the chain (see Spring Security filter ordering).
- In order to tell the web application to use the Spring Security filter chain, the `web.xml` must be set up to use the Spring `DelegatingFilterProxy` and to specify a configuration file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
    <display-name>UofL Billing</display-name>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>app</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>app</servlet-name>
        <url-pattern>/app/*</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>WEB-INF/app-servlet.xml</param-value>
    </context-param>
</web-app>
```
- The `<security:http …>` tag specifies the entry point for this scheme, session management, the URLs to intercept, etc. Custom filters are declared and positioned within this tag, as is the configuration of the login / logout pages, if necessary. If a URL is configured to be intercepted for security and the request is not authenticated, the request is handed to the entry point.
- The `authenticationEntryPoint` bean is defined and used as the entry point for the security scheme.
- The `<security:authentication-manager … >` tag configures the authentication manager of this security scheme. The authentication provider and user details service, among other things, are declared here.
This particular configuration allows all requests to the `/js/` and `/css/` folders to pass without any security processing (`security="none"`). The two URLs `…/app/authFail` and `…/app/login` do not require any authentication. All other URLs must be fully authenticated in order to gain access.
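As an added example (not code from this page or from the `net.laureate` classes it references), this is a minimal filter of the kind the `ssoAuthenticationFilter` bean wires in: it extends `AbstractAuthenticationProcessingFilter`, lets the `RequestMatcher` passed to the constructor decide which requests it handles, reads an SSO token from a request header, and delegates validation to the `AuthenticationManager`. The class name, the `X-SSO-Token` header and the use of `PreAuthenticatedAuthenticationToken` are assumptions; the page does not describe the real SSO mechanism.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical SSO filter. The base class calls requiresAuthentication() on every
 * request and only invokes attemptAuthentication() when the RequestMatcher matches;
 * all other requests continue down the filter chain untouched.
 */
public class HeaderTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    // Assumed header name; the real SSO mechanism is not described on the page.
    static final String TOKEN_HEADER = "X-SSO-Token";

    public HeaderTokenAuthenticationFilter(RequestMatcher requiresAuth, AuthenticationManager manager) {
        super(requiresAuth);
        // Required: afterPropertiesSet() rejects a filter without an AuthenticationManager.
        setAuthenticationManager(manager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getHeader(TOKEN_HEADER);
        if (token == null || token.trim().isEmpty()) {
            // A missing credential is an authentication failure, not a silent pass-through:
            // the configured failure handler (defaultFailureUrl in the XML) takes over.
            throw new BadCredentialsException("Missing " + TOKEN_HEADER + " header");
        }
        // The token is an unverified claim at this point. Wrap it and hand it to the
        // AuthenticationManager; a provider (ssoAuthenticationProvider in the XML) must
        // validate it and return a fully populated Authentication, or throw.
        PreAuthenticatedAuthenticationToken unverified =
                new PreAuthenticatedAuthenticationToken(token, "N/A");
        unverified.setDetails(authenticationDetailsSource.buildDetails(request));
        return getAuthenticationManager().authenticate(unverified);
    }
}
```

On success the base class stops the chain and calls the success handler (here redirecting to `defaultTargetUrl`), so the matcher should exclude the login and failure URLs exactly as `requireAuthRequestMatcher` does above, or those pages would demand the header too.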
## Resources