If you would like to use expression language in Spring Security, you need to let know through an attribute namely “use-expressions” in the “http” tag as shown in Listing 15-19 below. There are various built-in expressions available as summarized below:
i. hasRole(‘role’) – checks whether the principal has the given ‘role’.
ii. hasAnyRole(‘role1′,’role2’,…) – checks whether the principal has any of the given roles.
iii. isAnonymous() – allows access to unauthenticated principal’s
iv. isAuthenticated() – allows access to authenticated or remembered principal’s.
Listing 15-19. Use of expressions in Spring Security configuration
|
1 2 3 4 5 6 7 |
<http use-expressions="true"> <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')"/> … </http> |
c. Custom authentication related page – If you would like to have your own custom authentication related pages, you have an option to specify the file as shown in Listing 15-20 below. It’s important to note that if you specify this, it mandatory to specify the logout element.
Listing 15-20. Custom login and logout in Spring Security configuration file
|
1 2 3 4 5 6 7 8 9 10 11 |
<http use-expressions="true" access-denied-page="/access.htm"> <form-login login-page="/login.htm" authentication-failure-url="/error.htm" default-target-url="/success.htm"/> <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')"/> … <logout/> </http> |
It is important to note that if you have your own custom login page, you need to follow certain rules as summarized below:
i. The username field should be named as “j_username” as shown below:
|
1 |
<input type="text" name="j_username"/> |
ii. The password field should be named as “j_password” as shown below:
|
1 |
<input type="password" name="j_password"/> |
iii. The form should be submitted as a post to “j_spring_security_check” as shown below:
|
1 2 3 4 5 |
<form action="<c:url value='j_spring_security_check'/>" method="POST"> … </form> |
d. Configuring the authentication manager – One of the very important configuration. Even though its common to go through an basic authentication manager using hard-coded username and password, we will have a database based authentication using classes which is provided by the Spring Security. This can be divided into various steps as summarized below:
i. Configure datasource – Listing 15-21 below shows basic datasource configuration.
Listing 15-21. Datasource configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
<beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <beans:property name="driverClassName" value="${app.jdbc.driverClassName}"/> <beans:property name="url" value="${app.jdbc.url}" /> <beans:property name="username" value="${app.jdbc.username}" /> <beans:property name="password" value="${app.jdbc.password}" /> </beans:bean> <beans:beanCodeCxSpMiddle" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"> <beans:property name="location" value="/WEB-INF/jdbc.properties"/> </beans:bean> |
ii. Configuring default JDBC user service bean – Listing 15-22 below shows using Spring security provided JDBC user service.
Listing 15-22. Configuring default JDBC user service provided by Spring Security Framework
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
<beans:bean id="jdbcUserService" class="org.springframework.security.provisioning. JdbcUserDetailsManager"> <beans:property name="dataSource" ref="dataSource"/> <beans:property name="authenticationManager" ref="authenticationManager"/> <beans:property name="enableGroups" value="true"/> <beans:property name="enableAuthorities" value="false"/> </beans:bean> |
iii. Configuring the actual authentication manager – Listing 15-23 below shows the configuration of the critical authentication manager.
Listing 15-23. Configuring authentication manager
|
1 2 3 4 5 6 7 8 9 |
<authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="jdbcUserService"> … </authentication-provider> </authentication-manager> |
iv. Password encoding – If you would like to having encoding for your stored password in the database, Spring Security provides adequate algorithms to do that. Mere configuration while configuring the authentication manager will do the trick as shown in Listing 15-24 below. In this sample a salt is also used to make the password more secure.
Listing 15-24. Configuring password encoder
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
<authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="jdbcUserService"> <password-encoder ref="passwordEncoder"> <salt-source ref="saltSource"/> </password-encoder> </authentication-provider> </authentication-manager> <beans:beanCodeCxSpMiddle" style="margin-left:108.0pt;mso-add-space:auto">ShaPasswordEncoder" id="passwordEncoder"> <beans:constructor-arg value="256"/> </beans:bean> <beans:bean class="org.springframework.security.authentication.dao. ReflectionSaltSource" id="saltSource"> <beans:property name="userPropertyToUse" value="salt"/> </beans:bean> |
4. Setting up the database – Since we will be using Spring Security recommended database structure, create the tables as shown in Figure 15-8 in previous section of this Chapter.
5. You are done. Put some dummy users into the database table and according to your intercept URL, Spring Security will kick in and challenge the user with their username and password.
Spring Security provides various built-in algorithms for password encoding which can be summarized as shown in Table 15-2 below. The details taken from the official Spring security documentation. Note that all implementations reside in the org.springframework.security.authentication.encoding package.
Page Visitors: 11024
Tomcy John
Latest posts by Tomcy John (see all)
- A Guide to Continuous Improvement for Architects - February 2, 2023
- Cloud-first Architecture Strategy - January 26, 2023
- Architecture Strategy and how to create One - January 24, 2023