Spring Book – Chapter 15 – Web Application Security with Spring

If you would like to use expression language in Spring Security, you need to let know through an attribute namely “use-expressions” in the “http” tag as shown in Listing 15-19 below. There are various built-in expressions available as summarized below:

i.      hasRole(‘role’) – checks whether the principal has the given ‘role’.
ii.      hasAnyRole(‘role1′,’role2’,…) – checks whether the principal has any of the given roles.
iii.      isAnonymous() – allows access to unauthenticated principal’s
iv.      isAuthenticated() – allows access to authenticated or remembered principal’s.

Listing 15-19. Use of expressions in Spring Security configuration

c. Custom authentication related page – If you would like to have your own custom authentication related pages, you have an option to specify the file as shown in Listing 15-20 below. It’s important to note that if you specify this, it mandatory to specify the logout element.

Listing 15-20. Custom login and logout in Spring Security configuration file

It is important to note that if you have your own custom login page, you need to follow certain rules as summarized below:

i.      The username field should be named as “j_username” as shown below:

ii.      The password field should be named as “j_password” as shown below:

iii.      The form should be submitted as a post to “j_spring_security_check” as shown below:

d. Configuring the authentication manager – One of the very important configuration. Even though its common to go through an basic authentication manager using hard-coded username and password, we will have a database based authentication using classes which is provided by the Spring Security. This can be divided into various steps as summarized below:

i.      Configure datasource – Listing 15-21 below shows basic datasource configuration.

Listing 15-21. Datasource configuration

ii.      Configuring default JDBC user service bean – Listing 15-22 below shows using Spring security provided JDBC user service.

Listing 15-22. Configuring default JDBC user service provided by Spring Security Framework

iii.      Configuring the actual authentication manager – Listing 15-23 below shows the configuration of the critical authentication manager.

Listing 15-23. Configuring authentication manager

iv.      Password encoding – If you would like to having encoding for your stored password in the database, Spring Security provides adequate algorithms to do that. Mere configuration while configuring the authentication manager will do the trick as shown in Listing 15-24 below. In this sample a salt is also used to make the password more secure.

Listing 15-24. Configuring password encoder

4. Setting up the database – Since we will be using Spring Security recommended database structure, create the tables as shown in Figure 15-8 in previous section of this Chapter.

5. You are done. Put some dummy users into the database table and according to your intercept URL, Spring Security will kick in and challenge the user with their username and password.

Spring Security provides various built-in algorithms for password encoding which can be summarized as shown in Table 15-2 below. The details taken from the official Spring security documentation. Note that all implementations reside in the org.springframework.security.authentication.encoding package.

Page Visitors: 10981

The following two tabs change content below.
Tomcy John

Tomcy John

Blogger & Author at javacodebook
He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He's currently working as Principal Architect at Emirates Group IT since 2005. Prior to this he has worked with Oracle Corporation and Ernst & Young. His main specialization is on various web technologies and acts as chief mentor and Architect to facilitate incorporating Spring as Corporate Standard in the organization.
Tomcy John

Latest posts by Tomcy John (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *