Friday, 30 May 2014

Spring Secutiry HandsOn

Spring Security – Authentication and Authorization

In this article we will learn about how to develop a spring security framework which covers both authentication and authorization. I have explained each step in detail along with snapshot of creating each entity. I hope that you also get quickly Hands On Spring Security.
Tools to be used:
  1.  Eclipse 3.5
  2.  Spring 3.0.5
  3.  JBoss v5.0

We will use following major libraries (refer to Libraries snapshot for complete list of jars required both at compile time and runtime:  

  1.  Spring Core 3.0.5
  2. Spring Security 3.0.5
  3.  Spring MVC 3.0.5
  4.  Spring AOP 3.0.5


Steps to be followed:
  1. Create a dynamic web project in Eclipse and configure libraries.
  2.  Create a package structure.
  3.   Configure Spring related details in Web.xml.
  4. Create a spring-security.xml (can be renamed as per convenience).
  5.  Create a mvc-dispatcher-servlet.xml (can be renamed as per convenience).
  6.   Create a Controller class to secure methods.
  7.    Create a welcome page with links to your Controller request mapping.
  8.  Create an authorization/unauthorization page where user will be redirected in case of authentication success/failure respectively.
  9.  Create a logout page where user will be redirected in case of logout.
  10. Create an EAR project, link with your webapp project and deploy in JBoss v5.0









Step 1: Create a dynamic web project in Eclipse and configure libraries
In Eclipse, go to File -> New -> Dynamic Web Project (refer snapshot below)






  
Enter Project Name, such asSpringSecure (refer snapshot below)

This will create a project named SpringSecure in eclipse workspace (refer snapshot below)



To configure libraries, copy and paste following jars to your project WEB-INF -> lib folder (refer snapshot below):



Step 2: Create a package structure
In Project Explorer frame, select src folder, right click it, go to New -> Package and enter package name there. Click on Finish button (refer snapshot below)



Step 3: Configure Spring related details in Web.xml
Enter details with regard to Welcome Page, Spring MVC, Spring Context Loader and Spring Security Filter in web.xml (refer snapshot below)







Step 4: Create a spring-security.xml
In Project Explorer frame, go to your project, right click WEB-INF folder and create a new XML file “spring-security.xml” (refer snapshot below). It will create a blank xml file.



Enter details in spring-security.xml regarding which URL you want to be secured and their role authority.
Also configure the username and password for an authorized user. Spring security by itself will match the username and password entered during login screen with the details provided in spring-security.xml.

Following is the snapshot of spring-security.xml:



The tag <intercept-url> indicates the URL to be secured. Like in our case, we will secure any url having pattern “/adminUser*”. 
Also list the authorized Role for this url in access parameter.
Like in our case, a user having role “ROLE_ADMIN” will be allowed to access a pattern having “/adminUser*”.
The tag <user name=”xxxxx” password=”xxxx” authorities=”xxxx”/> indicates the Spring security framework to allow successful authentication to a user having these details.

Like in our case, a user having username as “admin” and password as “admin” will be successfully authenticated. Such user will have an authority which is mentioned against “authorities” parameter.
Spring security framework will load the above user details in an Object and will match with the details entered by a user in Login screen. If the details get match, then only authorization is checked further otherwise user is shown appropriate error message in Login screen.


Step 5: Create a mvc-dispatcher-servlet.xml
In Project Explorer frame, go to your project, right click WEB-INF folder and create a new XML file “mvc-dispatcher-servlet.xml”. It will create a blank xml file.
Enter details in “mvc-dispatcher-servlet.xml” file regarding your base package and view resolver.
Following is the snapshot of “mvc-dispatcher-servlet.xml” file:




  


Step 6: Create a Controller class to secure methods.
In Project Explorer frame, go to your project, right click package “com.secure”  and create a new JAVA class “AdminController” (refer snapshot below)









Enter details in “AdminContoller.java” regarding request mapping, methods body and their return parameters.
Note – We secured following two urls in spring-security.xml. Request mapping is entered in AdminController.java for the same. This will secure methods such as “welcomeAdminUser” and “welcomeSupportUser”.
1) “/adminUser”
2) “/supportUser”

Refer to snapshot below:




Step 7: Create a welcome page with links to your Controller request mapping.
To request for a page with secured URL’s, we need to create a JSP page which we will have hyperlinks to send request to our application.
Right click “WebContent” folder in project and create a new folder “jsp”. In this folder we will create “home.jsp”.
Following is the content to be added in “home.jsp”.



Note – We have already added “/jsp/home.jsp” in our web.xml as welcome page.
This page will open by default when we hit our application url.

Step 8: Create an authorization/unauthorization page where user will be redirected in case of authentication success/failure respectively
After successful authorization, we will redirect the user to authorization.jsp and display message there.
And in case of unauthorized user, we will redirect the user to unauthorization.jsp.
In “jsp” folder we will create “authorize.jsp” and “unauthorize.jsp”.
Following is the content to be added in “authorize.jsp”:



Following is the content to be added in “unauthorize.jsp”:



Note – In our “AdminController.java”, we have already added code statement to redirect to “authorize.jsp”. See snapshot below:



Step 9: Create a logout page where user will be redirected in case of logout
Once user has been successfully authenticated and authorized, Spring Security framework stores the client related information in cookies. So in order to re-login, we need to first logout from the application.
We will create a new JSP with name “logout.jsp”.
Following is the snapshot of “logout.jsp”:



Note –We have already provided “Logout” hyperlink to user in our “authorize.jsp”.
Refer snapshot below for the same:



That’s all with coding; Spring Security framework will by itself take care of Login Page. Yes, in case we do not specify our custom Login page, then Spring Security framework by itself display a Login page.

Step 10: Create an EAR project, link with your webapp project and deploy in JBoss v5.0
Go to File -> New -> Select ‘Enterprise Application Project’ and enter EAR name like ‘SpringSecureEAR’.



Do remember to choose ‘SpringSecure’ (webapp project) as dependency when creating EAR. Click on Finish button.


Add the newly created “SpringSecureEAR” resource on the server (refer snapshot below)



After this click on Finish button and then start server.

  
To Test the Security, we need to hit the following URL:


This will send the request to our application, and a home page will be displayed as following:



Click on first link, this will trigger the Spring Security as request is for “/adminUser” page.

The inbuilt Login Page will be displayed for authentication of the user. Refer to the snapshot below:



Enter User as “admin” and Password as “admin” and Submit the page.
As we have defined a user tag already in “spring-security.xml”, therefore authentication will be done on basis of what we have entered in login page with the details present in xml file.

 Upon successful authentication, the framework checks for authorization.
The admin user is having a role “ROLE_ADMIN” as already defined in user tag in spring-security.xml file. Refer to snapshot below:

<user name="admin" password="admin" authorities="ROLE_ADMIN" />

As authority of admin user matches with the role needed to access “\adminUser” url, therefore it will get successfully authorized.
An authorization page will be displayed as per return type mentioned in our “AdminController.java”.



On click of “Logout” link, user will be redirected to our controller. There we can build the logic to clear any session data available, if any.



In case user is not authorized, then following page is displayed:




No comments:

Post a Comment