美文网首页
Spring Security Hello World Anno

Spring Security Hello World Anno

作者: lovePython | 来源:发表于2015-08-17 11:13 被阅读168次

    Technologies used :

    • Spring 3.2.8.RELEASE
    • Spring Security 3.2.3.RELEASE
    • Eclipse 4.2
    • JDK 1.6
    • Maven 3
    • Tomcat 7 (Servlet 3.x)

    Few Notes
    This tutorial is using WebApplicationInitializer to load the Spring Context Loader automatically, which is supported in Servlet 3.x container only, for example, Tomcat 7 and Jetty 8.
    Since we are using WebApplicationInitializer, the web.xml file is NOT required.

    Spring Security annotations are supported in older Servlet 2.x container, for example, Tomcat 6. If you use the classic XML file to load the Spring context, this tutorial is still able to deploy on Servlet 2.x container, for example, Tomcat 6

    1. Project Demo

    2. Directory Structure

    Review the final directory structure of this tutorial.


    spring-security-helloworld-annotation-directory

    3. Spring Security Dependencies

    To use Spring security, you need spring-security-web and spring-security-config.

    pom.xml

    <properties> 
    <jdk.version>1.6</jdk.version> 
    <spring.version>3.2.8.RELEASE</spring.version>  
    <spring.security.version>3.2.3.RELEASE</spring.security.version> 
    <jstl.version>1.2</jstl.version> 
</properties> 

<dependencies> 
    <!-- Spring 3 dependencies --> 
    <dependency> 
        <groupId>org.springframework</groupId> 
        <artifactId>spring-core</artifactId> 
        <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
        <groupId>org.springframework</groupId> 
        <artifactId>spring-web</artifactId> 
        <version>${spring.version}</version> 
     </dependency> 

    <dependency> 
        <groupId>org.springframework</groupId> 
        <artifactId>spring-webmvc</artifactId> 
        <version>${spring.version}</version> 
    </dependency> 

    <!-- Spring Security --> 
    <dependency> 
        <groupId>org.springframework.security</groupId> 
        <artifactId>spring-security-web</artifactId> 
        <version>${spring.security.version}</version> 
    </dependency> 
    <dependency> 
        <groupId>org.springframework.security</groupId> 
        <artifactId>spring-security-config</artifactId> 
        <version>${spring.security.version}</version> 
    </dependency> 
    
    <!-- jstl for jsp page --> 
    <dependency> 
        <groupId>jstl</groupId> 
        <artifactId>jstl</artifactId> 
        <version>${jstl.version}</version> 
    </dependency> 
</dependencies>

    4. Spring MVC Web Application

    A simple controller :

    • If URL =/welcome or /, return hello page.
    • If URL =/admin, return admin page.
    • If URL =/dba, return admin page.

    Later, we will secure the /admin and /dba URLs.

    HelloController.java

    package com.mkyong.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController { 
    @RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET) 
    public ModelAndView welcomePage() { 
        ModelAndView model = new ModelAndView(); 
        model.addObject("title", "Spring Security Hello World"); 
        model.addObject("message", "This is welcome page!"); 
        model.setViewName("hello"); 
        return model; 
    } 

    @RequestMapping(value = "/admin**", method = RequestMethod.GET) 
    public ModelAndView adminPage() { 
        ModelAndView model = new ModelAndView(); 
        model.addObject("title", "Spring Security Hello World"); 
        model.addObject("message", "This is protected page - Admin Page!");   
        model.setViewName("admin"); 
        return model; 
    } 

    @RequestMapping(value = "/dba**", method = RequestMethod.GET) 
    public ModelAndView dbaPage() { 
        ModelAndView model = new ModelAndView(); 
        model.addObject("title", "Spring Security Hello World"); 
        model.addObject("message", "This is protected page - Database Page!");  
        model.setViewName("admin"); 
        return model; 
    }
}

    Two JSP pages.

    hello.jsp

    <%@page session="false"%>
<html>
    <body> 
         <h1>Title : ${title}</h1> 
         <h1>Message : ${message}</h1>
     </body>
</html>

    admin.jsp

    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
    <body> 
        <h1>Title : ${title}</h1> 
        <h1>Message : ${message}</h1> 
        <c:if test="${pageContext.request.userPrincipal.name != null}"> 
            <h2>Welcome : ${pageContext.request.userPrincipal.name} | <a href="<c:url value="/logout" />" > Logout</a></h2> 
        </c:if>
    </body>
</html>

    5. Spring Security Configuration

    5.1 Create a Spring Security configuration file, and annotated with @EnableWebSecurity

    SecurityConfig.java

    package com.mkyong.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { 
    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {   
        auth.inMemoryAuthentication().withUser("mkyong").password("123456").roles("USER");  
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");  
        auth.inMemoryAuthentication().withUser("dba").password("123456").roles("DBA"); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
        http.authorizeRequests() .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")  
                                               .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')") .
                                               and().formLogin(); 
    }
}

    The equivalent of the Spring Security xml file :

    <http auto-config="true"> 
    <intercept-url pattern="/admin**" access="ROLE_ADMIN" /> 
    <intercept-url pattern="/dba**" access="ROLE_ADMIN,ROLE_DBA" /> 
</http> 

<authentication-manager> 
    <authentication-provider> 
        <user-service> 
            <user name="mkyong" password="123456" authorities="ROLE_USER" /> 
           <user name="admin" password="123456" authorities="ROLE_ADMIN" /> 
          <user name="dba" password="123456" authorities="ROLE_DBA" />
        </user-service> 
    </authentication-provider> 
</authentication-manager>

    5.2 Create a class extends AbstractSecurityWebApplicationInitializer, it will load the springSecurityFilterChain automatically.

    SpringSecurityInitializer.java

    package com.mkyong.config.core;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer { 
    //do nothing
}

    The equivalent of Spring Security in web.xmlfile :

    <filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy </filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping>

    6. Spring MVC Configuration

    6.1 A Config class, define the view’s technology and imports above SecurityConfig.java

    .

    AppConfig.java

    package com.mkyong.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@EnableWebMvc
@Configuration
@ComponentScan({ "com.mkyong.web.*" })
@Import({ SecurityConfig.class })
public class AppConfig { 
    @Bean 
    public InternalResourceViewResolver viewResolver() { 
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();    
        viewResolver.setViewClass(JstlView.class); viewResolver.setPrefix("/WEB-INF/pages/");  
        viewResolver.setSuffix(".jsp"); 
        return viewResolver; 
    } 
}

    The equivalent of the Spring XML file :

    <context:component-scan base-package="com.mkyong.web.*" /> 
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> 
    <property name="prefix"> 
        <value>/WEB-INF/pages/</value> 
    </property> 
    <property name="suffix"> 
        <value>.jsp</value> 
    </property> 
</bean>

    6.2 Create aInitializer class, to load everything.

    SpringMvcInitializer.java

    package com.mkyong.config.core;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
import com.mkyong.config.AppConfig;
public class SpringMvcInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {   
    @Override 
     protected Class<?>[] getRootConfigClasses() { 
         return new Class[] { AppConfig.class }; 
     } 
    
     @Override 
     protected Class<?>[] getServletConfigClasses() { 
         return null; 
     } 

     @Override 
      protected String[] getServletMappings() { 
           return new String[] { "/" }; 
      } 
}
```
Done.
> **Note** In Servlet 3.x container environment + Spring container will detect and loads theInitializer classes automatically.

##7. Demo

7.1. Welcome Page – http://localhost:8080/spring-security-helloworld-annotation/welcome
![spring-security-helloworld-annotation-welcome](https://img.haomeiwen.com/i722827/6a1c17599ab19d12.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)
7.2 Try to access`/admin` page, Spring Security will intercept the request and redirect to `/login`
, and a default login form is displayed.
![spring-security-helloworld-annotation-login](https://img.haomeiwen.com/i722827/8a3080a9da3d1d2a.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)
7.3. If username and password is incorrect, error messages will be displayed, and Spring will redirect to this URL `/login?error`.
![spring-security-helloworld-annotation-login-error](https://img.haomeiwen.com/i722827/96cfe6690c426a0b.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)
7.4. If username and password is correct, Spring will redirect the request to the original requested URL and display the page.
![spring-security-helloworld-annotation-admin](https://img.haomeiwen.com/i722827/6e18350c03b497de.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)
7.5. For unauthorized user, Spring will display the 403 access denied page. For example, user “mkyong” or “dba” try to access the `/admin` URL.
![spring-security-helloworld-annotation-403](https://img.haomeiwen.com/i722827/b93d6cb7cf992cb7.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)

    相关文章

      网友评论

          本文标题:Spring Security Hello World Anno

          本文链接:https://www.haomeiwen.com/subject/fenwqttx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|Spring Security Hello World Anno|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!