Wednesday, March 5, 2014

Spring security using Java configuration

Authentication can be done in 2 ways in spring - using context xml files or using the latest java based configuration. This article explains how to implement spring security using java configurations.
The below steps need to be followed in order to configure security in spring applications.

  • Define spring security security filter chain.
  • Create custom user details service
  • Security configuration


1Define spring security security filter chain.
       public class WebAppInitializer implements WebApplicationInitializer {
              public void onStartup(ServletContext servletContext)
                     throws ServletException {

              .
              .
              .
             
              servletContext.addFilter("springSecurityFilterChain",
                           new DelegatingFilterProxy("springSecurityFilterChain"))
                     .addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class),
                                         true, "/*");
              .
              .
              .
              }
       }
TThe above approach eliminates the need for using a web.xml. The springsecurityfilterchain is defined in this java
fifile instead of web.xml.


Create custom user details service class.
       @Service
       public class AppUserDetailsService implements UserDetailsService {

              @Autowired
              private AppUserRepository appUserRepository;

              @Override
              @Transactional
              public UserDetails loadUserByUsername(String userId)
                     throws UsernameNotFoundException {
                     UserValue userValue = null;
                     List<GrantedAuthority> grantedAuthorities = new  ArrayList                               <GrantedAuthority>();
                     AppUser appUser = null;
                     appUser = appUserRepository.findByUserId(userId);
                     if (appUser != null) {
                            grantedAuthorities.add(new SimpleGrantedAuthority(appUser
                                  .getAppRole().getName()));
                            userValue = new UserValue(
                                  appUser.getId(), appUser. getUserId(),
                                  appUser.getPassword(), grantedAuthorities,
                                   appUser.getFirstName(), appUser.getLastName());
                     }
                     return userValue;
              }
       }
 There are different ways to configure security, this approach uses a custom User details service which loads the user and role information from the db and returns it to the framework, the framework then stores the user and role information in the session for further processing

1Create security configuration java class

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

       @Autowired
       AppUserDetailsService appUserDetailsService;

       @Autowired
       public void configureGlobal(AuthenticationManagerBuilder auth)
                     throws Exception {
              auth.userDetailsService(appUserDetailsService);
       }

       @Override
       public void configure(WebSecurity builder) throws Exception {
              builder.expressionHandler(webexpressionHandler()).ignoring()
                           .antMatchers("/resources/**");
       }

       @Bean(name = "webexpressionHandler")
       public DefaultWebSecurityExpressionHandler webexpressionHandler() {
              return new DefaultWebSecurityExpressionHandler();
       }

       @Override
       protected void configure(HttpSecurity http) throws Exception {
              http.csrf().disable().authorizeRequests().
                                  .antMatchers("/loginPage").permitAll().
                                  anyRequest().fullyAuthenticated().and()                                                   .formLogin().loginPage("/loginPage").
                                  loginProcessingUrl("/j_spring_security_check")
                                  .usernameParameter("j_username")
                                   .passwordParameter("j_password").
                                  failureUrl("/errorPage")
                                   .defaultSuccessUrl("/myhome").permitAll().and().
                                  logout().logoutUrl("/j_spring_security_logout")
                     .logoutSuccessUrl("/loginPAge").deleteCookies("JSESSIONID")
                           .invalidateHttpSession(true);
       }
}



The configure method can be used to define the loginpage, logout page, the success url, failure url and whether to delete cookies and invalidate session while logout. 
  • The configure method which accepts WebSecurity can be used to tell the resource folders so that those can be ignored by the security frameworks.
  •  Now all the urls except the one in the resources folder will be intercepted by the security framework and will be redirected to the login page
  •  Once the user enters the user id and password, the AppUserDetailsService.loadUserByUsername will be called by passing the current login userid. This method loads user information and passes it to the security framework
  •  The framework then validates the credentials and if it is successful, then displays the home page based on the configuration defined in the security config class.
  •  When the user logs out, the session is invalidated and the controls goes back to the login page. 


Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)