Below are the steps to configure Spring Security in a web application.
1. Add users and roles in the application/web server. On JBoss, users and roles can be created with C:\JBOSS\jboss-eap-6.4\bin\add-user.bat
2. Add the dependencies below to the pom
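<!-- Goes inside the pom's <properties> element, so all four artifacts below share one version. -->
<!-- NOTE(review): 4.0.1.RELEASE is an old release on a line that is no longer maintained; check the
     Spring Security supported-versions list and pin a maintained release before using this outside a demo. -->
<spring.security.version>4.0.1.RELEASE</spring.security.version>

<!-- Spring Security: these entries go inside <dependencies>.
     No <scope> is written because compile is Maven's default scope. -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>${spring.security.version}</version>
</dependency>
<dependency>
  <!-- Provides the security: XML namespace used in the Spring context file. -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>${spring.security.version}</version>
</dependency>
<dependency>
  <!-- Servlet filters, including the pre-authentication classes configured on this page. -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>${spring.security.version}</version>
</dependency>
<dependency>
  <!-- JSP tag library; only needed when views use the security tags. -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-taglibs</artifactId>
  <version>${spring.security.version}</version>
</dependency>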
3. Add the following to dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
..
…
<!-- Pre-authenticated setup: the servlet container authenticates the caller; Spring Security only
     picks up the resulting principal and roles through the filter placed at PRE_AUTH_FILTER.
     auto-config="false" keeps form login, HTTP Basic and logout out of the filter chain. -->
<!-- NOTE(review): there is no <security:intercept-url> here, so this element performs no URL
     authorization of its own. On this page access control comes only from the <security-constraint>
     entries in web.xml; a path that no constraint covers reaches the application without a role check. -->
<!-- NOTE(review): the DelegatingFilterProxy for springSecurityFilterChain is not shown on this page.
     By default it looks the chain up in the root WebApplicationContext, so if this file is loaded only
     by the DispatcherServlet, move these definitions to the root context or set the filter's
     contextAttribute init-param. -->
<security:http auto-config="false"
               entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
  <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthFilter"/>
</security:http>

<!-- One provider only; the alias lets the filter bean refer to the manager as "authenticationManager". -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
</security:authentication-manager>
<!-- Accepts the token produced by the pre-auth filter. No password is checked here:
     the container's login is trusted completely. -->
<bean id="preAuthenticatedAuthenticationProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</bean>

<!-- Builds the UserDetails from the authorities already carried in the authentication details;
     no user store is consulted. -->
<bean id="preAuthenticatedUserDetailsService"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>

<!-- Takes the principal from the container (HttpServletRequest.getUserPrincipal()). -->
<bean id="j2eePreAuthFilter"
      class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationDetailsSource">
    <bean class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
      <!-- Candidate roles are the <security-role> names declared in web.xml; each one is tested
           with isUserInRole(). A role missing from web.xml never becomes an authority. -->
      <property name="mappableRolesRetriever">
        <bean class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>
      </property>
      <!-- Empty prefix and no upper-casing: authority names equal the web.xml role names exactly
           (for example "traveller", not "ROLE_TRAVELLER"). Any access rule or voter that expects
           the ROLE_ prefix will not match these authorities. -->
      <property name="userRoles2GrantedAuthoritiesMapper">
        <bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
          <property name="convertAttributeToUpperCase" value="false"/>
          <property name="attributePrefix" value=""/>
        </bean>
      </property>
    </bean>
  </property>
</bean>

<!-- Unauthenticated requests get HTTP 403 rather than a redirect to a login page,
     since logging in is the container's job. -->
<bean id="preAuthenticatedProcessingFilterEntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<!-- AffirmativeBased grants access when any voter grants it; with allowIfAllAbstainDecisions=false
     a request on which every voter abstains is denied. -->
<!-- NOTE(review): nothing on this page references this bean (the <security:http> element has no
     access-decision-manager-ref and no intercept-url rules), so as written it takes part in no
     decision. Wire it in explicitly if Spring-level authorization is intended. -->
<bean id="httpRequestAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
  <!-- Voters are supplied through the constructor; the setter-based decisionVoters form was
       left commented out in the original snippet. -->
  <constructor-arg>
    <list>
      <ref bean="roleVoter"/>
    </list>
  </constructor-arg>
  <property name="allowIfAllAbstainDecisions" value="false"/>
</bean>

<!-- NOTE(review): RoleVoter only votes on attributes that start with its rolePrefix (default "ROLE_").
     The authorities mapper on this page uses an empty prefix, so rules written with the bare role
     names would make this voter abstain and be denied. Set rolePrefix to match before relying on it. -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>

<!-- NOTE(review): declared as a plain bean and not added to the filter chain anywhere on this page.
     The security namespace normally installs its own instance (servlet-api-provision defaults to
     true), so this definition looks redundant; confirm before removing. -->
<bean id="securityContextHolderAwareRequestFilter"
      class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>
<!--end Spring-Security -->
4. Add the following to web.xml, using role names appropriate to the project.
<!-- Container-enforced access rules. These are the only authorization checks in this setup,
     and the <security-role> names are also what the Spring pre-auth filter maps to authorities. -->
<!-- NOTE(review): url-patterns here are exact matches ("/welcome" does not cover "/welcome/x"),
     and any path matched by no constraint is served without authentication. -->
<!-- NOTE(review): no <user-data-constraint> is present, so HTTPS is not required by this config,
     and no <login-config> is shown; the container needs one to authenticate callers at all. -->
<security-constraint>
  <display-name>welcome</display-name>
  <web-resource-collection>
    <web-resource-name>welcome</web-resource-name>
    <description/>
    <url-pattern>/welcome</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>traveller</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>traveller</role-name>
</security-role>

<!-- NOTE(review): this constraint is named "status" but guards /welcome, the same pattern as the
     constraint above. Constraints on one pattern combine, so /welcome is open to traveller OR
     traveller-status. Confirm that this is intended and not a copy-paste shift of the patterns. -->
<security-constraint>
  <display-name>status</display-name>
  <web-resource-collection>
    <web-resource-name>status</web-resource-name>
    <description/>
    <url-pattern>/welcome</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>traveller-status</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>traveller-status</role-name>
</security-role>

<!-- NOTE(review): named "desk" but guards /status; see the remark on the previous constraint. -->
<security-constraint>
  <display-name>desk</display-name>
  <web-resource-collection>
    <web-resource-name>desk</web-resource-name>
    <description/>
    <url-pattern>/status</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>traveller-desk</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>traveller-desk</role-name>
</security-role>
1. Add users and roles in the application/web server. On JBoss, users and roles can be created with C:\JBOSS\jboss-eap-6.4\bin\add-user.bat
2. Add the dependencies below to the pom
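<!-- Goes inside the pom's <properties> element, so all four artifacts below share one version. -->
<!-- NOTE(review): 4.0.1.RELEASE is an old release on a line that is no longer maintained; check the
     Spring Security supported-versions list and pin a maintained release before using this outside a demo. -->
<spring.security.version>4.0.1.RELEASE</spring.security.version>

<!-- Spring Security: these entries go inside <dependencies>.
     No <scope> is written because compile is Maven's default scope. -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>${spring.security.version}</version>
</dependency>
<dependency>
  <!-- Provides the security: XML namespace used in the Spring context file. -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>${spring.security.version}</version>
</dependency>
<dependency>
  <!-- Servlet filters, including the pre-authentication classes configured on this page. -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>${spring.security.version}</version>
</dependency>
<dependency>
  <!-- JSP tag library; only needed when views use the security tags. -->
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-taglibs</artifactId>
  <version>${spring.security.version}</version>
</dependency>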
3. Add the following to dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
..
…
<!-- Pre-authenticated setup: the servlet container authenticates the caller; Spring Security only
     picks up the resulting principal and roles through the filter placed at PRE_AUTH_FILTER.
     auto-config="false" keeps form login, HTTP Basic and logout out of the filter chain. -->
<!-- NOTE(review): there is no <security:intercept-url> here, so this element performs no URL
     authorization of its own. On this page access control comes only from the <security-constraint>
     entries in web.xml; a path that no constraint covers reaches the application without a role check. -->
<!-- NOTE(review): the DelegatingFilterProxy for springSecurityFilterChain is not shown on this page.
     By default it looks the chain up in the root WebApplicationContext, so if this file is loaded only
     by the DispatcherServlet, move these definitions to the root context or set the filter's
     contextAttribute init-param. -->
<security:http auto-config="false"
               entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
  <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthFilter"/>
</security:http>

<!-- One provider only; the alias lets the filter bean refer to the manager as "authenticationManager". -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
</security:authentication-manager>
<!-- Accepts the token produced by the pre-auth filter. No password is checked here:
     the container's login is trusted completely. -->
<bean id="preAuthenticatedAuthenticationProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</bean>

<!-- Builds the UserDetails from the authorities already carried in the authentication details;
     no user store is consulted. -->
<bean id="preAuthenticatedUserDetailsService"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>

<!-- Takes the principal from the container (HttpServletRequest.getUserPrincipal()). -->
<bean id="j2eePreAuthFilter"
      class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationDetailsSource">
    <bean class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
      <!-- Candidate roles are the <security-role> names declared in web.xml; each one is tested
           with isUserInRole(). A role missing from web.xml never becomes an authority. -->
      <property name="mappableRolesRetriever">
        <bean class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>
      </property>
      <!-- Empty prefix and no upper-casing: authority names equal the web.xml role names exactly
           (for example "traveller", not "ROLE_TRAVELLER"). Any access rule or voter that expects
           the ROLE_ prefix will not match these authorities. -->
      <property name="userRoles2GrantedAuthoritiesMapper">
        <bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
          <property name="convertAttributeToUpperCase" value="false"/>
          <property name="attributePrefix" value=""/>
        </bean>
      </property>
    </bean>
  </property>
</bean>

<!-- Unauthenticated requests get HTTP 403 rather than a redirect to a login page,
     since logging in is the container's job. -->
<bean id="preAuthenticatedProcessingFilterEntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<!-- AffirmativeBased grants access when any voter grants it; with allowIfAllAbstainDecisions=false
     a request on which every voter abstains is denied. -->
<!-- NOTE(review): nothing on this page references this bean (the <security:http> element has no
     access-decision-manager-ref and no intercept-url rules), so as written it takes part in no
     decision. Wire it in explicitly if Spring-level authorization is intended. -->
<bean id="httpRequestAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
  <!-- Voters are supplied through the constructor; the setter-based decisionVoters form was
       left commented out in the original snippet. -->
  <constructor-arg>
    <list>
      <ref bean="roleVoter"/>
    </list>
  </constructor-arg>
  <property name="allowIfAllAbstainDecisions" value="false"/>
</bean>

<!-- NOTE(review): RoleVoter only votes on attributes that start with its rolePrefix (default "ROLE_").
     The authorities mapper on this page uses an empty prefix, so rules written with the bare role
     names would make this voter abstain and be denied. Set rolePrefix to match before relying on it. -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>

<!-- NOTE(review): declared as a plain bean and not added to the filter chain anywhere on this page.
     The security namespace normally installs its own instance (servlet-api-provision defaults to
     true), so this definition looks redundant; confirm before removing. -->
<bean id="securityContextHolderAwareRequestFilter"
      class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>
<!--end Spring-Security -->
4. Add the following to web.xml, using role names appropriate to the project.
<!-- Container-enforced access rules. These are the only authorization checks in this setup,
     and the <security-role> names are also what the Spring pre-auth filter maps to authorities. -->
<!-- NOTE(review): url-patterns here are exact matches ("/welcome" does not cover "/welcome/x"),
     and any path matched by no constraint is served without authentication. -->
<!-- NOTE(review): no <user-data-constraint> is present, so HTTPS is not required by this config,
     and no <login-config> is shown; the container needs one to authenticate callers at all. -->
<security-constraint>
  <display-name>welcome</display-name>
  <web-resource-collection>
    <web-resource-name>welcome</web-resource-name>
    <description/>
    <url-pattern>/welcome</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>traveller</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>traveller</role-name>
</security-role>

<!-- NOTE(review): this constraint is named "status" but guards /welcome, the same pattern as the
     constraint above. Constraints on one pattern combine, so /welcome is open to traveller OR
     traveller-status. Confirm that this is intended and not a copy-paste shift of the patterns. -->
<security-constraint>
  <display-name>status</display-name>
  <web-resource-collection>
    <web-resource-name>status</web-resource-name>
    <description/>
    <url-pattern>/welcome</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>traveller-status</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>traveller-status</role-name>
</security-role>

<!-- NOTE(review): named "desk" but guards /status; see the remark on the previous constraint. -->
<security-constraint>
  <display-name>desk</display-name>
  <web-resource-collection>
    <web-resource-name>desk</web-resource-name>
    <description/>
    <url-pattern>/status</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>traveller-desk</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>traveller-desk</role-name>
</security-role>