
Setting up Spring Security in Eclipse – II

Setting up Spring Security – Using URL based Security

Scenario: There is a bank called NoFraudBank, which has two branches – HisBranch and HerBranch. Each branch has 4 employees – a Manager, a Teller Supervisor, and two Tellers. Being a small privately owned bank, each branch has only one account. The bank allows the account holders to deposit or withdraw money. The bank employees can charge fees to the account and see an admin view of the account, with the comments that bank employees have entered for the account.

Download and unzip the latest Spring Security jar files from http://www.springsource.org/download/community?project=Spring%2520Security

Copy the following files from the unzipped folder into the Web/WEB-INF/lib folder (3.1.x stands for the exact version you downloaded):

standard.jar
org.springframework.aop-3.1.1.RELEASE.jar
spring-security-acl-3.1.x.RELEASE.jar
spring-security-config-3.1.0.RELEASE.jar
spring-security-core-3.1.x.RELEASE.jar
spring-security-taglibs-3.1.x.RELEASE.jar
spring-security-web-3.1.x.RELEASE.jar

———————————————————————

Modify WebContent/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

    <display-name>Spring ACL Demo</display-name>

    <context-param>
        <param-name>webAppRootKey</param-name>
        <param-value>springacldemo_root</param-value>
    </context-param>

    <!-- The DispatcherServlet loads its own context from WEB-INF/springacldemo-servlet.xml;
         the file name is derived from the servlet-name. -->
    <servlet>
        <servlet-name>springacldemo</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>springacldemo</servlet-name>
        <url-pattern>*.htm</url-pattern>
    </servlet-mapping>

    <!-- login.jsp lives directly under WebContent, so it can be served as the welcome file. -->
    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>

    <!-- Location of the XML file that defines the root application context.
         Applied by ContextLoaderListener. The path is context-relative and uses forward slashes. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext-security.xml</param-value>
    </context-param>

    <!-- Loads the root application context of this web app at startup. The application context
         is then available via WebApplicationContextUtils.getWebApplicationContext(servletContext). -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Spring Security enforces security with a chain of servlet filters. DelegatingFilterProxy
         hands every request to the bean named "springSecurityFilterChain", which the <http>
         element in applicationContext-security.xml registers in the root context. The /*
         mapping is what guarantees that no request bypasses the chain. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

———————————————————————

Create a new XML file, WEB-INF/applicationContext-security.xml, the file named in web.xml by the contextConfigLocation context-param.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- The login page itself must be reachable without authentication, otherwise the
         redirect to it would loop. -->
    <http pattern="/login.jsp" security="none"/>

    <http auto-config="true">
        <!-- URL based security: the first pattern that matches the request decides. access lists
             one or more roles; holding any one of them is enough (RoleVoter). A request that
             matches no pattern is not secured at all, so every protected URL has to be listed. -->
        <intercept-url pattern="/viewAccount.htm"
            access="ROLE_ACCHOLDER,ROLE_MANAGER,ROLE_SUPERVISOR,ROLE_TELLER" />
        <intercept-url pattern="/viewAccountAdmin.htm"
            access="ROLE_MANAGER,ROLE_SUPERVISOR,ROLE_TELLER" />
        <intercept-url pattern="/viewEmployees.htm" access="ROLE_MANAGER" />

        <!-- Failure and logout redirects point at /login.jsp: a /login.htm URL would be routed by
             the DispatcherServlet to WEB-INF/jsp/login.jsp, which does not exist. The logout-url
             needs no logout.jsp file either; the LogoutFilter intercepts that URL. -->
        <form-login login-page="/login.jsp" default-target-url="/viewAccount.htm"
            always-use-default-target="false" authentication-failure-url="/login.jsp?authfailed=true" />
        <logout invalidate-session="true" logout-url="/logout.jsp"
            logout-success-url="/login.jsp?loggedout=true" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- <password-encoder hash="plaintext" /> -->
            <!-- In-memory users with plaintext passwords: demo convenience only. -->
            <user-service>
                <user name="HeManager" password="test" authorities="ROLE_MANAGER" />
                <user name="HisSupe" password="test" authorities="ROLE_SUPERVISOR" />
                <user name="HisTeller1" password="test" authorities="ROLE_TELLER" />
                <user name="HisTeller2" password="test" authorities="ROLE_TELLER" />
                <user name="HisAccHolder" password="test" authorities="ROLE_ACCHOLDER" />
                <user name="SheManager" password="test" authorities="ROLE_MANAGER" />
                <user name="HerSupe" password="test" authorities="ROLE_SUPERVISOR" />
                <user name="HerTeller1" password="test" authorities="ROLE_TELLER" />
                <user name="HerTeller2" password="test" authorities="ROLE_TELLER" />
                <user name="HerAccHolder" password="test" authorities="ROLE_ACCHOLDER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
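To see what the three intercept-url rules above actually decide, here is an added example (not from the original post and not Spring Security code) that reimplements the relevant evaluation in plain Java: the first matching Ant-style pattern wins, any one listed role grants access, and a request that matches no pattern is let through. The class name, the ROLE_NOBODY catch-all and the /transferFunds.htm URL are assumptions made for the demonstration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class InterceptUrlCheck {

    /** One <intercept-url pattern=".." access=".."/> entry: an Ant-style path plus the roles. */
    record Rule(String antPattern, Set<String> roles) {
        boolean matches(String path) {
            // Ant semantics as Spring Security applies them: "**" may cross '/', "*" may not.
            StringBuilder re = new StringBuilder();
            for (int i = 0; i < antPattern.length(); i++) {
                char c = antPattern.charAt(i);
                if (c == '*' && i + 1 < antPattern.length() && antPattern.charAt(i + 1) == '*') {
                    re.append(".*");
                    i++;
                } else if (c == '*') {
                    re.append("[^/]*");
                } else {
                    re.append(Pattern.quote(String.valueOf(c)));
                }
            }
            return Pattern.matches(re.toString(), path); // path without query string, as the filter sees it
        }
    }

    /** The three rules from applicationContext-security.xml, in document order. */
    static final List<Rule> RULES = List.of(
        new Rule("/viewAccount.htm", Set.of("ROLE_ACCHOLDER", "ROLE_MANAGER", "ROLE_SUPERVISOR", "ROLE_TELLER")),
        new Rule("/viewAccountAdmin.htm", Set.of("ROLE_MANAGER", "ROLE_SUPERVISOR", "ROLE_TELLER")),
        new Rule("/viewEmployees.htm", Set.of("ROLE_MANAGER")));

    /** First matching rule decides; RoleVoter grants if the user holds any one of its roles. */
    static boolean allowed(List<Rule> rules, String path, Set<String> userRoles) {
        for (Rule r : rules) {
            if (r.matches(path)) {
                return !Collections.disjoint(r.roles(), userRoles);
            }
        }
        return true; // no rule matched: FilterSecurityInterceptor treats the request as public
    }

    public static void main(String[] args) {
        Set<String> teller = Set.of("ROLE_TELLER");
        System.out.println(allowed(RULES, "/viewAccount.htm", teller));     // ROLE_TELLER is listed
        System.out.println(allowed(RULES, "/viewEmployees.htm", teller));   // ROLE_MANAGER only
        System.out.println(allowed(RULES, "/transferFunds.htm", teller));   // matches no rule at all
        // Hardened rule set: a trailing catch-all (in the XML, <intercept-url pattern="/**" .../>)
        // makes an unlisted URL deny by default instead of being served unprotected.
        List<Rule> hardened = new ArrayList<>(RULES);
        hardened.add(new Rule("/**", Set.of("ROLE_NOBODY")));
        System.out.println(allowed(hardened, "/transferFunds.htm", teller));
    }
}
```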

———————————————————————

Create a new XML file, WEB-INF/springacldemo-servlet.xml. The DispatcherServlet finds it by convention: the servlet-name declared in web.xml followed by -servlet.xml.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

    <!-- This configuration takes any URL request that matches the *.htm pattern and maps it to
         the file with the same name but a .jsp extension, using the UrlFilenameViewController
         and InternalResourceViewResolver provided by Spring. -->
    <bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="mappings">
            <value>
                /*.htm=urlController
            </value>
        </property>
    </bean>

    <bean id="urlController"
        class="org.springframework.web.servlet.mvc.UrlFilenameViewController" />

    <!-- Because of the viewResolver, the controller never has to know the internal directory
         structure: view name "viewAccount" becomes /WEB-INF/jsp/viewAccount.jsp. -->
    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>
</beans>

———————————————————————

Create the files referenced above. login.jsp goes directly under WebContent; all the others go under WebContent/WEB-INF/jsp, where the container will not serve them by URL. That matters for the security rules: a direct request such as /viewEmployees.jsp would match none of the intercept-url patterns, so keeping the JSPs under WEB-INF ensures they are only reachable through the *.htm URLs that the rules cover.

login.jsp

<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
<html>
<head>
<title>Login: Spring Security Web Application</title>
<style type="text/css">
.errormessage {
    color: red;
}
.successmessage {
}
</style>
<script type="text/javascript">
// Demo shortcut: the quick-login buttons fill in the user name and the shared demo
// password before the form is submitted.
function doSubmit(userid) {
    document.getElementById('usernameField').value = userid;
    document.getElementById('passwordField').value = "test";
}
</script>
</head>
<body onload='document.loginForm.j_username.focus();'>
<%-- j_spring_security_check, j_username and j_password are the defaults the form-login
     filter expects; the page is reachable because of the security="none" entry. --%>
<form id="loginForm" name="loginForm" action="j_spring_security_check" method="post">
<c:if test="${not empty param.authfailed or not empty param.newpassword
              or not empty param.acclocked or not empty param.accdisabled}">
    <span id="infomessage" class="errormessage"> Login failed due to:
    <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />. </span>
</c:if>
<c:if test="${not empty param.loggedout}">
    <span id="infomessage" class="successmessage"> You have been successfully logged out. </span>
</c:if>
<table>
<tr>
    <td>Username</td>
    <td><input id="usernameField" type="text" name="j_username"
        value="<c:out value="${SPRING_SECURITY_LAST_USERNAME}"/>" /></td>
</tr>
<tr>
    <td>Password</td>
    <td><input id="passwordField" type="password" name="j_password" /></td>
</tr>
<tr>
    <td colspan="2" align="right"><input type="submit" value="Login" /></td>
</tr>
</table>
<br />
<table style="height: 28px;" border="1" bordercolor="#cccccc" cellspacing="0" cellpadding="2" width="100%">
<tr>
    <td align="center" colspan="2">Login as</td>
</tr>
<tr>
    <td align="center">His Branch</td>
    <td align="center">Her Branch</td>
</tr>
<tr>
    <td align="center"><input type="submit" value="He Manager" onclick="doSubmit('HeManager');" /></td>
    <td align="center"><input type="submit" value="She Manager" onclick="doSubmit('SheManager');" /></td>
</tr>
<tr>
    <td align="center"><input type="submit" value="His Supervisor" onclick="doSubmit('HisSupe');" /></td>
    <td align="center"><input type="submit" value="Her Supervisor" onclick="doSubmit('HerSupe');" /></td>
</tr>
<tr>
    <td align="center"><input type="submit" value="His Teller 1" onclick="doSubmit('HisTeller1');" /></td>
    <td align="center"><input type="submit" value="Her Teller 1" onclick="doSubmit('HerTeller1');" /></td>
</tr>
<tr>
    <td align="center"><input type="submit" value="His Teller 2" onclick="doSubmit('HisTeller2');" /></td>
    <td align="center"><input type="submit" value="Her Teller 2" onclick="doSubmit('HerTeller2');" /></td>
</tr>
<tr>
    <td align="center"><input type="submit" value="His Account Holder" onclick="doSubmit('HisAccHolder');" /></td>
    <td align="center"><input type="submit" value="Her Account Holder" onclick="doSubmit('HerAccHolder');" /></td>
</tr>
</table>
</form>
</body>
</html>

———————————————————————

WebContent/WEB-INF/jsp/viewAccount.jsp

<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
<%-- The security taglib is needed by the statically included navigation.jsp. --%>
<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags'%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>View Account</title>
</head>
<body>
<%@ include file="/WEB-INF/jsp/navigation.jsp"%>
<br />
<b>View Account Page</b>
<br />
<br /> Visible to employees and accountholder.
</body>
</html>

———————————————————————

WebContent/WEB-INF/jsp/viewAccountAdmin.jsp

<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags'%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>View Account Admin Page</title>
</head>
<body>
<%@ include file="/WEB-INF/jsp/navigation.jsp"%>
<br />
<b>View Account Admin Page</b>
<br />
<br /> Visible only to employees
</body>
</html>

———————————————————————

WebContent/WEB-INF/jsp/viewEmployees.jsp

<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags'%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>View Employees</title>
</head>
<body>
<%@ include file="/WEB-INF/jsp/navigation.jsp"%>
<br />
<b>View Employees</b>
<br />
<br /> Visible only to Manager
</body>
</html>

———————————————————————

WebContent/WEB-INF/jsp/navigation.jsp

<%-- Included statically (<%@ include %>) by the pages above, so it relies on the taglib
     declarations of the including page, in particular the security taglib. --%>
<div id="navcontainer">
<table style="height: 28px;" border="1" bordercolor="#cccccc" cellspacing="0" cellpadding="2" width="100%">
<tr>
    <td align="right" colspan="3">You are logged in as:
    <span style="color:#0000ff; font-weight:bold"><security:authentication property="principal.username"/></span>
    </td>
</tr>
<tr>
    <%-- Every user sees all three links; it is the intercept-url rules, not the menu,
         that enforce who may open each page. --%>
    <td align="center"><a href="viewAccount.htm">Account Info</a></td>
    <td align="center"><a href="viewAccountAdmin.htm">Account Admin Info</a></td>
    <td align="center"><a href="viewEmployees.htm">Employees</a></td>
</tr>
</table>
</div>

———————————————————————

From a terminal, go to the root of the project and type:

ant deploy

This deploys the web application to the Tomcat server, where it is available at http://localhost:8080/springacldemo

The error logs are available at $CATALINA_HOME/logs/catalina.out and $CATALINA_HOME/logs/localhost.yyyy-mm-dd.log
