Spring Security Xml

Spring Security XML Configuration

The Spring Security we can be implemented by two way :

1. Xml Based
2. Java Based

Lets see the example of Spring Security with xml based configuration in Spring Project :

Create a Dynamic Project in eclipse .

After selected click on next button then enter the name of your application or project like below :

Then click on finish button. After finish right click on your project and convert to Maven Project like below :

After doing this if you want to change you can change group id or artifact id but in my case I don’t want to change so I use same as below like this :

And then click on finish button.

Now we have to add some dependency in pom.xml file as below :
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>FirstSecurity</groupId> <artifactId>FirstSecurity</artifactId> <version>0.0.1-SNAPSHOT</version> <packaging>war</packaging> <build> <sourceDirectory>src</sourceDirectory> <plugins> <plugin> <artifactId>maven-compiler-plugin</artifactId> <version>3.5.1</version> <configuration> <source>1.8</source> <target>1.8</target> </configuration> </plugin> <plugin> <artifactId>maven-war-plugin</artifactId> <version>3.0.0</version> <configuration> <warSourceDirectory>WebContent</warSourceDirectory> </configuration> </plugin> </plugins> </build> <dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>5.2.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>5.2.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>5.2.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>5.2.2.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-crypto</artifactId> <version>5.2.2.RELEASE</version> </dependency> <dependency> <groupId>jstl</groupId> <artifactId>jstl</artifactId> <version>1.2</version> </dependency> </dependencies> </project>

After adding above dependency save it and make sure you are connected with a stable internet connection.

Now the final project structure is just like below :

Create a web.xml under the WEB-INF folder and below code :
<web-app> <servlet> <servlet-name>hello</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet </servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>hello</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/hello-security.xml </param-value> </context-param> </web-app>

As standard, we declare a Spring dispatcher servlet that handles all URLs coming to the application, and a Spring Web Context Loader Listener to loads Spring security configuration (in a Spring security configuration file named hello-security.xml file under /WEB-INF folder).

The DelegatingFilterProxy is a servlet filter that allows passing control to Filter classes that have access to the Spring application context. Spring Security relies on this technique heavily.

In web.xml we need to configure a filter named as DelegatingFilterProxy which looks for a Spring bean by the name of filter (for eg. springSecurityFilterChain) and delegates all works to that bean.

Create a file under the WEB-INF folder and name should be in my case hello-servlet.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation=" http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> <mvc:annotation-driven /> <context:component-scan base-package="com.deepsingh44"> </context:component-scan> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/views/"></property> <property name="suffix" value=".jsp"></property> </bean> </beans>

As you are familiar with Spring MVC, the element tells Spring to analyze annotations for loading configurations and controllers.

The element specifies which Java package to search for Spring components.

And an InternalResourceViewResolverbean is declared to tell Spring how to resolve logical view names to physical view pages.

Create a file under the WEB-INF folder and name should be like in my case hello-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http auto-config="true"> <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" /> <access-denied-handler error-page="/error" /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="{noop}admin" authorities="ROLE_ADMIN" /> </user-service> </authentication-provider> </authentication-manager> </beans:beans>

In spring-security-core:5.0.0.RC1, the default PasswordEncoder is built as a DelegatingPasswordEncoder. When you store the users in memory, you are providing the passwords in plain text and when trying to retrieve the encoder from the DelegatingPasswordEncoder to validate the password it can't find one that matches the way in which these passwords were stored. You can also simply prefix {noop} to your passwords in order for the DelegatingPasswordEncoder use the NoOpPasswordEncoder to validate these passwords. Notice that NoOpPasswordEncoder is deprecated though, as it is not a good practice to store passwords in plain text. Here, there are two elements are used for authentication and authorization:

In the element, we declare which URL pattern will be intercepted by Spring security filter, using the element. As per this configuration, all the URL patterns /admin are secured, and only the users having role ROLE_ADMIN can be authorized to access these URLs. In this you can also add multiple urls.

The element declares a user with username, password and role (ROLE_ADMIN per this configuration). This user can be authenticated to access the application.

When we use element, Spring Security creates FilterChainProxy bean with bean name springSecurityFilterChain. The configuration within element is used to build a filter chain within FilterChainProxy. We can use more elements to add extra filter chains. All the filters which require a reference to AuthenticationManager will be automatically injected. Each namespace block creates a SecurityContextPersistenceFilter, an ExceptionTranslationFilter and a FilterSecurityInterceptor and they can not be replaced with alternatives.

Create a controller in controller package and name is MyController.java

package com.deepsingh44.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class MyController {

@GetMapping("/")
public String welcome() {
return "welcome";
}

@GetMapping("/admin")
public ModelAndView home() {
ModelAndView model = new ModelAndView("home");
model.addObject("message", "Spring Security.");
return model;
}

@GetMapping("/error")
public String error() {
return "error";
}

}

Create a welcome.jsp file under the WEB-INF/views folder.
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Insert title here</title> </head> <body> <h3>Welcome to Guest Profile</h3> <a href="admin"> Go To Admin Page </a> </body> </html> Create a error.jsp file under the WEB-INF/views folder
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Insert title here</title> </head> <body> <h3>This is error page</h3> </body> </html> Create home.jsp under the WEB-INF/views folder.
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <body> <div align="center"> <h2>${message}</h2> <c:if test="${pageContext.request.userPrincipal.name != null}"> <h2>Welcome : ${pageContext.request.userPrincipal.name}</h2> <h1>OR</h1> <h2>Welcome : ${pageContext.request.remoteUser}</h2> <p> <a href="<c:url value="/logout" />">Logout</a> </p> </c:if> </div> </body>

The getUserPrincipal() method returns an object of some class derived from the Principal interface, which is an abstraction of the entity that is the "user" responsible for the request. From it you get an actual object that, depending on the implementing class, you can use to get all sorts of information about that user/identity. One of those properties is the string-representation of the name of the user/identity, which you obtain by calling getName().

getRemoteUser() is really just a shortcut to getting that string-representation. You don't have access to any other methods implemented by the implementing class, not do you have access to the object itself, just the string-representation of the name.

Output is :