Spring Security

Added by Ben Simpson, edited by Ben Simpson on Mar 04, 2011
You are viewing an old version (v. 37) of this page.
The latest version is v. 47, last edited on May 14, 2013 (view differences | )
<< View previous version | view page history | view next version >>

Spring Security 3 and ICEfaces 2

There are currently no attachments on this page.

About Spring Security

Spring Security 3 provides an API for configuring authentication and authorization. Authentication is possible against any number of repositories and databases. Authorization is applied at either the web resource level using Servlet Filters and/or at the business/service method level using aspects and annotations.

About This Tutorial

The purpose of this tutorial is to demonstrate how application developers can use both Spring Security 3 and ICEfaces 2 in the same application. Both technologies leverage the Servlet API so it is essential one understands how the various parts of the web.xml file are organized to accommodate both frameworks. Its also important to be mindful that Spring Security is highly configurable. The example below shows only one extension (Session Management). There are several others filters and configuration options your requirements may warrant.

Tutorial Use Case

The simple business case for this tutorial is a "product documentation" web application. Some of the documentation is publicly available and some of it requires authorization. To satisfy this requirement all content requiring authorization is accessible behind the spring intercept pattern "/secure/*"

Technologies/Libraries Used

This tutorial uses Spring Security 3.1, Spring 3, JSF 2 and ICEfaces 2. Additional libraries are needed to support these frameworks and have been noted in the tutorial's build.properties file.

Configuration Areas:

  1. [Configure Your Web.xml For Spring Security]
  2. [Configure Your applicationContext.xml For Spring Security]
  3. [Configure Your Web.xml For JSF]
  4. [Advanced: Configure Your Spring Security redirectStrategy]

Part 1: Configure Web.xml For Spring Security

The web.xml below contains parameters showing where the spring configuration is located, the Spring Security filter chain, and the context loader listener.

web.xml
 
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
		  http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext.xml
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>
   <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>

Part 2: Configure Your applicationContext.xml For Spring Security

In this step we configure Spring Security in the file applicationContext-security.xml.

applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!--  key configuration here is an entry point to be used by security intercepts -->
    <http realm="Sample Realm" entry-point-ref="authenticationEntryPoint">

        <!-- any role that is used to protect a directory, can be multiples -->
        <intercept-url pattern='/secure/**' access='ROLE_READER' />

        <!-- enable form login to use UsernamePasswordAuthenticationFilter [/j_spring_security_check] -->
        <form-login login-page="/general/logins/htmlLogin.faces"  
                    authentication-failure-url="/general/logins/loginFailed.faces"/>

        <!-- logout page uses the default LogoutFilter, no changes are needed as IT accepts a GET call... -->
        <!-- here is an example logout link:
                <a href="#{request.contextPath}/j_spring_security_logout">Logout</a> -->
        <logout logout-url="/j_spring_security_logout"
                logout-success-url="/general/main.faces"
                invalidate-session="true"/>
    </http>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/general/logins/htmlLogin.faces" />
    </beans:bean>

    <!-- test with this before you hook up your LDAP or other Authentication Manager -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="joe.blow@icesoft.com" password="pass1234" authorities="ROLE_READER"/>
                <user name="ben.simpson@icesoft.com" password="pass5678" authorities="ROLE_READER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Part 3: Configure Web.xml For JSF

In this step we extend the web.xml to support JSF like we would any other ICEfaces application.

web.xml
 
...
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>Resource Servlet</servlet-name>
        <servlet-class>com.icesoft.faces.webapp.CompatResourceServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.faces</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/icefaces/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>Resource Servlet</servlet-name>
        <url-pattern>/xmlhttp/*</url-pattern>
    </servlet-mapping>
...

Step 4: Configure Your Spring Security redirectStrategy

The example configuration below contains all of the previous security configurations and an added session management filter. When the session
expires the user should be routed to a session expired page. The additional configuration provided is required to help redirect ajax based events like
actionListeners attached to ice:commandButton tags.

applicationContext-security.xml
     
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!--  key configuration here is an entry point to be used by security intercepts -->
    <http realm="Sample Realm" entry-point-ref="authenticationEntryPoint" auto-config="false">

        <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
        <!-- any role that is used to protect a directory, can be multiples -->
        <intercept-url pattern='/secure/**' access='ROLE_READER' />

        <!-- enable form login to use UsernamePasswordAuthenticationFilter [/j_spring_security_check] -->
        <form-login login-page="/general/logins/htmlLogin.faces"  
                    authentication-failure-url="/general/logins/loginFailed.faces"/>

        <!-- logout page uses the default LogoutFilter, no changes are needed as IT accepts a GET call... -->
        <!-- here is an example logout link:
                <a href="#{request.contextPath}/j_spring_security_logout">Logout</a> -->
        <logout logout-url="/j_spring_security_logout"
                logout-success-url="/general/main.faces"
                invalidate-session="true"/>
    </http>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/general/logins/htmlLogin.faces" />
    </beans:bean>

    <!-- test with this before you hook up your LDAP or other Authentication Manager -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="joe.blow@icesoft.com" password="pass1234" authorities="ROLE_READER"/>
                <user name="ben.simpson@icesoft.com" password="pass5678" authorities="ROLE_READER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
        <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
        <beans:property name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
        <!-- this permits redirection to session timeout page from javascript/ajax or http -->
        <beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
    </beans:bean>

    <beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy"/>
    <beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

</beans:beans>

Resources

For more information on Spring Security, please check out the content below:

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

© Copyright 2017 ICEsoft Technologies Canada Corp.