Review
In the previous section, we have implemented the Java classes and organized them accordingly: domain, repository, service, and controller. In this section, we will create the necessary configuration files, which are mainly XML files, and discuss them thoroughly.
Table of Contents
Part 1: Introduction and Functional Specs
Part 2: Java classes
Part 3: XML configuration
Part 4: HTML Files
Part 5: Running the Application
Configuration
There are two important configuration files required to secure our application with Spring Security:
- spring-security.xml (arbitrary name)
- web.xml
spring-security.xml
This contains the core Spring Security configuration.
Let's examine the contents of this file further:
the http tag
This means the path /resources should be ignored by Spring Security; therefore it will not be secured. Why do you want to do this? Mainly because these are static images, CSS, and JavaScript files that don't need to be secured.
the second http tag
This contains the core security rules of our application. In previous versions of Spring Security, you were only allowed to have one http element.
- auto-config is a shorthand for the following (see more):
- use-expressions enables support for SpEL (Spring Expression Language) expressions (see more)
intercept urls
Here we declare the URL patterns to be protected. Notice the use of the SpEL expressions hasRole and permitAll (see more)
form login
This declares our login settings:
- login-page: the URL path of our login page
- authentication-failure-url: the URL where a user will be redirected after a failed login
- default-target-url: the URL where a user will be redirected after a successful login
denied handler
This declares the URL where a user will be redirected after access is denied.
logout
This is similar to the login element.
- logout-success-url: the URL where a user will be redirected after a successful logout
- logout-url: the URL path of our logout page
authentication manager
- authentication-manager: registers an AuthenticationManager that provides authentication services (see more)
- authentication-provider: this is a shorthand for configuring a DaoAuthenticationProvider which loads user information from a UserDetailsService (see more)
- user-service-ref: this allows us to declare a custom UserDetailsService
- password-encoder: this allows us to declare various password encoders such as md5 and sha (see more)
web.xml
Besides the usual servlet declaration, the web.xml is where you declare the Spring Security filter and the name of the configuration file to read from.
To enable Spring Security, follow these guidelines:
- Add a DelegatingFilterProxy
- Add a springSecurityFilterChain mapping
- Add a contextConfigLocation. You must declare your applicationContext.xml and spring-security.xml here
Here's our complete web.xml file:
Datasource
Since we're using JPA and Spring Data JPA to simplify data access, we must also declare the corresponding configuration files. Please read the inline comments for more info.
spring-data.xml
This contains all datasource-related configuration.
Next
In the next section, we will turn our attention towards the view layer which mainly consists of JSP files. Click here to proceed.
Hi I have a question.
Where is the applicationContext.xml file contents?

You can find it in the source code.

I am new to Spring security. Please explain
what is "customUserDetailsService" in above code? how is it pointing to CustomUserDetailsService class?

Hi Anon,
krams has written
in his applicationContext.xml
That will load this("customUserDetailsService") service automatically.
:)
For more info you can read about autowiring in spring or simply search for tag component-scan.
:)

/* Excuse me for my english */
First, I thank Mr. Krams for this very interesting tutorial. and i wonder if
someone can help me by posting an updated pom.xml for this project, in fact there are some problems in the "goldin" dependency.
thank you

evgeny-goldin.org
Evgeny Goldin Repository
http://evgenyg.artifactoryonline.com/evgenyg/plugins-releases-local

hi, thank you for the tutorial it was very helpful for me. Actually I am trying to implement the same concept on a PostgreSQL 9.1 database but I'm facing some difficulties to do that. I made the necessary changes related to the database class driver, POM file, persistence file and spring-data file. The web application launches correctly but when I try to log in I receive the following error:
[ERROR] [tomcat-http--9 02:23:28] (JDBCExceptionReporter.java:logExceptions:234) ERREUR: la colonne user0_.id n'existe pas
Position: 8; I think it is related to the mapping between Hibernate and my JDBC postgresql driver,
how can I fix this, please?
Thanks

PLEASE stop spreading bad practices. DO NOT USE MD5 to hash passwords.
use org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder

can you tell me how to load customUserDetailsService in appication-context.xml file. I am getting error for the same.

Check this answer, I am sure it will help you: http://forum.springsource.org/showthread.php?99923-Cannot-find-bean-when-implementing-UserDetailsService

When I try to add Filter like this
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
It prompts the following exception
>>>>>>>>>>>>>>>>>>>>>>
SEVERE: Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:529)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1095)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:277)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1097)
at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:326)
at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java:236)
at org.springframework.web.filter.GenericFilterBean.init(GenericFilterBean.java:194)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:277)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:258)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:382)
at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:103)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4650)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5306)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
<<<<<<<<<<<<<<<<<<<<
Where is the bean "springSecurityFilterChain" declared? I suggest you use http://pastebin.com/ when posting the code

I was struggling with the same issue. My problem was that I was building the application on top of the default Spring MVC template and used provided web.xml file. Which is not bad thing to do of course. In this approach, servlet-context.xml is loaded via init-param of a servlet and I just left it there.
However, there are two things to realise:
a) The root context (ContextLoaderListener) cannot see beans in the child context (servlet).
b) Spring security config file has to be loaded BEFORE the application is started.
All errors which are mentioned here can be solved by loading those files in Root context (in the exact same way as it is done by Mark in the tutorial :) Like that:
http://pastebin.com/dLzD6cCf

Another short note: The only thing which is loaded in Mark's tutorial in child (servlet) context is spring-servlet.xml. Where is only view resolver declaration.

Hi
If I want two separate login pages, one for users, and one for admins, what should I do?
how should I change spring-security.xml ?

I'm getting this error while deploying:
Context initialization failed: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'customUserDetailsService': Injection of autowired ependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private my.anm.security.UserRepository my.anm.security.CustomUserDetailsService.userRepository; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [my.anm.security.UserRepository] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
Please help. Thanks