Spring Security
Make the following changes to the Spring and Hibernate application we created in the previous step:
1. Add the following dependencies:
- org.springframework.security:spring-security-taglibs:5.0.1.RELEASE
- org.springframework.security:spring-security-config:5.0.1.RELEASE
2. Add the following to web.xml:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
The DelegatingFilterProxy is the entry point of Spring Security, which utilizes a number of handler interceptors (Spring's equivalent of servlet filters) and method interceptors configured in applicationContext.xml to implement security. Note that the URL pattern /* ensures that all requests will pass through Spring Security.
3. Add the security namespace to applicationContext.xml so the beginning of the file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/tx
        http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
And then add the following to applicationContext.xml:
<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource" />
    </security:authentication-provider>
</security:authentication-manager>
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/users.html" access="hasRole('ROLE_ADMIN')" />
</security:http>
Authentication is done using the users and authorities tables we created in the Hibernate step. Here we simply let <jdbc-user-service> reference the data source, and Spring Security will take care of the rest. The <http> element sets up a number of Spring Security filters for a web application environment, and <intercept-url> can be used to control access to certain URL patterns based on the roles of a user. And this is it. Your web application now has some basic security measures in place.
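What <jdbc-user-service> does against the users and authorities tables, written out as an added example that is not part of the original tutorial: the two queries are the defaults it runs when none are configured. The passwordEncoder bean id and the assumption that the password column holds bcrypt hashes are not from the tutorial; without a named encoder, Spring Security 5 expects stored passwords in {id}encodedPassword form.

```xml
<!-- Added example, not the tutorial's own configuration. -->
<!-- Assumption: users.password holds bcrypt hashes; "passwordEncoder" is a hypothetical bean id. -->
<bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<security:authentication-manager>
    <security:authentication-provider>
        <!-- Compare the submitted password against the stored hash with bcrypt. -->
        <security:password-encoder ref="passwordEncoder" />

        <!-- The queries below are the defaults, made explicit:
             1. load the account row, where enabled = false rejects the login;
             2. load the granted authorities, one row per authority. -->
        <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select username,password,enabled from users where username = ?"
            authorities-by-username-query="select username,authority from authorities where username = ?" />
    </security:authentication-provider>
</security:authentication-manager>

<!-- hasRole('ROLE_ADMIN') matches only if query 2 returns a row whose
     authority column is exactly ROLE_ADMIN for the logged-in user. -->
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/users.html" access="hasRole('ROLE_ADMIN')" />
</security:http>
```

This block replaces the <authentication-manager> and <http> elements from step 3 rather than sitting beside them.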