Simple web application with Spring Security: Part 15

Change from configuration to lookup of backend for login authentication

add dataAccessContext.xml to our context (dataSource + dataSourcePopulator for example application)
modify applicationContext-security.xml to use jdbc-user-service configuration

[
dataSource,
dataSourcePopulator,
_authenticationManager,
_filterChainProxy,
_httpSessionContextIntegrationFilter,
_filterChainProxyPostProcessor,
_filterChainList,
_securityContextHolderAwareRequestFilter,
_accessManager,
_portMapper,
_exceptionTranslationFilter,
_filterSecurityInterceptor,
_formLoginFilter,
_formLoginEntryPoint,
_entryPointInjectionBeanPostProcessor,
_userServiceInjectionPostProcessor,
org.springframework.security.providers.dao.DaoAuthenticationProvider#0,
org.springframework.security.userdetails.jdbc.JdbcUserDetailsManager#0,
org.springframework.security.config.AuthenticationProviderBeanDefinitionParser$AuthenticationProviderCacheResolver#0
];

No surprises with regard to the list of beans instantiated.

Turning auto-config property of http to true

Change applicationContext-security.xml:

<http auto-config="true" session-fixation-protection="none">
    <form-login login-page="/login.jsp" default-target-url="/home.htm"
                authentication-failure-url="/login.jsp?authfailed=true" />
</http>

This ends up creating more beans to handle anonymousAuth, basicAuth, rememberMe and logout services:
[
dataSource,
dataSourcePopulator,
_authenticationManager,
_filterChainProxy,
_httpSessionContextIntegrationFilter,
_filterChainProxyPostProcessor,
_filterChainList,
_securityContextHolderAwareRequestFilter,
_accessManager,
_portMapper,
_exceptionTranslationFilter,
_filterSecurityInterceptor,

_anonymousAuthenticationProvider,
_anonymousProcessingFilter,
_rememberMeServices,
_rememberMeAuthenticationProvider,
_rememberMeFilter,
_rememberMeServicesInjectionBeanPostProcessor,
_logoutFilter,
_basicAuthenticationEntryPoint,
_basicAuthenticationFilter,

_formLoginFilter,
_formLoginEntryPoint,
_entryPointInjectionBeanPostProcessor,
_userServiceInjectionPostProcessor,
org.springframework.security.providers.dao.DaoAuthenticationProvider#0,
org.springframework.security.userdetails.jdbc.JdbcUserDetailsManager#0,
org.springframework.security.config.AuthenticationProviderBeanDefinitionParser$AuthenticationProviderCacheResolver#0
]

FilterChain looks like:

[
org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ],
org.springframework.security.ui.logout.LogoutFilter[ order=300; ],
org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ],
org.springframework.security.ui.basicauth.BasicProcessingFilter[ order=1000; ],
org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ],
org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ],
org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ],
org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ],
org.springframework.security.intercept.web.FilterSecurityInterceptor@1e493eb
]

Investigate by following an HTTP request through the new filters to see what their responsibilities are and what it takes to get their supported functionality working.

logout filter -> basically checks whether the URI ends with /j_spring_security_logout, in which case it invalidates the session and redirects the user to the targetUrl. To get it working out of the box, just make the logout link href='/j_spring_security_logout'.

basicProcessingFilter -> handles BasicAuth and stores the resulting authentication in the security context.

RememberMeProcessingFilter -> if you are not already authenticated, checks whether you have a remember-me cookie; if you do, it authenticates you and, if successful, stores the authentication in the security context.

AnonymousProcessingFilter -> creates an Authentication object with the authority ROLE_ANONYMOUS. Useful if you wish to guarantee that every visitor has an Authentication object, and if you want to deal with people in ROLE_ANONYMOUS in a specific way.

Configuring http element

Of the filters that are automatically created when using auto-config="true", we don’t want to use the BasicProcessingFilter (BasicAuth) or the RememberMeProcessingFilter (remember-me functionality using cookies, etc.). So we set auto-config back to false and specify the logout and anonymous functionality explicitly.

<http auto-config="false" session-fixation-protection="none">
    <form-login login-page="/login.jsp" default-target-url="/home.htm"
                authentication-failure-url="/login.jsp?authfailed=true" />
    <anonymous />
    <logout logout-success-url="/login.jsp?loggedout=true"/>
</http>

results in the following beans:
[
dataSource,
dataSourcePopulator,
_authenticationManager,
_filterChainProxy,
_httpSessionContextIntegrationFilter,
_filterChainProxyPostProcessor,
_filterChainList,
_securityContextHolderAwareRequestFilter,
_accessManager,
_portMapper,
_exceptionTranslationFilter,
_filterSecurityInterceptor,
_anonymousAuthenticationProvider,
_anonymousProcessingFilter,
_logoutFilter,
_formLoginFilter,
_formLoginEntryPoint,
_entryPointInjectionBeanPostProcessor,
_userServiceInjectionPostProcessor,
org.springframework.security.providers.dao.DaoAuthenticationProvider#0,
org.springframework.security.userdetails.jdbc.JdbcUserDetailsManager#0,
org.springframework.security.config.AuthenticationProviderBeanDefinitionParser$AuthenticationProviderCacheResolver#0
]

results in the following filter order:
org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ],
org.springframework.security.ui.logout.LogoutFilter[ order=300; ],
org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ],
org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ],
org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ],
org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ],
org.springframework.security.intercept.web.FilterSecurityInterceptor@156f423

Adding URI Interception

<http auto-config="false" session-fixation-protection="none">
    <intercept-url pattern="/home.htm" access="ROLE_USER" />
    <intercept-url pattern="/admin.htm" access="ROLE_ADMIN" />
    <intercept-url pattern="/acldemo.htm" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="ROLE_ANONYMOUS"/>
    <form-login login-page="/login.jsp" default-target-url="/home.htm" authentication-failure-url="/login.jsp?authfailed=true" />
    <anonymous />
    <logout logout-success-url="/login.jsp?loggedout=true"/>
</http>

No extra beans are created or filters used.

We have specified that users accessing any resource on the web site should at least be in the role ROLE_ANONYMOUS (which is done for us by the AnonymousProcessingFilter). We then explicitly specify what roles a user needs to be in to reach some of the pages we have created.
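To make the behaviour of the filters traced above concrete, here is an added example that is not part of the original post and not Spring Security's code: a small Python model of the chain (LogoutFilter, AnonymousProcessingFilter, ExceptionTranslationFilter and FilterSecurityInterceptor, in their order=300/1300/1400/last positions) evaluated over the four intercept-url rules from the configuration above. The Request, Authentication, session and servlet stand-ins, the Ant-style matcher and the response strings are constructed for the model and only approximate what the real filters do.

```python
"""Toy model of the Spring Security 2.x filter chain described in this post.

Constructed example, not Spring's own code: it simulates LogoutFilter,
AnonymousProcessingFilter, ExceptionTranslationFilter and
FilterSecurityInterceptor just far enough to show how <intercept-url>
rules are evaluated (first matching pattern wins, roles are compared exactly).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Authentication:
    name: str
    authorities: frozenset


@dataclass
class Request:
    uri: str
    session: dict = field(default_factory=dict)  # "auth" holds the Authentication
    response: str = ""


ANONYMOUS = Authentication("anonymousUser", frozenset({"ROLE_ANONYMOUS"}))

# The rules in the order the post declares them; the catch-all is deliberately last.
INTERCEPT_URLS = [
    ("/home.htm", "ROLE_USER"),
    ("/admin.htm", "ROLE_ADMIN"),
    ("/acldemo.htm", "ROLE_ADMIN"),
    ("/**", "ROLE_ANONYMOUS"),
]


class AccessDenied(Exception):
    """Stand-in for Spring's AccessDeniedException."""


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '/**' spans directories, '*' stays within one."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            regex, i = regex + "(/.*)?", i + 3
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.fullmatch(regex, path) is not None


def logout_filter(req, chain):
    """order=300: the logout URL invalidates the session and redirects; nothing after it runs."""
    if req.uri.endswith("/j_spring_security_logout"):
        req.session.clear()
        req.response = "302 /login.jsp?loggedout=true"
        return
    chain(req)


def anonymous_filter(req, chain):
    """order=1300: every visitor without an Authentication gets ROLE_ANONYMOUS."""
    if req.session.get("auth") is None:
        req.session["auth"] = ANONYMOUS
    chain(req)


def exception_translation_filter(req, chain):
    """order=1400: an anonymous denial goes to the login entry point, an authenticated one gets 403."""
    try:
        chain(req)
    except AccessDenied:
        if "ROLE_ANONYMOUS" in req.session["auth"].authorities:
            req.response = "302 /login.jsp"
        else:
            req.response = "403 Forbidden"


def make_filter_security_interceptor(rules):
    """Last in the chain: the first matching rule decides, and the role must match exactly."""
    def filter_security_interceptor(req, chain):
        auth = req.session["auth"]
        for pattern, role in rules:
            if ant_match(pattern, req.uri):
                if role not in auth.authorities:
                    raise AccessDenied(req.uri)
                break  # first match wins; later rules are never consulted
        chain(req)   # matched with the right role, or no rule matched at all
    return filter_security_interceptor


def servlet(req):
    req.response = f"200 {req.uri}"


def build_chain(filters, target=servlet):
    """Run the filters in declaration order, each deciding whether to call the next."""
    def run(req, index=0):
        if index == len(filters):
            target(req)
        else:
            filters[index](req, lambda r: run(r, index + 1))
    return run


def handle(uri, rules=INTERCEPT_URLS, auth=None):
    """Send one constructed request through the chain and return its response line."""
    req = Request(uri, session={} if auth is None else {"auth": auth})
    chain = build_chain([logout_filter, anonymous_filter, exception_translation_filter,
                         make_filter_security_interceptor(rules)])
    chain(req)
    return req.response


if __name__ == "__main__":
    user = Authentication("alice", frozenset({"ROLE_USER"}))  # constructed principal
    print(handle("/login.jsp"))                    # 200 /login.jsp
    print(handle("/home.htm"))                     # 302 /login.jsp (anonymous -> entry point)
    print(handle("/home.htm", auth=user))          # 200 /home.htm
    print(handle("/admin.htm", auth=user))         # 403 Forbidden
    print(handle("/index.jsp", auth=user))         # 403 Forbidden (/** wants ROLE_ANONYMOUS exactly)
    shadowed = [INTERCEPT_URLS[-1]] + INTERCEPT_URLS[:-1]
    print(handle("/admin.htm", rules=shadowed))    # 200 /admin.htm for an anonymous visitor
```

Two points the model makes visible. First, the interceptor stops at the first matching pattern, so if the `/**` rule were declared before `/admin.htm` it would shadow it and an anonymous visitor would reach the admin page; keep the catch-all last. Second, with the default RoleVoter the access attribute is an exact role to hold, not a minimum level, so a logged-in ROLE_USER requesting a URL matched only by `/**` is denied with a 403 rather than let through. The logout URL is unaffected by the rules because LogoutFilter (order=300) runs before the interceptor.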
