Simple web application with Spring Security: Part 9

In this part we use the exceptionMappings feature of Spring Security to decide which page each kind of authentication failure is sent to. In this example every failure is simply sent back to login.jsp, which displays the error message; the mapping only changes the query parameter that login.jsp receives.

To use exception mappings we need to customize the AuthenticationProcessingFilter bean. As this bean was already defined in the earlier parts of the series, we edit applicationContext-servlet.xml so that it reads as follows:

<beans:bean id="customAuthenticationProcessingFilter"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
    <beans:property name="defaultTargetUrl" value="/home.htm" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationFailureUrl" value="/login.jsp?authfailed=true" />
    <beans:property name="allowSessionCreation" value="true" />
    <beans:property name="serverSideRedirect" value="true" />
    <beans:property name="targetUrlResolver" ref="roleBasedTargetUrlResolver" />
    <beans:property name="exceptionMappings">
        <beans:props>
            <beans:prop key="org.springframework.security.CredentialsExpiredException">/login.jsp?newpassword=true</beans:prop>
            <beans:prop key="org.springframework.security.LockedException">/login.jsp?acclocked=true</beans:prop>
            <beans:prop key="org.springframework.security.DisabledException">/login.jsp?accdisabled=true</beans:prop>
        </beans:props>
    </beans:property>
</beans:bean>
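The following is an added example, not code from the original post or from Spring Security itself. It is a plain Java program that models how the filter picks the failure URL in Spring Security 2.0 (exceptionMappings.getProperty(failed.getClass().getName(), authenticationFailureUrl): an exact match on the fully qualified class name of the exception, otherwise authenticationFailureUrl) and runs the kind of startup check you would want over the mapping: keys must look like class names and values must be context-relative paths, because the filter hands the value straight to a forward or, with serverSideRedirect off, a client redirect. The class and method names (FailureUrlResolver, resolve, validate) and the com.example.MyLockedException entry are assumptions made for the example; the mapping entries and default URL are the ones from the bean above.

```java
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Added example (not Spring Security's own code): models the failure-URL lookup that
 * AuthenticationProcessingFilter performs from its exceptionMappings property and lints
 * the mapping the way a deployment check would.
 */
public class FailureUrlResolver {

    // Keys must be fully qualified Java class names.
    private static final Pattern CLASS_NAME =
        Pattern.compile("([A-Za-z_$][A-Za-z0-9_$]*\\.)*[A-Za-z_$][A-Za-z0-9_$]*");

    private final Properties exceptionMappings;
    private final String authenticationFailureUrl;

    public FailureUrlResolver(Properties exceptionMappings, String authenticationFailureUrl) {
        this.exceptionMappings = exceptionMappings;
        this.authenticationFailureUrl = authenticationFailureUrl;
    }

    /**
     * Same rule as the filter: exact match on the runtime class name of the failed
     * AuthenticationException, otherwise the generic authenticationFailureUrl.
     * There is no hierarchy walk, so a subclass of a mapped exception (or a key with
     * a typo in it) silently falls through to the default page.
     */
    public String resolve(String failedExceptionClassName) {
        return exceptionMappings.getProperty(failedExceptionClassName, authenticationFailureUrl);
    }

    /**
     * Rejects keys that are not class names and values that are not context-relative
     * paths. "//host/..." is refused as well: with serverSideRedirect=false the value
     * goes to sendRedirect, and a protocol-relative value would leave the site.
     */
    public void validate() {
        if (authenticationFailureUrl == null || !authenticationFailureUrl.startsWith("/")) {
            throw new IllegalStateException("authenticationFailureUrl must be a context-relative path");
        }
        for (String key : exceptionMappings.stringPropertyNames()) {
            // Spring trims the text of <beans:prop> before storing it; do the same here.
            String url = exceptionMappings.getProperty(key).trim();
            if (!CLASS_NAME.matcher(key).matches()) {
                throw new IllegalStateException("exceptionMappings key is not a class name: " + key);
            }
            if (!url.startsWith("/") || url.startsWith("//")) {
                throw new IllegalStateException("exceptionMappings value for " + key
                    + " must be a context-relative path, got: " + url);
            }
        }
    }

    public static void main(String[] args) {
        // Same entries as the bean definition above.
        Properties mappings = new Properties();
        mappings.setProperty("org.springframework.security.CredentialsExpiredException", "/login.jsp?newpassword=true");
        mappings.setProperty("org.springframework.security.LockedException", "/login.jsp?acclocked=true");
        mappings.setProperty("org.springframework.security.DisabledException", "/login.jsp?accdisabled=true");

        FailureUrlResolver resolver = new FailureUrlResolver(mappings, "/login.jsp?authfailed=true");
        resolver.validate();

        String[] failures = {
            "org.springframework.security.LockedException",          // mapped
            "org.springframework.security.BadCredentialsException",  // not mapped: default URL
            "org.springframework.security.AccountExpiredException",  // not mapped: default URL
            "com.example.MyLockedException"                          // hypothetical subclass of LockedException: default URL
        };
        for (String failure : failures) {
            System.out.println(failure + " -> " + resolver.resolve(failure));
        }
    }
}
```

Run it with javac FailureUrlResolver.java && java FailureUrlResolver. Only the LockedException line resolves to /login.jsp?acclocked=true; the other three fall back to /login.jsp?authfailed=true, which is the behaviour to keep in mind if you later introduce your own AuthenticationException subclasses.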

Next, update login.jsp:

<%@ page session="true"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<html>

<head>
<title>Login: Spring Security Web Application</title>

<style TYPE="text/css">
.errormessage {
   color:red;
}

.successmessage {
}
</style>
</head>

<body onload='document.loginForm.j_username.focus();'>

<form id="loginForm" name="loginForm" action="j_spring_security_check" method="post">
<c:if test="${not empty param.authfailed}">
    <span id="infomessage" class="errormessage" >
    Login failed due to: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
    </span>
</c:if>
<c:if test="${not empty param.newpassword}">
    <span id="infomessage" class="errormessage" >
    Login failed due to: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
    </span>
</c:if>
<c:if test="${not empty param.acclocked}">
    <span id="infomessage" class="errormessage" >
    Login failed due to: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
    </span>
</c:if>
<c:if test="${not empty param.accdisabled}">
    <span id="infomessage" class="errormessage" >
    Login failed due to: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
    </span>
</c:if>
<c:if test="${not empty param.loggedout}">
    <span id="infomessage" class="successmessage">
    You have been successfully logged out.
    </span>
</c:if>
        <table>
          <tr><td>Username</td><td><input id="usernameField" type="text" name="j_username" value="<c:out value="${SPRING_SECURITY_LAST_USERNAME}"/>"/></td></tr>
          <tr><td>Password</td><td><input id="passwordField" type="password" name="j_password" /></td></tr>

          <tr><td colspan="2" align="right"><input type="submit" value="Login" /></td></tr>
        </table>
</form>

</body>

</html>

Note: none of these failures actually needed exception mappings, since they all end up on login.jsp anyway; the feature is shown here because it lets you send different failures to different pages. Be aware of what that reveals: a page or query parameter that says "account locked" or "account disabled" confirms that the username exists, which helps anyone enumerating accounts, and the same is true of the text of SPRING_SECURITY_LAST_EXCEPTION.message. If that matters for your application, map LockedException and DisabledException to the same generic page and message that a BadCredentialsException gets.

To verify this, extra users are added in applicationContext-security.xml to exercise the different scenarios:

<authentication-provider>
    <user-service id="userDetailsService">
        <user name="disabled" password="disabled" authorities="ROLE_USER" disabled="true" />
        <user name="locked" password="locked" authorities="ROLE_USER" locked="true" />
        <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="username" password="password" authorities="ROLE_USER" />
        <user name="test" password="test" authorities="ROLE_USER" />
    </user-service>
</authentication-provider>

Note: the user element has no attribute for marking an account as expired in the way that disabled and locked do, so the CredentialsExpiredException mapping cannot be exercised from this in-memory user service. See http://forum.springframework.org/showthread.php?t=63875

Getting the code

The code for this part is tagged and available for viewing online at: http://code.google.com/p/spring-security-series/source/browse/#svn/tags/SpringSecuritySeriesWAR-Part9

SVN Url: https://spring-security-series.googlecode.com/svn/tags/SpringSecuritySeriesWAR-Part9


2 Responses to “Simple web application with Spring Security: Part 9”

  1. Siyamed Says:

    “As we have already done this in our previous parts in the series, the applicationContext-servlet.xml file would be edited to have the following”

    Shall the file in here be applicationContext-servlet.xml?

  2. John Says:

    I am getting the following error: j_spring_security_check is not available.
