Getting Started With Spring Security 3.1 PDF

Getting Started with Spring
Security 3.1
Rob Winch, Sr Software Engineer, Spring Security
Lead
@rob_winch
!1 Spring"ne G#. $%% right& re&er'ed. (o not di&tribute without per)i&&ion.
About Me
* Spring Security Lead at Spring Source + ,-ware
* 1./ year& web e0perience
* 1!/ year& of 1a'a e0perience
* 2re'iou& E)p%oy)ent
3ea%th 4are Security at 4erner 56 year&7
Grid 4o)puting at $rgonne 8ationa% Lab& 51 year7
2roteo)ic& Re&earch at Loyo%a 9ni'er&ity 4hicago 51 year7
Started profe&&iona% career a& 2ERL contractor in 3igh Schoo%
Agenda
* What i& Spring Security
* Setting up Spring Security
* 3ow the ba&ic Spring Security f%ow wor:&
* Si)p%e cu&to)i;ation& of Spring Security
Log <n 2age
4u&to) Log <n 4ontro%%er
* G%oba% -ethod Security
* =>$
3
Tell me about Spring Security
* ?or)er%y :nown a& $cegi Security
* $uthentication
(ataba&e, L($2, 4$S, "pen<(, 2re@$uthentication, cu&to), etc

* $uthori;ation
9RL ba&ed, -ethod Aa&ed 5$"27
* E0ten&ion&
* Si)p%e yet powerfu%
B
Java Servlet Filter Review - Dispatcher
.
web.0)%
<filter>
<filter-name>filter1</filter-name>
<filter-class>Filter1</filter-class>
</filter>
<filter-mapping>
<url-pattern>/*</url-pattern>
</filter-mapping>
C
?i%ter1.Da'a
public void doFilter(ServletRequest request,
ServletResponse response, FilterCain filterCain! " #
"
// do someting $efore
S%stem&out&println('> ' ( request)rl!*
// run rest of application
filterCain&doFilter(request, response!*
// cleanup
S%stem&out&println('< ' ( request)rl!*
+
"
// do someting $efore
S%stem&out&println('> ' ( request)rl!*
// cleanup
S%stem&out&println('< ' ( request)rl!*
+
6
GEE +ho)e
HTT Re!uest rocessing STD"#T
F
Filter1.doFilter(request, response, filterChain)
GEE +ho)e
G
?i%ter1
HTT
H +ho)e
Re!uest rocessing STD"#T
GEE +ho)e
1!
?i%ter1
String url , '/-./-01F/ome&2sp'*
request
&getRequest3ispatcer(url!
&for4ard(request, response!*
HTT
H +ho)e
filterCain&doFilter(request,response!*
GEE +ho)e
11
?i%ter1
request
HTT
H +ho)e
ho)e.D&p
GEE +ho)e
1
?i%ter1
request
HTT
H +ho)e
ho)e.D&p
"I
GEE +ho)e
13
?i%ter1
request
HTT
H +ho)e
ho)e.D&p
GEE +ho)e
"I
1B
?i%ter1
request
HTT
H +ho)e
ho)e.D&p
J +ho)e
GEE +ho)e
"I
1.
web.0)%
<filter>
</filter>
<filter-mapping>
<dispatcer>R.5).S6</dispatcer>
<dispatcer>F7R-8R3</dispatcer>
</filter-mapping>
<filter>
</filter>
<filter-mapping>
<dispatcer>R.5).S6</dispatcer>
<dispatcer>F7R-8R3</dispatcer>
</filter-mapping>
1C
GEE +ho)e
16
?i%ter1
HTT
H +ho)e
GEE +ho)e
1F
?i%ter1
request&getRequest3ispatcer('/ome&2sp'!
HTT
H +ho)e
GEE +ho)e
1G
?i%ter1
HTT
H +ho)e
?i%ter1 H +ho)e.D&p
GEE +ho)e
!
?i%ter1
HTT
H +ho)e
ho)e.D&p
"I
?i%ter1 H +ho)e.D&p
GEE +ho)e
1
?i%ter1
HTT
H +ho)e
ho)e.D&p
?i%ter1 H +ho)e.D&p
GEE +ho)e
"I
?i%ter1
HTT
H +ho)e
ho)e.D&p
?i%ter1 H +ho)e.D&p
J +ho)e.D&p
GEE +ho)e
"I
3
?i%ter1
HTT
H +ho)e
ho)e.D&p
"I
?i%ter1 H +ho)e.D&p
J +ho)e.D&p
GEE +ho)e
B
?i%ter1
HTT
H +ho)e
ho)e.D&p
"I
?i%ter1 H +ho)e.D&p
J +ho)e.D&p
J +ho)e
GEE +ho)e
* Spring Security i& ba&ed on Ser'%et ?i%ter&
* Rare to proce&& other di&patcher type&, but i)portant to be aware of the)
* En&ure to inc%ude the nece&&ary di&patcher e%e)ent&
* "ther po&&ib%e di&patcher 'a%ue& inc%ude
RE=9ESE 5defau%t7
<84L9(E
?"RW$R(
ERR"R
.
Java Servlet Filter Review - Filter$hain
C


+


+
6

securit%Filter&doFilter(request, response, filter4hain7K

+


+
F

servlet&service(request, response!*

+


+
G
try #
+
catch (Securit%.9ception e! #
// andle error $% sending to login page
+
finally #
// cleanup
+
+
try #
+
catch (Securit%.9ception e! #
// andle error $% sending to login page
+
finally #
// cleanup
+
+
Demo Messages Application
3!
Setting up Spring Security
31
%asic Spring Security Setup
* $dd Spring Security (ependencie&
* 9pdate web.0)%
* 4reate Spring Security 4onfiguration
3
Speci&ying Dependencies with Maven
33
<dependencies>
&&&
<dependenc%>
<group0d>org&springframe4or:&securit%</group0d>
<artifact0d>spring-securit%-core</artifact0d>
<version>;&1&;&R.<.8S.</version>
</dependenc%>
<dependenc%>
<artifact0d>spring-securit%-4e$</artifact0d>
</dependenc%>
<dependenc%>
<artifact0d>spring-securit%-config</artifact0d>
</dependenc%>
</dependencies>
<dependencies>
&&&
<dependenc%>
<artifact0d>spring-securit%-core</artifact0d>
</dependenc%>
<dependenc%>
<artifact0d>spring-securit%-4e$</artifact0d>
</dependenc%>
<dependenc%>
<artifact0d>spring-securit%-config</artifact0d>
</dependenc%>
</dependencies>
Speci&ying Dependencies with 'radle
3B
dependencies #
compile 'org&springframe4or:=spring-conte9t=>spring?ersion',
&&&
'org&springframe4or:&securit%=spring-securit%-4e$=;&1&;&R.<.8S.',
'org&springframe4or:&securit%=spring-securit%-config=;&1&;&R.<.8S.',
'org&springframe4or:&securit%=spring-securit%-core=;&1&;&R.<.8S.'
+
dependencies #
compile 'org&springframe4or:=spring-conte9t=>spring?ersion',
&&&
'org&springframe4or:&securit%=spring-securit%-4e$=;&1&;&R.<.8S.',
'org&springframe4or:&securit%=spring-securit%-config=;&1&;&R.<.8S.',
'org&springframe4or:&securit%=spring-securit%-core=;&1&;&R.<.8S.'
+
#pdate web()ml - $onte)t*oader*istener
3.
<conte9t-param>
<param-name>conte9tConfig<ocation</param-name>
<param-value>
/-./-01F/spring/*&9ml
</param-value>
</conte9t-param>
<listener>
<listener-class>
org&springframe4or:&4e$&conte9t&Conte9t<oader<istener
</listener-class>
</listener>
<conte9t-param>
<param-value>
/-./-01F/spring/*&9ml
</param-value>
</conte9t-param>
<listener>
<listener-class>
org&springframe4or:&4e$&conte9t&Conte9t<oader<istener
</listener-class>
</listener>
web.0)%
+hat is the $onte)t*oader*istener
3C
* 8ot Specific to Spring Security
* 4reate& a Spring $pp%ication4onte0t u&ing the Spring 4onfiguration& 5i.e. the
'a%ue of conte0t4onfigLocation7
* 4an be u&ed to %oo:up obDect& in $pp%ication4onte0t
* Rare to interact with $pp%ication4onte0t direct%y
$onte)t*oader*istener pseudocode
36
// init 8pplicationConte9t
@ml-e$8pplicationConte9t applicationConte9t ,
new @ml-e$8pplicationConte9t(!*
applicationConte9t&setConfig<ocation('/-./-01F/spring/*&9ml'!*
applicationConte9t&refres(!*
// )se 8pplicationConte9t
Filter filter ,
applicationConte9t&get/ean('springSecurit%FilterCain',
Filter&class!*
Filter filter ,
Filter&class!*
3F
Filter filter ,
Filter&class!*
Filter filter ,
Filter&class!*
<conte9t-param>
<param-value>
/WEB-INF/spring/*.!l
</param-value>
</conte9t-param>
<conte9t-param>
<param-value>
/WEB-INF/spring/*.!l
</param-value>
</conte9t-param>
"/WEB-INF/spring/*.!l"
"/WEB-INF/spring/*.!l"
3G
Filter filter ,
Filter&class!*
Filter filter ,
Filter&class!*
#pdate web()ml - springSecurityFilter$hain
B!
web.0)%
<filter>
<filter-name>springSecurit%FilterCain</filter-name>
<filter-class>
org&springframe4or:&4e$&filter&3elegatingFilterAro9%
</filter-class>
</filter>
<filter-mapping>
</filter-mapping>
<filter>
<filter-class>
org&springframe4or:&4e$&filter&3elegatingFilterAro9%
</filter-class>
</filter>
<filter-mapping>
</filter-mapping>
DelegatingFilterro)y pseudocode
B1
public class 3elegatingFilterAro9% i!ple!ents Filter #
public void init(FilterConfig config! throws Servlet.9ception #
// applicationConte9t is o$tained from Conte9t<oader<istener
this&delegate ,
Filter&class!*
+
public void doFilter(&&&! throws &&& #
this&delegate&doFilter(request, response, filterCain!*
+
public void destro%(! #
// tis ma% not $e invo:ed depending on te settings
this&delegate&destro%(!*
+
private Filter delegate*
+
this&delegate ,
Filter&class!*
+
+
+
+
B
this&delegate ,
Filter&class!*
+
+
+
+
this&delegate ,
Filter&class!*
+
+
+
+
spring#ecurityFilter$hain
spring#ecurityFilter$hain
<filter-mapping>
<filter-name>spring#ecurityFilter$hain</filter-name>
</filter-mapping>
<filter-mapping>
<filter-name>spring#ecurityFilter$hain</filter-name>
</filter-mapping>
B3
this&delegate ,
Filter&class!*
+
+
+
+
this&delegate ,
Filter&class!*
+
+
+
+
$reate security()ml
* Ehe fi%e %ocation &hou%d be &rc+)ain+webapp+WEA@<8?+&pring+&ecurity.0)% to
)atch the conte0t4onfigLocation
* 8eed to en&ure to get the 0)% na)e&pace dec%aration correct
* Spring Eoo% Suite 5SES7 can he%p with adding na)e&pace dec%oaration&
BB
$reate security()ml with Spring Tool Suite
* <n SES right c%ic: src/main/webapp/WEB!"F/sprin#/
* ,ew L Spring %ean $on&iguration File
* Enter securit$.%ml a& the fi%e na)e
* 4%ic: ,e)t
* Se%ect Security
* 4%ic: Finish
B.
src-main-webapp-+.%-/,F-security()ml
BC
$dd the fo%%owing between the <$eans> tag&
<securit%=ttp use-e9pressions,"true">
<securit%=intercept-url pattern,"/**"
access,"hasRole('ROLE_USER')"/>
<securit%=form-login />
</securit%=ttp>
<securit%=autentication-manager>
<securit%=autentication-provider>
<securit%=user-service>
<securit%=user name,"user"
pass4ord,"password"
autorities,"ROLE_USER"/>
</securit%=user-service>
</securit%=autentication-provider>
</securit%=autentication-manager>
<securit%=form-login />
</securit%=ttp>
<securit%=autentication-manager>
<securit%=autentication-provider>
<securit%=user-service>
<securit%=user name,"user"
pass4ord,"password"
autorities,"ROLE_USER"/>
</securit%=user-service>
</securit%=autentication-provider>
</securit%=autentication-manager>
Demo %asic Spring Security
B6
Filter$hainro)y 0springSecurityFilter$hain1 seudocode
BF
FilterBC delegates , loo:up3elegates(request!*
for(Filter delegate = delegates! #
delegate&doFilter(request, response, cain!*
if(delegate does not invo:e filterCain&doFilter!
return*
+
+

FilterBC delegates , loo:up3elegates(request!*
for(Filter delegate = delegates! #
delegate&doFilter(request, response, cain!*
if(delegate does not invo:e filterCain&doFilter!
return*
+
+

#nauthenticated Re!uest to rotected Resource
BG
GEE +)e&&age&+
HTT Re!uest rocessing
.!
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
.1
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
.
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
try %
filterCain&doFilter(&&&!*
&catch(8ccess3enied.9ception e!#

+
.3
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
.B
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
<securit%=ttp auto-config,"true"
use-e9pressions,"true">
&&&
&&&
(oe&
+ )atch -22
..
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
Me&, &o the current
u&er )u&t ha'e
R"*.3#S.R
.C
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
8ot %ogged in
&o throw
$cce&&(enied
E0ception
.6
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
.F
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
catch(8ccess3enied.9ception e!#
// save D66A request 4it RequestCace
// send to log in page 4/
// 8utentication.ntr%Aoint
+
.G
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
+
3!
+&pring_&ecurity_%ogin
Ant atterns
C!
* =uery para)eter& are not inc%uded in the )atch
* Ehe conte0t path i& not inc%uded in the )atch
* N )atche& one character
* O )atche& ;ero or )ore character& 5not a directory de%i)iter i.e. +7
* OO )atche& ;ero or )ore Pdirectorie&P in a path
Spring Security u&e& an $nt2athReQue&t-atcher to deter)ine if a 9RL
)atche& the current 9RL. Ehe fo%%owing ru%e& are u&ed when )atchingR
Ant atterns - .)amples
C1
$nt 2attern e0a)p%e& that a&&u)e a conte0t path of +)e&&age&
2attern (e&cription ?u%% 2ath 2ath to -atch
+OO -atche& any 9RL
+O -atche& anything
in root fo%der
+)e&&age&+1 -4
+)e&&age&+NaSb -5
+)e&&age&+1+ -4-
C
$nt 2attern e0a)p%e& that a&&u)e a conte0t path of +)e&&age&
+1+OO -atche& anything
that &tart& with +1
+)e&&age&+1 -4
+)e&&age&+1NaSb -4
+)e&&age&+1+ -4-
+)e&&age&+1+'iew -4-view
+)e&&age&+other+ -other-
+)e&&age&++'iew -5-view
C3
Ae carefu% when u&ing pattern )atching
+OO+O.c&& -atche&
anything that
end& with
.c&&
+)e&&age&+&ty%e&+)ain.c&& -styles-main(css
+)e&&age&+1 -4
+)e&&age&+1.c&& -4(css
Ant atterns
CB
* Ehe %e&& re&tricti'e the )apping the ea&ier it i& for a )a%iciou& u&er to bypa&&
* Spring -,4 wi%% treat +1.c&& the &a)e a& +1, &o a )a%iciou& u&er can u&e thi&
to bypa&& &ecurity con&traint&
* "ther way& to bypa&& 9RL ba&ed &ecurity 5i.e. path 'ariab%e&, non@nor)a%i;ed
9RL&, etc7. Spring Security doe& ha'e thing& in p%ace to he%p protect you 5i.e.
3ttp?irewa%%7
* Ae&t to co)bine 9RL Security with -ethod Security to pro'ide defen&e in
depth
Re!uesting log in page
C.
GEE
+)e&&age&+&pring_&ecurity_%ogin
CC
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
GEE
C6
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
(efau%tLogin2age
Generating?i%ter
GEE
CF
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
(efau%tLogin2age
Generating?i%ter
GEE
CG
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
(efau%tLogin2age
Generating?i%ter
GEE
Generate a %og in page
for reQue&t& to
+&pring_&ecurity_%ogin
6!
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
(efau%tLogin2age
Generating?i%ter
GEE
!!
Log <n 2age
Authenticating via username 6 password
61
2"SE
+)e&&age&+D_&pring_&ecurity_chec:
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
6
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Security4onte0t
2er&i&tence?i%ter
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
63
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Security4onte0t
2er&i&tence?i%ter
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
3ttpSe&&ion
no $uthentication
6B
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
9&erna)e2a&&word
$uthentication?i%ter
6.
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
9&erna)e2a&&word
$uthentication
-anager
u&er+&ecret
6C
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
9&erna)e2a&&word
$uthentication
-anager
u&er+&ecret
u&er
66
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
9&erna)e2a&&word
$uthentication
-anager
u&er+&ecret
u&er
6F
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
9&erna)e2a&&word
u&er
6G
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r
9&erna)e2a&&word
u&er
3!
Sa'ed ReQue&t
F!
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
Security4onte0t
wa& updated
&a'e to 3ttpSe&&ion
F1
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
F
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
F3
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
FB
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
2"SE
D_u&erna)eSu&er
D_pa&&wordS&ecurity
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
Re!uesting rotected Resource while Authenticated
F.
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
u&er
FC
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
u&er
F6
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
FF
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
9pdate
Security4onte0t
3o%der
FG
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
u&er
G!
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
u&er
G1
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
u&er
G
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r Security4onte0t
2er&i&tence?i%ter
u&er
u&er
G3
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
ReQue&t4ache
$ware?i%ter
u&er
u&er
fi%ter4hain.do?i%ter5&a'edReQue&t, re&pon&e7
GB
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security?i%ter
<nterceptor
u&er
u&er
G.
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security?i%ter
<nterceptor
u&er
u&er
4urrent u&er ha&
R"LE_9SER
Grant $cce&&
GC
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security?i%ter
<nterceptor
u&er
u&er
G6
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security4onte0t
2er&i&tence?i%ter
u&er
u&er
Security4onte0t
ha& not changedK no
update to &e&&ion
GF
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security4onte0t
2er&i&tence?i%ter
u&er
u&er
4%ear
Security4onte0t3o%der
GG
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security4onte0t
2er&i&tence?i%ter
u&er
1!!
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
Sa'ed ReQue&t
3ttpSe&&ion
Security
4onte0t3o%de
r
Security4onte0t
2er&i&tence?i%ter
u&er
Spring Security Filters
* Each ?i%ter ha& a &pecific ta&:
* Each ?i%ter act& a& a contro%%er
* Logic in ?i%terP& can be i)p%e)ented in a contro%%er of the fra)ewor: of your
choice
1!1
$ustom *og /n age
1!
1!3
'security(for!-login login-page)"/login"
authentication-failure-url="/login?error"/>
</securit%=ttp>
'security(for!-login login-page)"/login"
authentication-failure-url="/login?error"/>
</securit%=ttp>
1!B
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
1!.
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
1!C
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
try %

+
1!6
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
1!F
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
(oe&
+ )atch -22
1!G
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
Me&, &o the current
u&er )u&t ha'e
R"*.3#S.R
11!
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
8ot %ogged in
&o throw
$cce&&(enied
E0ception
111
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
11
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
+
113
(e%egating
?i%ter2ro0y
GEE +)e&&age&+
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
+
3!
+%ogin
11B
GEE +)e&&age&+%ogin
11.
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
GEE +)e&&age&+%ogin
11C
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+%ogin
116
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
try %

+
GEE +)e&&age&+%ogin
11F
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
GEE +)e&&age&+%ogin
11G
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
(oe&
+%ogin )atch -22
GEE +)e&&age&+%ogin
1!
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
Me&, &o the current
u&er )u&t ha'e
R"*.3#S.R
GEE +)e&&age&+%ogin
11
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
&&&
&&&
8ot %ogged in
&o throw
$cce&&(enied
E0ception
GEE +)e&&age&+%ogin
1
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
GEE +)e&&age&+%ogin
13
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
+
GEE +)e&&age&+%ogin
1B
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
Security
?i%ter<nterceptor
+
3!
+%ogin
GEE +)e&&age&+%ogin
1.
'security(intercept-url pattern)"/login"
access)"permitAll"/*
<securit%=form-login login-page,"/login"
authentication-ailure-url!"/login"error"/#
</securit%=ttp>
src-main-webapp-+.%-/,F-views-login(7sp)
1C
<c=url value,"/_!pring_!ecurit"_chec#" var,"loginUrl"/>
<form action,">#login)rl+" metod,"po!t">
<c=if test,">#param&error E, null+">
<div class,"alert alert-error">
Failed to login&
<c=if test,">#SAR01FGS.C)R06HG<8S6G.@C.A6071 E, null+">
Reason= <c=out value,">#SAR01FGS.C)R06HG<8S6G.@C.A6071&message+" />
</c=if>
</div>
</c=if>
<la$el for,"userna$e">)sername</la$el>
<input t%pe,"te%t" id,"userna$e" name,"_u!ername"/>
<la$el for,"password">Aass4ord</la$el>
<input t%pe,"password" id,"password" name,"_pa!!$or%"/>
<div class,"or$-actions">
<input id,"su&$it" class,"&tn" name,"su&$it" t%pe,"su&$it" value,"Login"/>
</div>
</form>
Multiple 8http9 Support
16
1F
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
GEE
+)e&&age&+re&ource&+)ain.c&&
1G
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE
?i%ter
4hain2ro0y
<securit%=ttp securit%,"none"
pattern!"/resources/**"/#
&&&
&&&
13!
Re!uest rocessing
(oe&
+re&ource&+)ain.c&&
)atch -resources-22
HTT
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE
?i%ter
4hain2ro0y
&&&
&&&
pattern,"/re!ource!/**"
131
Re!uest rocessing
Me&, &o &ecurity
i& di&ab%ed
HTT
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE
?i%ter
4hain2ro0y
&&&
&&&
13
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
GEE
133
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
GEE +)e&&age&+
13B
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
13.
Re!uest rocessing
(oe&
+ )atch
-resources-22
HTT
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
13C
Re!uest rocessing
8o, &o ne0t JhttpH
HTT
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
136
Re!uest rocessing HTT
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
(oe&
+ )atch -22
5defau%t pattern7
13F
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
Me&, &o &e%ect thi&
JhttpH
13G
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
(oe& + )atch -22
pattern,"/**"
pattern,"/**"
1B!
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
&&&
&&&
Me&, &o reQuire&
R"*.3#S.R
access,"hasRole(&ROLE_USER&)"
access,"hasRole(&ROLE_USER&)"
1B1
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
GEE
GEE
1B
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
?i%ter
4hain2ro0y
pattern!"/resources/**"#
'securit()intercept-url
pattern!"/resources/ad$in*css"
'/securit()http#
&&&
'/securit()http#
&&&
GEE
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
?i%ter
4hain2ro0y
1B3
Re!uest rocessing
'/securit()http#
&&&
'/securit()http#
&&&
(oe&
+re&ource&+)ain.c&&
)atch -resources-22
HTT
1BB
Re!uest rocessing
Me&, &o &e%ect JhttpH
HTT
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
?i%ter
4hain2ro0y
'/securit()http#
&&&
'/securit()http#
&&&
1B.
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
(oe& +re&ource&+)ain.c&&
)atch -resources-admin(css:
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
?i%ter
4hain2ro0y
'/securit()http#
&&&
'/securit()http#
&&&
pattern,"/re!ource!/a%min'c!!"
1BC
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
(oe& +re&ource&+)ain.c&&
)atch -resources-admin(css:
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
?i%ter
4hain2ro0y
'/securit()http#
&&&
'/securit()http#
&&&
1B6
(e%egating
?i%ter2ro0y
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
GEE +)e&&age&+
8o, it doe& not )atch.
8o )ore pattern& for thi&
JhttpH, &o grant acce&&
?i%ter
4hain2ro0y
E0ception
Eran&%ation?i%ter
?i%ter
4hain2ro0y
'/securit()http#
&&&
'/securit()http#
&&&
*og "ut
1BF
1BG
&&&
<securit%=logout />
</securit%=ttp>
&&&
<securit%=logout />
</securit%=ttp>
JS Tags
1.!
src-main-webapp-+.%-/,F-views-header(7sp)
1.1
<2sp=root "
9mlns=sec,"http)//www*springra$ewor+*org/securit(/tags">
<sec=autoriIe access,"authenticated">
" is te user autenticated "
<span class,"na,&ar-te%t">
-elcome,
<sec=autentication
propert%,"na$e"/>
</span>
</sec=autoriIe>
"
</2sp=root>
<2sp=root "
9mlns=sec,"http)//www*springra$ewor+*org/securit(/tags">
<sec=autoriIe access,"authenticated">
" is te user autenticated "
<span class,"na,&ar-te%t">
-elcome,
<sec=autentication
propert%,"na$e"/>
</span>
</sec=autoriIe>
"
</2sp=root>
Method *evel Security
1.
1.3
<securit%=glo$al-metod-securit%
pre-post-annotations,"true"/>
<securit%=glo$al-metod-securit%
pre-post-annotations,"true"/>
MessageRepository(7ava
1.B
JAost8utoriIe('asRole(KR7<.G)S.RK!'!
Lessage find7ne(<ong id!*
JAost8utoriIe('asRole(KR7<.G)S.RK!'!
Lessage find7ne(<ong id!*
1..
Aean
2o&t2roce&&or
Shou%d < &ecure thi&
"bDectN
Application$onte)t
-e&&ageRepo&itory
1.C
Aean
2o&t2roce&&or
Me&, it ha& a Security
$nnotation on it
Application$onte)t
-e&&ageRepo&itory
1.6
Aean
2o&t2roce&&or
Rep%ace it with a
Secure i)p%e)entation
Application$onte)t
Secure
-e&&ageRepo&itory
SecureMessageRepository
1.F
public class SecureLessageRepositor% i!ple!ents
LessageRepositor% #
public Lessage find7ne(<ong id! #
// Are8utoriIe cec:s
Lessage result , delegate&find7ne(id!*
// Aost8utoriIe cec:s
return result*
+
"
// delegate , original LessageRepositor%
private LessageRepositor% delegate*
+
1.G
$t Spring"ne G#R
*
When and why wou%d < u&e "$uthN
*
-a:ing 4onnection& with Spring Socia%
WebR &pring&ource.org
*
GithubR github.co)+rwinch+getting@&tarted@&pring&ecurity@31
*
8ew&%etterR &pring&ource.org+new&@e'ent&
*
EwitterR twitter.co)+SpringSecurity twitter.co)+rob_winch
*
MouEubeR youtube.co)+u&er+SpringSource(e'
*
Lin:ed<nR &pring&ource.org+%in:edin
Learn -ore. Stay 4onnected.

Getting Started With Spring Security 3.1 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Getting Started With Spring Security 3.1 PDF

Uploaded by

Copyright:

Available Formats

Getting Started with Spring

2roteo)ic& Re&earch at Loyo%a 9ni'er&ity 4hicago 51 year7

Started profe&&iona% career a& 2ERL contractor in 3igh Schoo%

(ataba&e, L($2, 4$S, "pen<(, 2re@$uthentication, cu&to), etc

You might also like