Authentication using Spring Security


What is Authentication? Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true (Wikipedia). Spring Security provides a security solution that is very portable: moving the application from one environment to another requires almost zero configuration change, because the security configuration travels with the application at the WAR level. Spring supports many different authentication models, including HTTP Basic authentication, form-based authentication, LDAP, etc. We will only focus on basic authentication.

Step 1:

Filter declaration in web.xml, which intercepts every matching URL and delegates the request to the Spring Security filter chain:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Step 2:

Web Security Service Configuration:

Here the parent element is <http>. Its child elements are intercept-url entries, each carrying a pattern that is checked against the requested URL; once a pattern matches, the role named in its access attribute is required for the request to proceed.

For the Basic authentication model, setting the attribute auto-config='true' will do the trick:

<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

For form-based authentication the login page URL must be specified explicitly, and the login page itself must be reachable anonymously:

<http auto-config='true'>
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page='/login.jsp'/>
</http>

Step 3:

Configuring a provider manager:

ProviderManager is an authentication manager implementation that delegates
responsibility for authentication to one or more authentication providers.

It can use many different identity repositories (database, LDAP, etc.) to authenticate the principal. Let's take authentication against a database. A DaoAuthenticationProvider is a simple authentication provider that uses a Data Access Object (DAO) to retrieve user information.

The userDetailsService bean must implement the UserDetailsService interface, whose loadUserByUsername method receives the username and must return the matching UserDetails object.

<!-- class names are those of Spring Security 2.0.x, matching the imports used in Step 4 -->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthentication" />
    </list>
  </property>
</bean>

<bean id="daoAuthentication" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
</bean>
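An added example of what the userDetailsService bean referenced above can look like (this is illustration code, not from the original post): a JDBC-backed UserDetailsService that binds the submitted username as a query parameter, maps the stored authorities to the ROLE_USER style used in Step 2, and signals an unknown user with UsernameNotFoundException. It assumes Spring Security 2.0.x package names (the version the Step 4 imports belong to) and a users/authorities schema that is an assumption, not something the post describes.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.dao.DataAccessResourceFailureException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
// Added example (not from the post): Spring Security 2.0.x package names, matching the
// JSP imports in Step 4; the users/authorities tables and their columns are assumed.
public class JdbcUserDetailsDao implements UserDetailsService {
    private final DataSource dataSource;
    public JdbcUserDetailsDao(DataSource dataSource) { this.dataSource = dataSource; }
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The username comes straight from the login form, so it is bound as a
        // parameter and never concatenated into the SQL text.
        String sql = "SELECT u.password, u.enabled, a.authority FROM users u "
                   + "JOIN authorities a ON a.username = u.username WHERE u.username = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                String password = null;   // should be stored in the form daoAuthentication's
                boolean enabled = false;  // passwordEncoder expects, never as plain text
                List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
                while (rs.next()) {
                    password = rs.getString("password");
                    enabled = rs.getBoolean("enabled");
                    auths.add(new GrantedAuthorityImpl(rs.getString("authority"))); // e.g. ROLE_USER
                }
                if (password == null) {
                    // Unknown user (or one with no authority row). DaoAuthenticationProvider reports
                    // this as a generic bad-credentials failure by default, so valid usernames leak nowhere.
                    throw new UsernameNotFoundException("No such user: " + username);
                }
                return new User(username, password, enabled, true, true, true,
                        auths.toArray(new GrantedAuthority[auths.size()]));
            }
        } catch (SQLException e) {
            throw new DataAccessResourceFailureException("User lookup failed", e);
        }
    }
}
```

Wire it in as <bean id="userDetailsService" class="JdbcUserDetailsDao"> with a constructor-arg pointing at the application's DataSource.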

Step 4:

Creating a simple login page with Spring Security tags:

<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %>
<%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %>
<%@ page import="org.springframework.security.AuthenticationException" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

...
<%-- POST so the credentials travel in the request body rather than in the URL and access logs --%>
<form action="j_spring_security_check" method="POST">
	<label for="j_username">Username</label>
	<input type="text" name="j_username" id="j_username" <c:if test="${not empty param.login_error}">value='<%= session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) %>'</c:if>/>
	<br/>
	<label for="j_password">Password</label>
	<input type="password" name="j_password" id="j_password"/>
	<br/>
	<input type='checkbox' name='_spring_security_remember_me'/> Remember me on this computer.
	<br/>
	<input type="submit" value="Login"/>
</form>