Friday, May 3, 2013

Spring Security - form based login + user details in XML + url based access control

This is the first article I am writing about the practical implementation of Spring Security. Throughout this article I will show how the Spring Security framework is integrated with a Spring MVC web application in practice.

Those who are new to Spring MVC can refer to the Spring MVC Web Application article before proceeding with this one. Others can download the source code below to follow along with this article.


This article covers the following areas:

1. Form-based user authentication with an XML-based userDetailsService
    (this userDetailsService is known as the in-memory user details service)

2. URL-based access control with Spring Security


First, open the project in your IDE. In my case, I am using IntelliJ IDEA. You will then see the overall project file and directory structure as follows.



Then we can proceed with the Spring Security integration for this web application.

First we will look at why Spring Security is so important. As you are aware, an application can have several user levels. Each user level is attached to a set of specific privileges known as user permissions, and we should be able to restrict or grant access to the different areas of the application based on those permissions. To achieve that, we will be using the Spring Security framework. Put simply, Spring Security will be used to control user access (access control) in the application.


The application has not been integrated with the Spring Security framework yet, so it has the following security vulnerabilities:

  1. Non-authenticated users (guests) can access the home page dedicated to authenticated users:
        http://localhost:8080/spring-mvc-sample/user/home

  2. Non-authenticated users (guests) can access the home page dedicated to admin users:
        http://localhost:8080/spring-mvc-sample/user/admin/welcome


Now we are going to integrate the Spring Security framework with this web application to fix those vulnerabilities. You can follow the steps below to integrate Spring Security with the sample Spring MVC application given above.


  • First, add the Spring Security Maven dependency to the pom.xml file.
  • Then add the following Spring Security filter mapping to the web.xml file.

  • Then add a Spring configuration XML file called spring-security.xml directly under the WEB-INF directory of the web application. Your spring-security.xml file should contain the following security configurations and declarations.

  • Finally, the location of the spring-security.xml file should be passed to the Spring Framework's ContextLoaderListener as part of the context configuration. That can be done by modifying the contextConfigLocation parameter of web.xml as follows.
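The four configuration fragments the steps above refer to, written out here as an added example rather than the post's own snippets. It assumes Spring Security 3.1.x with the XML namespace (the version number is an assumption; pick the 3.1.x release matching your Spring version), an existing Spring context file under WEB-INF whose name is a placeholder here, and that the protected URLs are exactly the two from the vulnerability list: /user/admin/** for ROLE_ADMIN and /user/** for ROLE_USER. The users and passwords are the credentials the post gives further down.

```xml
<!-- 1. pom.xml: Spring Security dependencies (version is an assumption) -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>

<!-- 2. web.xml: route every request through the Spring Security filter chain.
     The filter name must be exactly "springSecurityFilterChain": that is the bean
     the <http> element registers, and DelegatingFilterProxy looks it up by this name. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- 3. WEB-INF/spring-security.xml: form login, in-memory users, URL access rules -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- auto-config="true" registers form login, HTTP Basic and logout;
         use-expressions="true" enables hasRole()/permitAll in the access attributes -->
    <http auto-config="true" use-expressions="true">
        <!-- Rules are evaluated top to bottom and the first match wins, so the most
             specific (admin) pattern must come before the broader /user/** pattern.
             Reversing the two would let any ROLE_USER reach the admin pages. -->
        <intercept-url pattern="/user/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/user/**"       access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/**"            access="permitAll" />

        <!-- No login-page attribute: Spring Security 3.1 serves its own generated
             login form at /spring_security_login, so the demo needs no login controller -->
        <form-login default-target-url="/user/home" />
        <logout logout-success-url="/" />
    </http>

    <!-- In-memory userDetailsService: users and their roles are declared in XML -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="chathuranga" password="admin" authorities="ROLE_USER" />
                <user name="darshana"    password="admin" authorities="ROLE_ADMIN,ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

<!-- 4. web.xml: hand spring-security.xml to ContextLoaderListener together with the
     application's existing context file (placeholder file name, not the post's own) -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/your-existing-context.xml
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
```

With this in place, an anonymous request to /user/home is redirected to the login form, and a user holding only ROLE_USER who requests /user/admin/welcome gets a 403 rather than the page. The in-memory service with plaintext passwords is adequate for a demo like this one; the natural next step for a real deployment is a `<password-encoder>` inside the authentication-provider so the declared passwords are stored as hashes.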


Now you have successfully integrated your web application with the Spring Security framework.


Now you can use the following login credentials to check whether the security vulnerabilities identified above still exist.

User Credentials (who has ROLE_USER)

username : chathuranga
password : admin

Admin User Credentials (who has ROLE_ADMIN and ROLE_USER)

username : darshana
password : admin

The completed source code of this post can be found on GitHub.


I think this post might help you to get some understanding of Spring Security.

Thanks and Regards
Chathuranga Tennakoon
chathuranga.t@gmail.com
http://lk.linkedin.com/in/chathurangatennakoon

