In this section, you will learn about authorized access through Spring Security.
Sometimes you need to secure a page from unauthorized access. Authorized access means that a page can be reached only with a permitted username and password. For example, the admin section page should be accessible to the admin only.
In the example below, we secure URL access with the login form that Spring Security generates automatically. The user needs to provide correct login credentials to view the page. To access the admin section, you need to provide the admin login and password, while for the user section both the admin and user logins are permitted.
The tools and technologies used in the example are given below:
You can configure authorized access (in spring-security.xml) as follows:
<http auto-config="true">
    <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
    <logout logout-success-url="/admin" />
    <intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
    <logout logout-success-url="/index" />
</http>
This means that a user with the authority ROLE_ADMIN can access the URL /admin. The URL /index is open to both types of user, those with the authority ROLE_USER and those with ROLE_ADMIN.
The project structure and jar files used are given below:
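To check which request paths these two rules actually cover, the following added example (not part of the original tutorial) loads the intercept-url rules and evaluates them in order, first match wins. The Ant-pattern translation is a simplified model, and the sample paths and the tighter rule set are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://www.springframework.org/schema/security"}
# The intercept-url rules from this page's spring-security.xml (logout elements omitted).
PAGE_HTTP = """<http xmlns="http://www.springframework.org/schema/security" auto-config="true">
  <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
  <intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
</http>"""
# Constructed variant: subtree pattern for /admin plus a catch-all as the last rule.
TIGHTER_HTTP = """<http xmlns="http://www.springframework.org/schema/security" auto-config="true">
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
  <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
</http>"""

def ant_to_regex(pattern):
    """Simplified Ant matching: '*' stays inside one path segment, '**' spans segments."""
    tail = ""
    if pattern.endswith("/**"):  # a trailing /** also matches the directory itself
        pattern, tail = pattern[:-3], "(?:/.*)?"
    out = ""
    for part in re.split(r"(\*\*|\*|\?)", pattern):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(part, re.escape(part))
    return re.compile("^" + out + tail + "$")

def load_rules(http_xml):
    """Return (regex, roles) pairs in document order."""
    elems = ET.fromstring(http_xml).findall("s:intercept-url", NS)
    return [(ant_to_regex(e.get("pattern")), e.get("access").split(",")) for e in elems]

def required_roles(rules, path):
    """First matching rule wins; None means no rule covers the path."""
    for regex, roles in rules:
        if regex.match(path):
            return roles
    return None

# Constructed request paths used to probe rule coverage.
SAMPLE_PATHS = ["/admin", "/admin.html", "/admin/", "/admin/users", "/index", "/reports"]

def coverage(http_xml):
    rules = load_rules(http_xml)
    return {path: required_roles(rules, path) for path in SAMPLE_PATHS}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_HTTP), ("tighter", TIGHTER_HTTP)):
        print(name, coverage(cfg))
```

A path that maps to None has no intercept-url rule, and Spring Security treats a request without a matching rule as unsecured. With the page's rules, /admin and /admin.html require ROLE_ADMIN, but paths below /admin/ match no rule.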
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
    <display-name>SpringSecurityAuthorizedAccessCustomLogin</display-name>
    <servlet>
        <servlet-name>Dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/Dispatcher-servlet.xml,
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    <http auto-config="true">
        <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
        <logout logout-success-url="/admin" />
        <intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
        <logout logout-success-url="/index" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="roseindia" authorities="ROLE_USER" />
                <user name="admin" password="deepak" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    <context:component-scan base-package="net.roseindia" />
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix">
            <value>/WEB-INF/views/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>
    <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basenames">
            <list>
                <value>LoginMsg</value>
            </list>
        </property>
    </bean>
</beans>
LoginController.java
package net.roseindia;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    // Handles /admin, which spring-security.xml restricts to ROLE_ADMIN.
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String welcomeAdmin(ModelMap model, Principal principal) {
        // Name of the authenticated user, displayed by the welcome view.
        String username = principal.getName();
        model.addAttribute("user", username);
        model.addAttribute("msg", "Spring Security - ADMIN PAGE");
        return "welcome";
    }

    // Handles /index, which is open to ROLE_USER and ROLE_ADMIN.
    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public String printMessage(ModelMap model, Principal principal) {
        String username = principal.getName();
        model.addAttribute("user", username);
        model.addAttribute("msg", "Spring Security-USER LOGIN");
        return "welcome";
    }
}
LoginMsg.properties
AbstractUserDetailsAuthenticationProvider.badCredentials=Wrong username\ /\ password
When you call the URL below:
http://localhost:9090/SpringSecurityAuthorizedAccess/admin
You will get the following page:
If you try to log in with the user login (username: user, password: roseindia), you will get the error message below:
If you log in with the admin login (username: admin, password: deepak), you will get the following page: