Spring Security hello world example

In this tutorial, we will show you how to integrate Spring Security with a Spring MVC web application to secure a URL access. After implementing Spring Security, to access the content of an “admin” page, users need to key in the correct “username” and “password”.
Technologies used :

  • Spring 3.2.8.RELEASE
  • Spring Security 3.2.3.RELEASE
  • Eclipse 4.2
  • JDK 1.6
  • Maven 3

Note Spring Security 3.0 requires Java 5.0 Runtime Environment or higher

1. Project Demo

2. Directory Structure

Review the final directory structure of this tutorial.


spring-security-helloworld-directory

3. Spring Security Dependencies

To use Spring security, you need spring-security-web and spring-security-config.

pom.xml

<properties> 
    <jdk.version>1.6</jdk.version> 
    <spring.version>3.2.8.RELEASE</spring.version>        
    <spring.security.version>3.2.3.RELEASE</spring.security.version>  
    <jstl.version>1.2</jstl.version> 
</properties> 
<dependencies> 
    <!-- Spring dependencies --> 
    <dependency> 
        <groupId>org.springframework</groupId> 
        <artifactId>spring-core</artifactId> 
        <version>${spring.version}</version> 
    </dependency> 
    <dependency> 
        <groupId>org.springframework</groupId> 
        <artifactId>spring-web</artifactId>
        <version>${spring.version}</version> 
    </dependency> 
    <dependency> 
        <groupId>org.springframework</groupId> 
       <artifactId>spring-webmvc</artifactId> 
       <version>${spring.version}</version> 
    </dependency> 
    <!-- Spring Security --> 
    <dependency> 
        <groupId>org.springframework.security</groupId> 
        <artifactId>spring-security-web</artifactId> 
        <version>${spring.security.version}</version> 
    </dependency> 
    <dependency> 
        <groupId>org.springframework.security</groupId> 
        <artifactId>spring-security-config</artifactId> 
        <version>${spring.security.version}</version> 
    </dependency> 
    <!-- jstl for jsp page --> 
    <dependency> 
        <groupId>jstl</groupId> 
        <artifactId>jstl</artifactId> 
        <version>${jstl.version}</version> 
    </dependency> 
</dependencies>

4. Spring MVC Web Application

A simple controller :
If URL =/welcome or /, return hello page.
If URL =/admin, return admin page.
Later, we will show you how to use Spring Security to secure the “/admin” URL with a user login form.

HelloController.java

package com.mkyong.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {  
    
    @RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET)  
    public ModelAndView welcomePage() {     
        
        ModelAndView model = new ModelAndView();
    model.addObject("title", "Spring Security Hello World");        
        model.addObject("message", "This is welcome page!");                  
        model.setViewName("hello");     
        return model;   
    }   

    @RequestMapping(value = "/admin**", method = RequestMethod.GET) 
    public ModelAndView adminPage() {       
        
        ModelAndView model = new ModelAndView();        
        model.addObject("title", "Spring Security Hello World");        
        model.addObject("message", "This is protected page!");        
        model.setViewName("admin");     
        return model;   
    }
}

Two JSP pages.

hello.jsp

<%@page session="false"%>
<html>
    <body>  
        <h1>Title : ${title}</h1>       
       <h1>Message : ${message}</h1>    
    </body>
</html>

admin.jsp

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
    <body>  
        <h1>Title : ${title}</h1>   
        <h1>Message : ${message}</h1>   
       <c:if test="${pageContext.request.userPrincipal.name != null}">   
          <h2>Welcome : ${pageContext.request.userPrincipal.name} | <a href="<c:url value="/j_spring_security_logout" />" > Logout</a></h2>     
        </c:if>
    </body>
</html>

从上面的代码可以看到,spring security的信息是保存在userPrincipal中的

mvc-dispatcher-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"     
    xmlns:context="http://www.springframework.org/schema/context"      
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   
    xsi:schemaLocation=
        "http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema /beans/spring-beans-3.0.xsd  
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context-3.0.xsd"> 

    <context:component-scan base-package="com.mkyong.*" />  
    <bean    class="org.springframework.web.servlet.view.InternalResourceViewResolver">    
        <property name="prefix">        
            <value>/WEB-INF/pages/</value>   
        </property>  
        <property name="suffix">        
            <value>.jsp</value>  
        </property> 
    </bean>
</beans>

5. Spring Security : User Authentication

Create a Spring Security XML file.

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"     
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       
    xsi:schemaLocation="http://www.springframework.org/schema/beans  
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd     
    http://www.springframework.org/schema/security  
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">    
    <http auto-config="true">       
        <intercept-url pattern="/admin**" access="ROLE_USER" /> 
    </http> 
    <authentication-manager>     
        <authentication-provider>    
            <user-service>      
                <user name="mkyong" password="123456" authorities="ROLE_USER" />     
           </user-service>   
        </authentication-provider>  
    </authentication-manager>
</beans:beans>

It tells, only user “mkyong” is allowed to access the /admin URL.

6. Integrate Spring Security

To integrate Spring security with a Spring MVC web application, just declares DelegatingFilterProxy` as a servlet filter to intercept any incoming request.

web.xml

<web-app id="WebApp_ID" version="2.4"   
    xmlns="http://java.sun.com/xml/ns/j2ee"     
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"     
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee     
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">   
    <display-name>Spring MVC Application</display-name> 

    <!-- Spring MVC --> 
    <servlet>       
        <servlet-name>mvc-dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>        
        <load-on-startup>1</load-on-startup>    
    </servlet>  
    
    <servlet-mapping>       
        <servlet-name>mvc-dispatcher</servlet-name>     
        <url-pattern>/</url-pattern>    
    </servlet-mapping>  

    <listener>      
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>    
    </listener> 
    
    <!-- Loads Spring Security config file -->  
    <context-param>     
        <param-name>contextConfigLocation</param-name>      
        <param-value>/WEB-INF/spring-security.xml</param-value>
    </context-param>    

    <!-- Spring Security -->    
    <filter>        
         <filter-name>springSecurityFilterChain</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy </filter-class> 
    </filter>   
    <filter-mapping>        
        <filter-name>springSecurityFilterChain</filter-name>        
        <url-pattern>/*</url-pattern>   
    </filter-mapping>

</web-app>

spring security就是一个过滤器,spring mvc就是一个servlet。

7. Demo

That’s all, but wait… where’s the login form? No worry, if you do not define any custom login form, Spring will create a simple login form automatically.

  1. Welcome Page –http://localhost:8080/spring-security-helloworld-xml/welcome
    spring-security-helloworld-welcome
  2. Try to access /admin page, Spring Security will intercept the request and redirect to /spring_security_login, and a predefined login form is displayed.
    spring-security-helloworld-login
  3. If username and password is incorrect, error messages will be displayed, and Spring will redirect to this URL /spring_security_login?login_error.
    spring-security-helloworld-login-error
  4. If username and password are correct, Spring will redirect the request to the original requested URL and display the page.


    spring-security-helloworld-admin
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 206,482评论 6 481
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 88,377评论 2 382
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 152,762评论 0 342
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 55,273评论 1 279
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 64,289评论 5 373
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,046评论 1 285
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,351评论 3 400
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,988评论 0 259
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 43,476评论 1 300
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,948评论 2 324
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,064评论 1 333
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,712评论 4 323
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,261评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,264评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,486评论 1 262
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,511评论 2 354
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,802评论 2 345

推荐阅读更多精彩内容