In this tutorial, we will show you how to integrate Spring Security with a Spring MVC web application to secure a URL access. After implementing Spring Security, to access the content of an “admin” page, users need to key in the correct “username” and “password”.
Technologies used :
- Spring 3.2.8.RELEASE
- Spring Security 3.2.3.RELEASE
- Eclipse 4.2
- JDK 1.6
- Maven 3
Note Spring Security 3.0 requires Java 5.0 Runtime Environment or higher
1. Project Demo
2. Directory Structure
Review the final directory structure of this tutorial.
3. Spring Security Dependencies
To use Spring security, you need spring-security-web and spring-security-config.
pom.xml
1.6
3.2.8.RELEASE
3.2.3.RELEASE
1.2
org.springframework
spring-core
${spring.version}
org.springframework
spring-web
${spring.version}
org.springframework
spring-webmvc
${spring.version}
org.springframework.security
spring-security-web
${spring.security.version}
org.springframework.security
spring-security-config
${spring.security.version}
jstl
jstl
${jstl.version}
4. Spring MVC Web Application
A simple controller :
If URL =/welcome or /, return hello page.
If URL =/admin, return admin page.
Later, we will show you how to use Spring Security to secure the “/admin” URL with a user login form.
HelloController.java
package com.mkyong.web.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class HelloController {
@RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET)
public ModelAndView welcomePage() {
ModelAndView model = new ModelAndView();
model.addObject("title", "Spring Security Hello World");
model.addObject("message", "This is welcome page!");
model.setViewName("hello");
return model;
}
@RequestMapping(value = "/admin**", method = RequestMethod.GET)
public ModelAndView adminPage() {
ModelAndView model = new ModelAndView();
model.addObject("title", "Spring Security Hello World");
model.addObject("message", "This is protected page!");
model.setViewName("admin");
return model;
}
}
Two JSP pages.
hello.jsp
<%@page session="false"%>
Title : ${title}
Message : ${message}
admin.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
Title : ${title}
Message : ${message}
Welcome : ${pageContext.request.userPrincipal.name} | " > Logout
从上面的代码可以看到,spring security的信息是保存在userPrincipal中的
mvc-dispatcher-servlet.xml
/WEB-INF/pages/
.jsp
5. Spring Security : User Authentication
Create a Spring Security XML file.
spring-security.xml
It tells, only user “mkyong” is allowed to access the /admin URL.
6. Integrate Spring Security
To integrate Spring security with a Spring MVC web application, just declares DelegatingFilterProxy` as a servlet filter to intercept any incoming request.
web.xml
Spring MVC Application
mvc-dispatcher
org.springframework.web.servlet.DispatcherServlet
1
mvc-dispatcher
/
org.springframework.web.context.ContextLoaderListener
contextConfigLocation
/WEB-INF/spring-security.xml
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
spring security就是一个过滤器,spring mvc就是一个servlet。
7. Demo
That’s all, but wait… where’s the login form? No worry, if you do not define any custom login form, Spring will create a simple login form automatically.
- Welcome Page –
http://localhost:8080/spring-security-helloworld-xml/welcome
spring-security-helloworld-welcome - Try to access
/adminpage, Spring Security will intercept the request and redirect to/spring_security_login, and a predefined login form is displayed.
spring-security-helloworld-login - If username and password is incorrect, error messages will be displayed, and Spring will redirect to this URL
/spring_security_login?login_error.
spring-security-helloworld-login-error -
If username and password are correct, Spring will redirect the request to the original requested URL and display the page.
spring-security-helloworld-admin