Note 1: You need some prior knowledge of JavaServer Pages (JSP) and Apache Maven before you start this example.
Start the web server (like Apache Tomcat) with an existing web project, or create one.
Visit index.jsp.
Anybody can access that page; it's insecure!
Adding dependencies to your pom.xml file
pom.xml
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
Note 1: If your project does not already use Spring, it has no "spring-context" dependency. This example uses XML configuration with "spring-context", so add this dependency too.
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
Note 2: If your project does not already use JSTL, it has no JSTL dependency. This example uses JSTL in the JSP page, so add this dependency too.
<dependency>
<groupId>org.glassfish.web</groupId>
<artifactId>javax.servlet.jsp.jstl</artifactId>
<version>1.2.1</version>
</dependency>
Create a folder named "spring" inside the "WEB-INF" folder and create a security.xml file in it. Copy and paste the following code.
WEB-INF/spring/security.xml
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http />
<user-service>
<user name="stackoverflow" password="pwd" authorities="ROLE_USER" />
</user-service>
</b:beans>
Update your web.xml inside the "WEB-INF" folder
WEB-INF/web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Note: If your project does not already use Spring, it has no configuration for loading the Spring context. So add this parameter and listener too.
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/*.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
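A check for the web.xml wiring described above, written as an added example that is not part of the original tutorial or of Spring Security itself. The function names `check_web_xml` and `web_xml` are hypothetical, and the sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

# Spring Security registers its filter chain under this bean name, and
# DelegatingFilterProxy looks the bean up by <filter-name>.
NAME = "springSecurityFilterChain"
PROXY = "org.springframework.web.filter.DelegatingFilterProxy"
LISTENER = "org.springframework.web.context.ContextLoaderListener"

def _local(tag):
    # ElementTree reports namespaced tags as '{uri}name'; keep only 'name'.
    return tag.rsplit("}", 1)[-1]

def _blocks(root, name):
    return [e for e in root if _local(e.tag) == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def check_web_xml(xml_text):
    """Return a list of wiring problems; an empty list means none were found."""
    root = ET.fromstring(xml_text)
    problems = []
    filters = _blocks(root, "filter")
    if not any(NAME in _texts(f, "filter-name") and PROXY in _texts(f, "filter-class") for f in filters):
        problems.append("filter '%s' is not declared as DelegatingFilterProxy" % NAME)
    patterns = [p for m in _blocks(root, "filter-mapping")
                if NAME in _texts(m, "filter-name") for p in _texts(m, "url-pattern")]
    if "/*" not in patterns:  # anything narrower leaves some URLs outside the filter chain
        problems.append("filter '%s' is not mapped to /* (found: %s)" % (NAME, patterns))
    if not any(LISTENER in _texts(l, "listener-class") for l in _blocks(root, "listener")):
        problems.append("ContextLoaderListener is not registered")
    if not any("contextConfigLocation" in _texts(p, "param-name") and any(_texts(p, "param-value"))
               for p in _blocks(root, "context-param")):
        problems.append("contextConfigLocation is not set")
    return problems

# Constructed sample descriptors (not from the original page).
_FILTER = "<filter><filter-name>%s</filter-name><filter-class>%s</filter-class></filter>" % (NAME, PROXY)
_MAPPING = "<filter-mapping><filter-name>%s</filter-name><url-pattern>%%s</url-pattern></filter-mapping>" % NAME
_CONTEXT = ("<context-param><param-name>contextConfigLocation</param-name>"
            "<param-value> /WEB-INF/spring/*.xml </param-value></context-param>"
            "<listener><listener-class>%s</listener-class></listener>" % LISTENER)

def web_xml(pattern, with_context=True):
    body = _FILTER + _MAPPING % pattern + (_CONTEXT if with_context else "")
    return '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">%s</web-app>' % body

if __name__ == "__main__":
    for label, doc in [("tutorial", web_xml("/*")), ("narrow mapping", web_xml("/admin/*")),
                       ("no context", web_xml("/*", False))]:
        print(label, "->", check_web_xml(doc) or "ok")
```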
After starting your web server and visiting index.jsp, you will see the default login page generated by Spring Security, because you are not authenticated.
You can log in with:
username : stackoverflow
password : pwd
Note: the username and password are set in WEB-INF/spring/security.xml
Add a JSTL tag after "Hello" that prints the username.
index.jsp
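<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%-- JSTL core taglib, needed for c:out; goes at the top of index.jsp --%>
<h1>Hello <c:out value="${pageContext.request.remoteUser}" />!!</h1>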
Add form and input tags after "Hello user name" that submit to the logout URL /logout generated by Spring Security. The hidden input carries the CSRF token, which Spring Security requires on this POST request.
index.jsp
<h1>Hello <c:out value="${pageContext.request.remoteUser}" />!!</h1>
<form action="/logout" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>
When you log out successfully, you see the auto-generated login page again, because you are no longer authenticated.