CODEWITHSUNDEEP
spring
Jon
Jon

Reputation: 3194

Creating secure pages in Spring

I am creating a website using Spring and want all pages under the folder "/admin" to be secure. However don't really know where to start and only have one complicated example to go on.

At work, we store the details in a database but I was hoping it could be more simple than that, maybe stored in context.xml or something? I am confronted with this page:

enter image description here

web.xml:

    <security-constraint>
    <display-name>admin pages</display-name>
    <web-resource-collection>
        <web-resource-name>Administration Pages</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>userAdmin</role-name>
    </auth-constraint>
    <!--  <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>-->
</security-constraint>

and in tomcat-users.xml I have the following password information:

<user password="password" roles="tomcat,role1,manager-script,manager-gui,admin,manager" username="user"/>

But when I try and access the page /admin/adminindex.htm, I get a forbidden error:

Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Ideally I would like to store user details in the database but can't progress with either at the moment.

Upvotes: 1

Views: 695

Answers (3)

pgardunoc
pgardunoc

Reputation: 331

I would start with this:

http://docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/springsecurity.html
You can also check out this project that already has the basic code to start using Spring Security

https://github.com/pgardunoc/spring-security

Upvotes: 0

pgardunoc
pgardunoc

Reputation: 331

This is how I secure applications using Spring Security, here is the web.xml

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-servlet.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>


    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/myapp/*</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>



spring-security.xml


     <security:http auto-config="true" use-expressions="true" access-denied-page="/" create-session="never" disable-url-rewriting="true">

    <security:intercept-url pattern="/myapp/auth/login" access="permitAll" />
    <security:intercept-url pattern="/myapp/main/**"  access="hasRole('ROLE_USER')" />

    <security:form-login login-page="/" authentication-failure-url="/myapp/auth/login?error=true" default-target-url="/myapp/main/default"/>
    <security:logout invalidate-session="true" logout-success-url="/myapp/auth/login" logout-url="/myapp/auth/logout" />

</security:http>


In order to authenticate using a Database you can use an Authentication Manager like this in spring-security.xml



 <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

Where "userService" is a service you define that has access to the Database, your service must implement org.springframework.security.core.userdetails.UserDetailsService and write the method 


 public UserDetails loadUserByUsername(String userName)
        throws UsernameNotFoundException, DataAccessException {
    UserDetails user = null;
    try {
        // Replace loadUserFromDB with your Data access method to pull the user and encrypted password from the database
        Users u = loadUserFromDB(userName);
        if(u != null)
            user = new User(u.getEmail(), u.getPassword().toLowerCase(), true, true, true, true, getAuthorities(0));
    } catch (Exception e) {
        e.printStackTrace();
    }
    return user;
 }


Spring security will use this method to secure your pages. Make sure to include this method:


    public Collection<GrantedAuthority> getAuthorities(Integer access) {
    // Create a list of grants for this user
    List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(1);
    authList.add(new GrantedAuthorityImpl("ROLE_USER"));
    authList.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
    return authList;
    }

Upvotes: 0

beny23
beny23

Reputation: 35018

I would look into Spring Security, which offers a plethora of options for securing websites (including DB-backed or JNDI-backed security). The tutorial may prove a good starting point.

Upvotes: 2

Related Questions