Manish Mahajan

Reputation: 1170

Spring Security example

I am learning Spring and trying to implement Spring Security. I am not able to understand how it works. I read tutorials from which I understood the following:

  1. we have to configure web.xml for delegating proxy and pattern
  2. we need to add intercepts to dispatcher-servlet.xml

When a request is made it triggers intercepts, but after that I am unable to understand how it works. It would be helpful if somebody could provide a list of steps to be followed. I am using Hibernate and Spring (both with annotations), and I want to authenticate users using Hibernate.

Upvotes: 5

Views: 2121

Answers (4)

Relevart

Reputation: 747

There are some good step-by-step tutorials on how to integrate Spring Security. For example:

For Java config: http://jtuts.com/2016/03/03/spring-security-login-form-integration-example-with-java-configuration/

For XML config: http://jtuts.com/2016/03/02/spring-security-login-form-integration-example-with-xml-configuration/

Upvotes: 0

ACV

Reputation: 10560

I think you don't have to bother with XML anymore. Now you can use Spring Boot + annotation-based configuration. One of the best tutorials I found is this one: A good spring security tutorial

Upvotes: 0

Markus

Reputation: 773

A detailed article can be found here: Code Project
Or a tutorial with MVC and Spring Security here.

I tried to illustrate the process a little bit:

  1. The user sends an HTTP request to the server
  2. The server processes the request according to the web.xml
  3. The web.xml contains a filter (AKA interceptor) and passes the request through this filter.
  4. Because the user is unknown/not authenticated, Spring Security does its best to get more details.
    Depending on the config, it
    • sends an HTTP header, so that a login popup pops up in the browser (client side).
    • redirects to a form where you can enter username and password.
    • does a lot of hidden interaction between server and browser to guarantee a "Single-Sign-On" (SSO)
  5. Except for SSO, the user enters her/his/its credentials and creates an additional request.
  6. Spring Security realizes the login attempt and authenticates the user against a
    • file with user and passwords
    • a built-in XML structure in a spring config file
    • a database
    • an LDAP
  7. When the access is granted, it assigns the necessary roles...
  8. ...and redirects to hard-coded "home page". (Spring Security lets you adjust this behaviour.)
  9. In your application you can check the authorization for certain actions
  10. .....
  11. The user clicks on "logout" or the session expires. With the next request the process starts again.

Annotations

I found a tutorial here (Link).

I understood/assume the following facts:

  • The filters still must be defined in the web.xml.
  • You can annotate your classes/methods with
    • @Controller (API)
    • @Secured (API)
    • @RequestMapping (API)

I admit that I only gave you a rough overview, because your question is not that specific.

Please let me know what you want to learn in detail (re-recognize users, authenticate against different resources, do a SSO, create a secured area on your webpage,...)

Upvotes: 11

Chip

Reputation: 380

Spring uses a dispatcher servlet for delegating the request. Spring Security filters the request and checks if a valid security context is established. If so, the request is passed to the dispatcher and it passes the request forward to the corresponding controller. If no security context is established, Spring Security intercepts the request, which means it could manipulate the request before the dispatcher servlet could process it. During this interception the request dispatcher (Servlet Specification) will be assigned to forward the request to a login page.

Upvotes: 0
