 

Spring Security example

I am learning Spring and trying to implement Spring Security. I am not able to understand how it works. I read tutorials from which I understood the following:

  1. we have to configure web.xml for delegating proxy and pattern
  2. we need to add intercepts to dispatcher-servlet.xml

When a request is made it triggers intercepts, but after that I am unable to understand how it works. It would be helpful if somebody could provide a list of steps to be followed. I am using Hibernate and Spring (both with annotations), and I want to authenticate users using Hibernate.

Manish Mahajan asked Mar 18 '14 15:03





1 Answer

A detailed article can be found here: Code Project
Or a tutorial with MVC and Spring Security here.

I tried to illustrate the process a little bit:

  1. The user sends an HTTP request to the server
  2. The server processes the request according to the web.xml
  3. The web.xml contains a filter (AKA interceptor) and passes the request through this filter.
  4. Because the user is unknown/not authenticated, Spring Security does its best to get more details.
    Depending on the config, it
    • sends an HTTP header, so that a login popup pops up in the browser (client side).
    • redirects to a form where you can enter username and password.
    • does a lot of hidden interaction between server and browser to guarantee a "Single-Sign-On" (SSO)
  5. Except for SSO, the user enters her/his/its credentials and creates an additional request.
  6. Spring Security realizes the login attempt and authenticates the user against a
    • file with user and passwords
    • a built-in XML structure in a spring config file
    • a database
    • an LDAP
  7. When the access is granted, it assigns the necessary roles...
  8. ...and redirects to a hard-coded "home page". (Spring Security lets you adjust this behaviour.)
  9. In your application you can check the authorization for certain actions
  10. .....
  11. The user clicks on "logout" or the session expires. With the next request the process starts again.

Annotations

I found a tutorial here (Link).

I understood/assume the following facts:

  • The filters still must be defined in the web.xml.
  • You can annotate your classes/methods with
    • @Controller (API)
    • @Secured (API)
    • @RequestMapping (API)

I admit that I only gave you a rough overview, because your question is not that specific.

Please let me know what you want to learn in detail (re-recognize users, authenticate against different resources, do a SSO, create a secured area on your webpage,...)

Markus answered Oct 05 '22 23:10

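
Steps 6 and 7 of the answer (authenticate against a database, then assign roles) are usually done with Hibernate, as the question asks, by supplying a `UserDetailsService`. The following is an added example, not code from the question or the answer. The `AppUser` entity, its table and field names, and the bean name are assumptions, as are an already configured `SessionFactory` and transaction manager.

```java
import java.util.*;
import javax.persistence.*;
import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical entity: table and field names are assumptions for this example.
@Entity
@Table(name = "app_user")
class AppUser {
    @Id String username;
    String passwordHash;   // a password hash (e.g. BCrypt), never the plain password
    boolean enabled;
    @ElementCollection(fetch = FetchType.EAGER)
    List<String> roles = new ArrayList<>();   // e.g. "ROLE_USER", "ROLE_ADMIN"
}

// Looks the user up through Hibernate; Spring Security calls this on each login attempt.
@Service("hibernateUserDetailsService")
public class HibernateUserDetailsService implements UserDetailsService {
    private final SessionFactory sessionFactory;

    @Autowired
    public HibernateUserDetailsService(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Bound parameter: the submitted name is never concatenated into the HQL.
        AppUser u = (AppUser) sessionFactory.getCurrentSession()
                .createQuery("from AppUser where username = :name")
                .setParameter("name", username)
                .uniqueResult();
        if (u == null) {
            throw new UsernameNotFoundException("unknown user");
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : u.roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // Spring Security itself compares the submitted password against this hash.
        return new User(u.username, u.passwordHash, u.enabled, true, true, true, authorities);
    }
}
```

To take effect, the bean has to be referenced from the authentication provider in the security configuration (in XML, `user-service-ref="hibernateUserDetailsService"`), together with a password encoder that matches the stored hash format.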