I am trying to integrate Spring Security in my project. I have followed the documentation given here: https://spring.io/guides/gs/securing-web/ Instead of Spring Boot, I have configured everything using XML. My <code>web.xml</code> is: <pre class="prettyprint lang-xml prettyprint-override"><code><listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <servlet> <servlet-name>dispatcher</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.css</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>default</servlet-name> <url-pattern>*.js</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>dispatcher</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> </code></pre> <code>dispatcher-servlet.xml</code>: <pre class="prettyprint"><code><context:component-scan base-package="com.name.ot" /> <bean id="resolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" /> <property name="prefix" value="/WEB-INF/" /> <property name="suffix" value=".jsp" /> </bean> </code></pre> And my view controller is: <pre class="prettyprint"><code>@Controller public class HomeController{ @RequestMapping(value={"/", "/home"}, method = RequestMethod.GET) public ModelAndView home() { ModelAndView model = new ModelAndView("home"); return model; } @RequestMapping(value={"/hello"}, method = RequestMethod.GET) public ModelAndView hello() { ModelAndView model = new ModelAndView("hello"); return model; } @RequestMapping(value={"/login"}, method = RequestMethod.GET) public ModelAndView login() { ModelAndView model = new ModelAndView("login"); return model; } } </code></pre> My security class: <pre class="prettyprint"><code>@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER"); } } </code></pre> But, I am able to access all the pages, <code>/</code>, <code>/home</code>, <code>/hello</code>, <code>/login</code>. I don't want the user to directly access <code>/hello</code>, without going in <code>/login</code>. What am I doing wrong?

You have to register Filter Chain Proxy. For XML configuration, see Spring Security Reference: <blockquote> When using servlet filters, you obviously need to declare them in your <code>web.xml</code>, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s <code>DelegatingFilterProxy</code> provides the link between <code>web.xml</code> and the application context. When using <code>DelegatingFilterProxy</code>, you will see something like this in the <code>web.xml</code> file: <pre class="prettyprint lang-xml prettyprint-override"><code><filter> <filter-name>myFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>myFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </code></pre> </blockquote> For Java configuration and Servlet API 3+, see Spring Security Reference: <blockquote> The next step is to register the <code>springSecurityFilterChain</code> with the war. This can be done in Java Configuration with Spring’s <code>WebApplicationInitializer</code> support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class <code>AbstractSecurityWebApplicationInitializer</code> that will ensure the <code>springSecurityFilterChain</code> gets registered for you. </blockquote>

Why is Spring Security not working?

I am trying to integrate Spring Security in my project.

I have followed the documentation given here: https://spring.io/guides/gs/securing-web/

Instead of Spring Boot, I have configured everything using XML.

My web.xml is:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.css</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.js</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

dispatcher-servlet.xml:

<context:component-scan base-package="com.name.ot" />

<bean id="resolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass"
        value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/" />
    <property name="suffix" value=".jsp" />
</bean>

And my view controller is:

@Controller
public class HomeController{

    @RequestMapping(value={"/", "/home"}, method = RequestMethod.GET)
    public ModelAndView home() {

        ModelAndView model = new ModelAndView("home");
        return model;
    }

    @RequestMapping(value={"/hello"}, method = RequestMethod.GET)
    public ModelAndView hello() {

        ModelAndView model = new ModelAndView("hello");
        return model;
    }

    @RequestMapping(value={"/login"}, method = RequestMethod.GET)
    public ModelAndView login() {

        ModelAndView model = new ModelAndView("login");
        return model;
    }
}

My security class:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

But, I am able to access all the pages, /, /home, /hello, /login.

I don't want the user to directly access /hello, without going in /login.

What am I doing wrong?

How do I enable Spring Security in spring boot?

For adding a Spring Boot Security to your Spring Boot application, we need to add the Spring Boot Starter Security dependency in our build configuration file. Maven users can add the following dependency in the pom. xml file. Gradle users can add the following dependency in the build.

Is Spring Security deprecated?

Overview. Spring Security allows customizing HTTP security for features, such as endpoints authorization or the authentication manager configuration, by extending a WebSecurityConfigurerAdapter class. However, in recent versions, Spring deprecates this approach and encourages a component-based security configuration.

I had the same issue.

My solution is as mentioned in the "Spring in action" book by Craig Walls p247. You need to create an empty class that extends AbstractSecurityWebApplicationInitializer.

public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {}

You have to register Filter Chain Proxy.

For XML configuration, see Spring Security Reference:

When using servlet filters, you obviously need to declare them in your web.xml, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s DelegatingFilterProxy provides the link between web.xml and the application context.

When using DelegatingFilterProxy, you will see something like this in the web.xml file:
<filter>
 <filter-name>myFilter</filter-name>
 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
 <filter-name>myFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

For Java configuration and Servlet API 3+, see Spring Security Reference:

The next step is to register the springSecurityFilterChain with the war. This can be done in Java Configuration with Spring’s WebApplicationInitializer support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class AbstractSecurityWebApplicationInitializer that will ensure the springSecurityFilterChain gets registered for you.

Why is Spring Security not working?

Tags:

java

spring-mvc

spring

spring-security

adi rohan

People also ask

2 Answers

user3559338

dur

Recent Activity

Donate For Us

Why is Spring Security not working?

Tags:

java

spring-mvc

spring

spring-security

adi rohan

People also ask

2 Answers

user3559338

dur

Related questions

Recent Activity

Donate For Us