Spring Security uses Spring EL for expression support; if you want to understand the topic in more depth, look at how Spring EL works. Expressions are evaluated against a “root object” that is part of the evaluation context, and when use-expressions="true" is set on the http element, every access value is such an expression (for example hasRole('ROLE_ADMIN') or permitAll). Below is the configuration for “applicationContext.xml”. Security is applied to any URL matching the pattern /admin; only a user with the ADMIN role can access this resource. The Spring configuration for this is:
To permit all users access to a particular resource, use:
To block any other request, use:
<security:intercept-url pattern="/**" access="denyAll" />
Form login can be set up as:
<security:form-login login-page="/login.htm" default-target-url="/welcome.htm" authentication-failure-url="/login.htm?error=incorrect_creds" username-parameter="username" password-parameter="password" />
For logout:
<security:logout logout-success-url="/login.htm" />
Users are also configured in the Spring configuration file. The authentication provider can instead be pointed at an external data source such as LDAP.
Full “applicationContext.xml”:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- The security namespace is the default namespace of this file, so its elements carry no prefix.
         The username-parameter and password-parameter attributes on form-login were added in
         Spring Security 3.1, so the 3.1 schema is referenced. -->
    <http auto-config="true" use-expressions="true">
        <!-- With use-expressions="true" every access value is a Spring EL expression;
             a bare role name such as ROLE_ADMIN would fail to evaluate. -->
        <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/403.htm" access="permitAll" />
        <intercept-url pattern="/login*" access="permitAll" />
        <form-login login-page="/login.htm" default-target-url="/admin.htm"
            authentication-failure-url="/login.htm?error=incorrect_creds"
            username-parameter="username" password-parameter="password" />
        <logout logout-success-url="/admin" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="john" password="password" authorities="ROLE_USER" />
                <user name="mike" password="password" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
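As an added example (not code from the original page or from Spring), the following Python script reads the intercept-url rules out of a configuration like the one above and resolves request paths against them the way Spring Security does, first match wins. It shows that a URL no rule matches is left without access control unless the /** denyAll catch-all from earlier is present, and that /admin* does not cover /admin/users. The config text is constructed here, and the Ant-to-regex translation is a simplified reimplementation of Spring's matcher, not Spring's own code.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"

# Constructed input: the <http> rules from the applicationContext.xml above, with
# access values as expressions; the /** denyAll catch-all is left out on purpose.
CONFIG_XML = """
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/403.htm" access="permitAll" />
    <intercept-url pattern="/login*" access="permitAll" />
  </http>
</beans:beans>
"""

def ant_to_regex(pattern):
    """Ant pattern to regex: '**' spans segments, '*' stays in one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            c = pattern[i]
            out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            i += 1
    return re.compile("^" + out + "$")

def load_rules(xml_text):
    """(pattern, access) pairs in document order, the order Spring evaluates."""
    root = ET.fromstring(xml_text)
    return [(e.get("pattern"), e.get("access"))
            for e in root.iter(SEC_NS + "intercept-url")]

def resolve(rules, path):
    """Access attribute of the first matching rule, or None when nothing matches:
    Spring Security 3.x then applies no access control to that request at all.
    The 3.x Ant matcher lowercases the URL before comparing, so do the same."""
    path = path.lower()
    for pattern, access in rules:
        if ant_to_regex(pattern.lower()).match(path):
            return access
    return None

if __name__ == "__main__":
    rules = load_rules(CONFIG_XML)
    print({u: resolve(rules, u) for u in ("/admin.htm", "/admin/users", "/reports.htm")})
    print(resolve(rules + [("/**", "denyAll")], "/reports.htm"))  # catch-all closes the hole
```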
Spring Security filter configuration in web.xml:
<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>