Concept Overview
Spring provides a way to implement method level security. Only users authenticated with particular roles may be allowed to access a method. There are four ways to implement method level security.
- Annotate method using @Secured
- Annotate method using JSR-250 @RolesAllowed
- Use Spring’s Pre and Post invocation Annotations
- Match method using Pointcuts
In this tutorial we look at Annotating methods using @Secured tag. The first step is to enable the annotation using
<global-method-security secured-annotations="enabled" />
The example below explains the rest.
We demonstrate method level annotation using a simple login application. The diagram below explains the application.
- aopalliance-1.0.jar
- aspectjweaver-1.6.10.jar
- cglib.jar
- commons-logging-1.1.1.jar
- embeddedwebserver.jar
- jstl-1.2.jar
- org.springframework.web.servlet.jar
- servlet-api-2.5.jar
- spring-aop-3.0.7.RELEASE.jar
- spring-asm-3.0.7.RELEASE.jar
- spring-beans-3.0.7.RELEASE.jar
- spring-context-3.0.7.RELEASE.jar
- spring-core-3.0.7.RELEASE.jar
- spring-expression-3.0.7.RELEASE.jar
- spring-jdbc-3.0.7.RELEASE.jar
- spring-security-config-3.1.4.RELEASE.jar
- spring-security-core-3.1.4.RELEASE.jar
- spring-security-taglibs-3.1.4.RELEASE.jar
- spring-security-web-3.1.4.RELEASE.jar
- spring-tx-3.0.7.RELEASE.jar
- spring-web-3.0.7.RELEASE.jar
- springsecurityusingxml.jar
- User accesses a URL on a web application
- The web application refers to web.xml
- The web.xml matches the URL pattern
- The control is redirected to DispatcherServlet in Spring framework
- Spring framework finds that the all URLs are secured. It also finds a custom login page is configured and forwards the request to the LoginController which is a Spring MVC Controller
- The LoginController redirects to the Custom Login Page
- The user enters his login name and password and submits the custom login form
- Spring performs authentication and authorization of user’s credentials against the entires in Spring Configuration file and redirects to LoginController
- LoginController displays the originally accessed URL upon successfull authentication
- User accesses the ‘Admin Page’ link
- LoginController ensures whether the logged in user has ‘ROLE_ADMIN’ authorization @Secured method level annotation and then displays the ‘Admin Page’
Create the LoginController class as shown below. This is Spring MVC Controller class. Please see Related Trail
Spring MVC Basics
for more details.
Map the request
/main
to
printWelcome()
method and redirect to main_page.jsp after setting ‘username’ attribute with the logged in user’s name. (see lines 14-21 below).
Map the request
/login
to
login()
method and redirect to login_page.jsp (see lines 23-28 below).
Map the request
/loginError
to
loginError()
method and redirect to login_page.jsp after setting the ‘error’ attribute to ‘true’. (see lines 30-35 below).
Map the request
/common
to
common()
method and redirect to common_page.jsp (see lines 37-42 below).
Note the
@Secured
annotation which demonstrates the method level security feature of Spring. It is applied for roles ‘ROLE_REGULAR_USER’ & ‘ROLE_ADMIN’ (see line 36 below).
Map the request
/admin
to
admin()
method and redirect to admin_page.jsp (see lines 44-49 below).
Note the
@Secured
annotation which demonstrates the method level security feature of Spring. It is applied for role ‘ROLE_ADMIN’ (see line 43 below).
Map the request
/logout
to
logout()
method and redirect to logout_page.jsp (see lines 51-56 below).
Create the custom login page JSP (as shown below) that is used in Spring Security .
The important aspects to note in this JSP are:
- The user name should be stored in a parameter named j_password (see line 23 below)
- The password name should be stored in a parameter named j_password (see line 28 below)
- This form should be submitted to the URL j_spring_security_check
- Login error is handled by checking for attribute named ‘error’ (see lines 9-15 below)
Create the main page JSP (as shown below).
It contains the following three links:
- /admin: To access the admin page (accessible only for ROLE_ADMIN
- /common: To access the common page (accessible only for ROLE_REGULAR_USER and ROLE_ADMIN)
- /logout: For logout
Create the Admin Page as shown below.
Create the Common Page as shown below.
Create the web.xml file as shown below.
Register Spring’s DispatcherServlet used to register handlers for processing the web request (see lines 29-38 below).
Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
javax.servlet.Filter
and is registered as Spring bean.
Note: In this example we do not have to specifically create a class that implements
javax.servlet.Filter
. This is automatically available to us when we configure our Spring configuration file using
security:http
in springmvcdispatcher-servlet.xml file described later .
Also configure that ContextLoaderListener (see lines 25-27 below).
Finally provide the location of Spring’s configuration file in web.xml (see lines 10-13 below).
Allow annotation based Spring MVC controller declaration by using
context:component-scan
tag (see line 15 below).
Enable method level security by declaring
security:global-method-security
tag (see line 17 below).
This demonstrates the Spring security declaration required for method level security.
Configure Spring security using
security:http
tag (see lines 19-23 below).
Note that when URL fragment
/main
is accessed then security interceptor will be invoked (see line 20 below) and can be accessed by a user having ‘ROLE_ADMIN’ or ‘ROLE_REGULAR_USER’ authorization.
Also note that custom login page is mentioned using
login-page
attribute (see line 21 below). The error page to be displayed is also mentioned using
authentication-failure-url
attribute (see line 22 below).
The URLs
/main
,
/login
and
/loginError
were mapped in LoginController
(described earlier)
Specify the authentication and authorization credentials for valid users (see lines 25-32 below). Note in particular the
<security:user>
tag using which the name, password and authorization role for users is specified (see lines 28-29 below).
Configure Spring such that the prefix
/views
and the suffix
.jsp
should be added to the name of the view JSP (see lines 36-43 below) as specified in return statements in all methods of LoginController class
(described earlier)
This demonstrates the spring configuration required for enabling method level security using
@Secured
annotation.
This sample program has been packaged as a jar installer which will copy the source code (along with all necessary dependencies)on your machine and automatically run the program for you as shown in the steps below. As this sample program contains Java Server Pages (JSPs), you will need Java Development Kit (JDK preferably 1.5 or higher) on your machine so that the JSPs can be complied locally. Note that no other setup is required on your machine! Also please ensure that the port 8080 is not being used by any other program on your machine.
(Alternatively you can go the folder containing the springsecuritymethodlevel-installer.jar and execute the jar using
java -jar springsecuritymethodlevel-installer.jar
command)
Note that this user has authorization ‘ROLE_REGULAR_USER’ as defined in springsecurity-servlet.xml (described earlier)
This is because the user ‘beta’ does not have the authorization of ROLE_ADMIN. See springsecurity-servlet.xml (described earlier) for more details.
Note that this user has authorization ‘ROLE_REGULAR_USER’ as defined in springsecurity-servlet.xml (described earlier)
This is because the user ‘alpha’ has the authorization of ROLE_ADMIN. See springsecurity-servlet.xml (described earlier) for more details.
This is because the user ‘alpha’ has the authorization of ROLE_REGULAR_USER. See springsecurity-servlet.xml (described earlier) for more details.
This source code for this program is downloaded in the folder specified by you (say, C:\Temp) as an eclipse project called
springsecuritymethodlevel
. All the required libraries have also been downloaded and placed in the same location. You can open this project from Eclipe IDE and directly browse the source code. See below for details of the project structure.
The WAR file for this example is available as springsecuritymethodlevel.war in the download folder specified by you earlier (e.g. C:\Temp). The path for the WAR file is <DOWNLOAD_FOLDER_PATH>/springsecuritymethodlevel/dist/springsecuritymethodlevel.war.
This WAR file can be deployed in any webserver of your choice and example can be executed.
Kindly share with us. how to create springsecuritymethodlevel-installer.jar