Simple Spring Security Demo Using Eclipse Maven Project

Role Based Spring Security

I will show you how to integrate Spring Security with a Spring MVC web application to secure a URL access.

Step 1:
Lets see Dependencies required for implementing spring security. 
Note :: only security related dependencies are added here u will require to add other dependencies required by ur project like spring-webmvc, spring web etc.
<dependency> <groupid>org.springframework.security</groupId> <artifactid>spring-security-web</artifactId> <version>4.2.3.RELEASE</version> </dependency> <dependency> <groupid>org.springframework.security</groupId> <artifactid>spring-security-core</artifactId> <version>4.2.3.RELEASE</version> </dependency> <dependency> <groupid>org.springframework.security</groupId> <artifactid>spring-security-config</artifactId> <version>4.2.3.RELEASE</version> </dependency> <dependency> <groupid>org.springframework.security</groupId> <artifactid>spring-security-taglibs</artifactId> <version>4.2.3.RELEASE</version> </dependency>

Step 2:
Configure your Spring Security Filter Chain in Web.xml <web-app> <display-name>Archetype Created Web Application</display-name> <servlet> <servlet-name>dispatcher</servlet-name> <servlet-class> org.springframework.web.servlet.DispatcherServlet </servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>dispatcher</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/application-security.xml</param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> </web-app>


Step 3:
Create a xml file in WEB-INF folder name it as application-security.xml  as  we have defined this name inside web.xml file. Write below code in this file.



<beans xmlns="http://www.springframework.org/schema/beans" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <security:http auto-config="true" use-expressions="true" > <security:intercept-url pattern="/" access="permitAll"/> <security:intercept-url pattern="/admin/*" access="hasRole('ADMIN')"/> <security:form-login login-processing-url="/login" username-parameter="username" password-parameter="password" login-page="/login" default-target-url="/welcome" authentication-failure-url="/fail2login" /> <security:logout logout-url="/logout1" logout-success-url="/logout" /> <security:csrf disabled="true"/> </security:http> <security:authentication-manager> <security:authentication-provider> <security:jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password,enable from User where username=?" authorities-by-username-query="select u1.username, u2.authority from User u1, Userrole u2 where u1.userid = u2.userid and u1.username =?" /> </security:authentication-provider> </security:authentication-manager> </beans>

NOTE:  User and UserRole are a tables in database connected to dataSource bean. User has columns userid,username, password and enable whereas Userrole has columns userid  and authority.

Step 4:

Create a Login Page:


<%@ page language="java" isELIgnored="false" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %> <%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Log In</title> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"> <!-- jQuery library --> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <!-- Latest compiled JavaScript --> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> </head> <body style="background-color: #ffdd99"> <div class="container"> <c:if test="${error=='true'}"> <div class="errorblock"> Your login attempt was not successful, try again. </div> </c:if> <c:if test="${not empty logoutmsg }"> <div class="logoutblock"> <c:out value="${logoutmsg}" /> </div> </c:if> <form role="form" action="<c:url value='login' /> " method="post" > <div class="form-group"> <label for="username">UserName:</label> <input style="width: 20%;" type="text" id="username" name="username" class="form-control" /> </div> <div class="form-group"> <label for="password">Password:</label> <input style="width: 20%;" type="password" id="password" class="form-control" name="password" /> </div> <button type="submit" class="btn btn-default" >Submit</button> </form> <h4> Not A User ? <a href="Register">Sign Up Here</a></h4> </div> </body> </html>

Step 5:
Create a new Controller class  called it as LoginController.


package com.education.controllers; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.validation.Valid; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; import org.springframework.stereotype.Controller; import org.springframework.stereotype.Service; import org.springframework.ui.Model; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.servlet.ModelAndView; @Controller public class LogonController { @RequestMapping(value="/login") public String Login() { return "Login"; } @RequestMapping(value="/fail2login", method=RequestMethod.GET) public ModelAndView loginerror(ModelMap model) { return new ModelAndView("Login","error",true); } @RequestMapping(value="/logout", method=RequestMethod.GET) public ModelAndView logout(HttpServletRequest request, HttpServletResponse response) { Authentication auth=SecurityContextHolder.getContext().getAuthentication(); if(auth!= null) { new SecurityContextLogoutHandler().logout(request, response, auth); } return new ModelAndView("Login","logoutmsg","Logged out Successfully"); } @RequestMapping(value = "/welcome", method = RequestMethod.GET) public String printWelcome() { return "index"; } }

Step 6:
Authorize and restrict links using spring security tags according to your project for example:


<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> <nav style="background-color:#ff0055;" class="navbar navbar-default"> <div class="container-fluid"> <div class="navbar-header"> <a class="navbar-brand" href="#"><label style="color: white">My School </label></a> </div> <ul class="nav navbar-nav"> <li class="active"><a style="color: white" href="/">Home </a></li> <li><a style="color: white; font-family: serif; font-size: large; " href="/contactus"> Contact Us</a></li> <li><a style="color: white; font-family: serif; font-size: large; " href="/aboutus"> About us</a></li> <security:authorize access="hasRole('ROLE_ADMIN')"> <li><a style="color: white; font-family: serif; font-size: large; " href="/admin/home" >ADMIN HOME</a></li> </security:authorize> </ul> <ul class="nav navbar-nav navbar-right"> <security:authorize access="isAnonymous()"> <li><a style="color: white; font-family: serif; font-size: large; " href="/Register"> <span class="glyphicon glyphicon-user"></span> Register</a></li> <li><a style="color: white; font-family: serif; font-size: large; " href="<c:url value='/login' />"> <span class="glyphicon glyphicon-log-in"></span> Login</a></li> </security:authorize> <security:authorize access="isAuthenticated()"> <li><span class="glyphicon"></span><h4 style="color:White;"> Welcome <%= request.getUserPrincipal().getName() %></h4> </li> <security:authorize access="hasRole('ROLE_USER')"> <li><a style="color: white; font-family: serif; font-size: large; " href="<c:url value='/user/home'/>"><span class="glyphicon glyphicon-hand-right"></span>USER HOME</a></li> </security:authorize> <li><a style="color: white; font-family: serif; font-size: large; " href='<c:url value="/logout1" />' class="btn btn_primary"> <span class="glyphicon glyphicon-log-out"></span> Logout </a></li> </security:authorize> </ul> </div> </nav>