In the Spring Security Database Authentication Example, we will build a simple Spring MVC Hello World application and build our own login form for our Spring Security application which performs Authentication and Authorization from the database.
In our Spring MVC application the home page will be accessible to everyone, and we will be having admin page which will be accessible to only to the user with admin rights. When the user tries to access the admin page the user will be redirected to the custom login form which we build and asked to log in, if the credentials entered matches the admin privilege then only the user will be allowed to view the admin page.
Creating table
Create USERS and USER_ROLES Table, simply Copy and Paste the following SQL query in the query editor to get the table created.
CREATE TABLE "USERS"
(
"USERNAME" VARCHAR2(255 CHAR) NOT NULL ENABLE,
"PASSWORD" VARCHAR2(255 CHAR) NOT NULL ENABLE,
PRIMARY KEY ("USERNAME")
);
CREATE TABLE "USER_ROLES"
(
"ROLE" VARCHAR2(255 CHAR) NOT NULL ENABLE,
"USERNAME" VARCHAR2(255 CHAR) NOT NULL ENABLE,
PRIMARY KEY ("ROLE"),
CONSTRAINT fk_username FOREIGN KEY ("USERNAME") REFERENCES USERS("USERNAME")
);
insert into USERS (USERNAME,PASSWORD) values ('admin', 'password');
insert into USER_ROLES (ROLE, USERNAME) values ('ROLE_ADMIN','admin');
Folder Structure:
- Create a simple Maven Project “SpringSecurityDatabase” and create a package for our source files “com.javainterviewpoint” under src/main/java
- Now add the following dependency in the POM.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.javainterviewpoint</groupId> <artifactId>SpringSecurtiyDatabase</artifactId> <packaging>war</packaging> <version>0.0.1-SNAPSHOT</version> <name>SpringSecurtiyDatabase Maven Webapp</name> <url>http://maven.apache.org</url> <properties> <spring.version>4.3.7.RELEASE</spring.version> <security.version>4.0.3.RELEASE</security.version> </properties> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>3.8.1</version> <scope>test</scope> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>${spring.version}</version> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${security.version}</version> </dependency> <!-- Spring JDBC dependency --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-jdbc</artifactId> <version>${security.version}</version> </dependency> <dependency> <groupId>jstl</groupId> <artifactId>jstl</artifactId> <version>1.2</version> </dependency> <!-- Oracle dependency --> <dependency> <groupId>com.oracle</groupId> <artifactId>ojdbc14</artifactId> <version>11.2.0</version> </dependency> </dependencies> <build> <finalName>SpringSecurtiyDatabase</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <version>3.6.1</version> <configuration> <source>1.8</source> <target>1.8</target> </configuration> </plugin> </plugins> </build> </project> - Create the Java class HelloController.java under com.javainterviewpoint folder.
- Place the SpringConfig-servlet.xml,SpringSecurity.xml and web.xml under the WEB-INF directory
- View files login.jsp, and admin.jsp are put under the sub directory under WEB-INF/Jsp, index.jsp under webapp directory
Spring Security Database Authentication Example
web.xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1"> <servlet> <servlet-name>SpringConfig</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <!-- <init-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/SpringConfig-servlet.xml, /WEB-INF/SpringSecurity.xml </param-value> </init-param> --> </servlet> <servlet-mapping> <servlet-name>SpringConfig</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- Loads Spring Security configuration file --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/SpringConfig-servlet.xml, /WEB-INF/SpringSecurity.xml </param-value> </context-param> <!-- Spring Security filter --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>
- The web.xml has everything about the application that a server needs to know, which is placed under the WEB-INF directory. It contains the name of the SpringConfiguration file, when the DispatcherServlet is initialized the framework will try to load a configuration file “[servlet-name]-servlet.xml” under the WEB-INF directory. We will also be mentioning the location of the SpringSecurity.xml
- Spring Security depends on the Servlet filter, we will be using the filter “DelegatingFilterProxy” which provides the link between web.xml and application context. (Note : The filter name should only be “springSecurityFilterChain” )
Equivalent of web.xml
package com.javainterviewpoint.config;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
public class SpringMvcInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] { AppConfig.class };
}
@Override
protected Class<?>[] getServletConfigClasses() {
return null;
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
}
SecurityInitializer.java
package com.javainterviewpoint.config;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
SpringConfig-servlet.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd"> <mvc:annotation-driven></mvc:annotation-driven> <context:component-scan base-package="com.javainterviewpoint"></context:component-scan> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/Jsp/" /> <property name="suffix" value=".jsp" /> </bean> </beans>
- The SpringConfig-servlet.xml is also placed under the WEB-INF directory.
- <context:component-scan> will let the Spring Container to search for all the annotation under the package “com.javainteriviewpoint”.
- <mvc:annotation-driven/> annotation will activate the @Controller, @RequestMapping, @Valid etc annotations.
- The view is resolved through “org.springframework.web.servlet.view.InternalResourceViewResolver” which searches for the jsp files under the /WEB-INF/Jsp/ directory.
Equivalent of SpringConfig-servlet.xml
package com.javainterviewpoint.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;
@EnableWebMvc
@Configuration
@ComponentScan({ "com.javainterviewpoint.*" })
@Import({ SecurityConfig.class })
public class AppConfig {
@Bean(name = "dataSource")
public DriverManagerDataSource dataSource() {
DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
driverManagerDataSource.setDriverClassName("oracle.jdbc.driver.OracleDriver");
driverManagerDataSource.setUrl("jdbc:oracle:thin:@rsh2:40051:mydb");
driverManagerDataSource.setUsername("root");
driverManagerDataSource.setPassword("root");
return driverManagerDataSource;
}
@Bean
public InternalResourceViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/WEB-INF/Jsp/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
}
SpringSecurity.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config='true'>
<intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/login" authentication-failure-url="/error"
username-parameter="username" password-parameter="password" />
<csrf />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select username, password, 1 as enabled from users where username=?"
authorities-by-username-query="select username,role from user_role where username=?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<beans:property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />
<beans:property name="url" value="jdbc:oracle:thin:@rsh2:40051:mydb" />
<beans:property name="username" value="root" />
<beans:property name="password" value="root" />
</beans:bean>
</beans:beans>
- The <http> tag allows you to configure the Security Settings and access constraints for the web application.
- We have used the <form-login> tag, so when ever the user tries to login into our application he will be authenticated with help of the form-login configuration. Lets get some basic understanding of the <form-login> tag.
- login-page : This the name of our custom login page.
- authentication-failure-url : Page to which the user has to be forwarded if he has entered invalid credentials
- username-parameter : Name of the username field
- password-parameter : Name of the password field
- csrf : This is to enable the Cross Site Request Forgery (CSRF) protection, this will be by default disabled.
- The <intercept-url> element defines the pattern which will be matched against the URLs of the incoming requests, the access attribute validates the role which is required for accessing the URL.
- <authentication-manager> tag has authentication properties through which the user will have access to different pages.
- <authentication-provider> tag specifies the username and password. In our application, jdbc-user-service to connect to Database.
- users-by-username-query – Authenticates the user
- authorities-by-username-query – Validates the Role of the User
Equivalent to SpringSecurity.xml
package com.javainterviewpoint.config;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
DataSource dataSource;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery("select username, password, 1 as enabled from users where username=?")
.authoritiesByUsernameQuery("select username,role from user_roles where username=?");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin*").access("hasRole('ROLE_ADMIN')")
.and()
.formLogin().loginPage("/login").failureUrl("/error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/logout")
.and()
.csrf();
}
}
HelloController.java
package com.javainterviewpoint;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class HelloController
{
@RequestMapping("/admin")
public ModelAndView admin()
{
Authentication authentication = SecurityContextHolder.getContext()
.getAuthentication();
String welcomeMessage = "Welcome "+authentication.getName()+"!!";
return new ModelAndView("admin", "welcomeMessage", welcomeMessage);
}
@RequestMapping("/error")
public String error(ModelMap model)
{
model.addAttribute("error", "true");
return "login";
}
@RequestMapping("/login")
public String login()
{
return "login";
}
@RequestMapping("/logout")
public String logout(ModelMap model)
{
Authentication authentication = SecurityContextHolder.getContext()
.getAuthentication();
authentication.setAuthenticated(false);
model.addAttribute("logout", "true");
return "login";
}
}
- Our HelloController has
- admin() – when the user hits on the URL “/admin” this method gets called and the user will be redirected to the login page, only when the user keys in a valid credentials he will be allowed see the “admin.jsp”. Additionally we have obtained the username from the SecurityContextHolder and pass it to login page
- Additionally we have added login(), logout() and error() methods for redirecting to the respective pages.
index.jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <html> <head> <title>Spring Security</title> </head> <body> <h2>Spring Security Authentication and Authorization Example with Database - Home Page!!!</h2> <br> <h4> <a href="admin">Access Admin Page</a> </h4> </body> </html>
admin.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Spring Security Authentication and Authorization - Admin
Page</title>
</head>
<body>
<h2>Spring Security Authentication and Authorization - Admin Page</h2>
<h3>${welcomeMessage}</h3>
<br>
<form action="logout" method="post">
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<input type="submit" value="Logout">
</form>
</body>
</html>
login.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Custom Login Page</title>
</head>
<body>
<h3>Custom Login Page</h3>
<%
String error = (String) request.getAttribute("error");
if (error != null && error.equals("true"))
{
out.println("<h4 style=\"color:red\">Invalid login credentials. Please try again!!</h4>");
}
String logout = (String) request.getAttribute("logout");
if (logout != null && logout.equals("true"))
{
out.println("<h4 style=\"color:green\">You have logged out successfully!!</h4>");
}
%>
<form action="<c:url value='login' />" method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='username' value=''></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td><input name="submit" type="submit" value="Login" /></td>
<td><input name="reset" type="reset" /> <input type="hidden"
name="${_csrf.parameterName}" value="${_csrf.token}" /></td>
</tr>
</table>
</form>
</body>
</html>
we have added CSRF parameters in our login page to prevent the CSRF attacks.
<input name="reset" type="reset" /> <input type="hidden"
name="${_csrf.parameterName}" value="${_csrf.token}" />
Output
Hit on the URL : http://localhost:8080/SpringSecurityDatabase/
Hit on the URL : http://localhost:8080/SpringSecurityDatabase/admin
You will be asked to login, if invalid password is entered you will get the below error and again redirected to the login page.
Only when you enter the valid credentials you will be allowed to see the admin page.
Leave a Reply