Monday, August 31, 2009

Spring Security - Basics

During the last days I had the assignment to secure a spring based application I currently work on. Although I had no experience integration spring security into an application, I decided to use this standard technology rather than writing my own security layer.

The task to accomplish was well-defined:


  • provide a form-based login mechanism

  • authenticate the user against a local database

  • role/group information are not required since they arise from the data that will be processed by the application
  • support the user with complete and meaningful error messages



Unfortunately the documentation which is available for spring security (M3) is not very exhaustive and thus not helpful in order to reach the designated goal quickly. Thus I dug myself through various sources including forum posts, javadocs, documentation of earlier spring security versions and sourcecode. Finally I had a set of information which helped me to assemble a login module for my application.

Basic configuration


<b:beans xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd>

<security:http entry-point-ref="customAuthenticationEntryPoint"
session-fixation-protection="newSession" access-denied-page="/index.jsp">
<security:logout logout-success-url="/index.jsp" invalidate-session="true"/>
<security:anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<security:intercept-url pattern="/dialogs/**" access="ROLE_USER"/>
<security:intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS"/>
</security:http>


<authentication-manager alias="authenticationManager"/>

<b:bean id="customAuthenticationManager" class="CustomAuthenticationManager">
<b:property name="userService" ref="userService"/>
<b:property name="passwordEncryptionAlgorithm" value="SHA"/>
<b:property name="baseRoleName" value="ROLE_USER"/>
</b:bean>

<b:bean id="customizedUrlAuthenticationFailureHandler" class="CustomAuthenticationFailureHandler">
<b:property name="defaultFailureUrl" value="/index.jsp"/>
</b:bean>

<b:bean id="customizedFormLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter" >
<security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
<b:property name="authenticationManager" ref="customAuthenticationManager"/>
<b:property name="allowSessionCreation" value="true"/>
<b:property name="authenticationFailureHandler" ref="customizedUrlAuthenticationFailureHandler"/>
</b:bean>

<b:bean id="customAuthenticationEntryPoint" class="CustomAuthenticationEntryPoint">
<b:property name="loginFormUrl" value="/index.jsp"/>
</b:bean>


</b:beans>


security:http

The first block configures the security layer as such. It defines the entry point into the layer (customAuthenticationEntryPoint) where all requests will be redirected to, the urls to secure (intercept-url) and the logout behavior (logout-success-url).

customAuthenticationManager

The customAuthenticationManager bean implements the core authentication behavior. Incoming requests that belong to an user session which has not passed the security layer before are handled by this bean. It overrides the authenticate method and performs the necessary principal and credentials checks.

customizedUrlAuthenticationFailureHandler

The customizedUrlAuthenticationFailureHandler defines the steps to carry out in case the authentication fails. In this case I created a new one next to the standard implementation since I had the requirement to implement a special error handling.

customizedFormLoginFilter

The customizedFormLoginFilter defines that the application uses the basic username / password scheme to authenticate new users. Spring security also provides implementations for open id authentication or CAS.

customAuthenticationEntryPoint

The customAuthenticationEntryPoint defines the class that provides the implementation of the authentication entry point of the security layer. All incoming requests will be directed into this class. I use the commence method to remove all previous error messages.

As you can see, the configuration (and implementation) of a custom spring security login filter is straight forward. Since I did not want to overflow the blog with source code, I omitted it. If you are interested in it, feel free to contact me.
Created by um No comments:

Friday, August 21, 2009

FileUpload with Richfaces

The other day I had an assignment to write a CSV upload and download interface for a JSF (Richfaces) based web application. On first sight, that isn't a really tricky task since it was realised many times before by a lot of people - including me. Therefore I was quite confident to implement that feature quite quickly ... until it came to the point where I tried out what I implemented. Unfortunately, the file was not uploaded although my code wrote the correct filename to the log output. This is my sourcecode:

public void uploadListener(final UploadEvent uploadEvent) {
UploadItem uploadItem = uploadEvent.getUploadItem();
String fileName = uploadItem.getFileName();
String csvFile = new String(uploadItem.getData());
...
}

The method signature follows the requirements set by richfaces in order for a method to receive incoming upload events. Usually the upload item variable should contain all required information, especially the required file data.

The reason why the upload item is not filled as expected, is the AJAX filter option createTempFile which is set to true by default. Under these circumstances the uploaded file data will not be made available to the upload item variable, but is written into a temporary file on disk. To change this behavior, its necessary to switch the config option of org.ajax4jsf.Filter to true in the web.xml.


Created by um No comments:
Labels: , , , ,

Initial Commit

Hello everybody and welcome to my new blog. I guess most people starting a blog have thoroughly planned the topics they want to write about. Actually I did the same, but writing an inital post to introduce the blog and its author is much harder than expected. I could write a long essay about me, my work and how I made the decision to start this blog - probably most people would be bored beyond belief. Therefore I omit that and give you a quick summary about me and the topics you can expect from the upcoming posts.

Who am I?
My name is Christian Kreutzfeldt and I work as a software engineer in Hamburg / Germany. Mainly I deal with a lot of topics that are associated with the development of enterprise software written in JAVA. Actually I work on a project that deals with the definition and implementation of a role and permission management.

What can you expect?
As you can read in the nice textare that covers my face in the page header, I stumble upon a lot of interesting topics during my day-by-day work. I plan to use this blog as a kind of reference book for myself as well as an information assembly for others. Most topics that I will cover will be associated with J2EE in the one or another way.
Created by um No comments:
Labels: , ,
Subscribe to: Posts (Atom)