Monday, August 31, 2009

Spring Security - Basics

During the last few days I had the assignment to secure a Spring-based application I currently work on. Although I had no experience integrating Spring Security into an application, I decided to use this standard technology rather than writing my own security layer.

The task to accomplish was well-defined:

  • provide a form-based login mechanism
  • authenticate the user against a local database
  • role/group information is not required, since it arises from the data that will be processed by the application
  • support the user with complete and meaningful error messages


Unfortunately the documentation which is available for Spring Security (M3) is not very exhaustive and thus not helpful in order to reach the designated goal quickly. So I dug through various sources including forum posts, Javadocs, documentation of earlier Spring Security versions and source code. Finally I had a set of information which helped me to assemble a login module for my application.

Basic configuration


<b:beans xmlns:security="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
                             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                             http://www.springframework.org/schema/security
                             http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- The security layer itself: entry point, session handling, logout and the URLs to protect -->
  <security:http entry-point-ref="customAuthenticationEntryPoint"
                 session-fixation-protection="newSession" access-denied-page="/index.jsp">
    <security:logout logout-success-url="/index.jsp" invalidate-session="true"/>
    <security:anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    <security:intercept-url pattern="/dialogs/**" access="ROLE_USER"/>
    <security:intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS"/>
  </security:http>

  <security:authentication-manager alias="authenticationManager"/>

  <!-- The Custom* classes are the application's own; their package is omitted here -->
  <b:bean id="customAuthenticationManager" class="CustomAuthenticationManager">
    <b:property name="userService" ref="userService"/>
    <b:property name="passwordEncryptionAlgorithm" value="SHA"/>
    <b:property name="baseRoleName" value="ROLE_USER"/>
  </b:bean>

  <!-- Where to send the browser, and what to tell the user, when a login fails -->
  <b:bean id="customizedUrlAuthenticationFailureHandler" class="CustomAuthenticationFailureHandler">
    <b:property name="defaultFailureUrl" value="/index.jsp"/>
  </b:bean>

  <!-- Form login filter (username/password), wired to the custom authentication manager -->
  <b:bean id="customizedFormLoginFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter">
    <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
    <b:property name="authenticationManager" ref="customAuthenticationManager"/>
    <b:property name="allowSessionCreation" value="true"/>
    <b:property name="authenticationFailureHandler" ref="customizedUrlAuthenticationFailureHandler"/>
  </b:bean>

  <!-- Entry point: unauthenticated requests for protected URLs are sent to the login form -->
  <b:bean id="customAuthenticationEntryPoint" class="CustomAuthenticationEntryPoint">
    <b:property name="loginFormUrl" value="/index.jsp"/>
  </b:bean>

</b:beans>


security:http

The first block configures the security layer as such. It defines the entry point into the layer (customAuthenticationEntryPoint), to which requests for protected URLs from users who have not yet authenticated are redirected, the URLs to secure (intercept-url), the session-fixation protection (a new session is created on login) and the logout behavior (logout-success-url).

customAuthenticationManager

The customAuthenticationManager bean implements the core authentication behavior. Login requests from a user session which has not passed the security layer before are handled by this bean. It implements the authenticate method of AuthenticationManager and performs the necessary principal and credentials checks.
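The post omits the source of CustomAuthenticationManager, so the following is an added example of what such a bean can look like; it is not the author's code. It assumes a hypothetical UserService/LocalUser pair standing in for the post's userService bean, and that the database stores the password as a hex-encoded digest produced by the algorithm named in passwordEncryptionAlgorithm. It honours the three properties from the XML above.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;

// Added example, not the post's own (omitted) code. UserService and LocalUser are
// assumed interfaces that stand in for the post's "userService" bean.
public class CustomAuthenticationManager implements AuthenticationManager {

    /** Assumed lookup interface backed by the local database. */
    public interface UserService {
        /** Returns null when no user with this name exists. */
        LocalUser findByUsername(String username);
    }

    /** Assumed persisted user record; getPasswordHash() returns the hex-encoded digest. */
    public interface LocalUser {
        String getUsername();
        String getPasswordHash();
        boolean isEnabled();
    }

    // Bean properties set from the XML configuration
    private UserService userService;
    private String passwordEncryptionAlgorithm = "SHA";
    private String baseRoleName = "ROLE_USER";

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (username == null || credentials == null) {
            throw new BadCredentialsException("Missing username or password");
        }

        LocalUser user = userService.findByUsername(username);
        byte[] presented = digest(credentials.toString());
        // Compare against a dummy of equal length when the user is unknown, so neither
        // the response time nor the error message reveals which accounts exist.
        byte[] stored = (user == null)
                ? new byte[presented.length]
                : hexToBytes(user.getPasswordHash());
        boolean matches = MessageDigest.isEqual(presented, stored); // constant-time compare
        if (user == null || !matches) {
            throw new BadCredentialsException("Invalid username or password");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account is disabled");
        }

        // Every authenticated user gets the single base role. The three-argument
        // constructor marks the token as authenticated; the clear-text password is
        // deliberately not carried over into the token (and thus not into the session).
        List<GrantedAuthority> authorities = Collections
                .<GrantedAuthority>singletonList(new GrantedAuthorityImpl(baseRoleName));
        return new UsernamePasswordAuthenticationToken(user.getUsername(), null, authorities);
    }

    /** Hashes the presented password with the configured JCA algorithm name ("SHA" = SHA-1). */
    private byte[] digest(String rawPassword) {
        try {
            MessageDigest md = MessageDigest.getInstance(passwordEncryptionAlgorithm);
            return md.digest(rawPassword.getBytes(Charset.forName("UTF-8")));
        } catch (NoSuchAlgorithmException e) {
            throw new AuthenticationServiceException("Unknown digest algorithm", e);
        }
    }

    /** Decodes the stored hex digest; a malformed value is a server-side error, not a bad login. */
    private static byte[] hexToBytes(String hex) {
        if (hex == null || hex.length() % 2 != 0) {
            throw new AuthenticationServiceException("Malformed stored password hash");
        }
        byte[] out = new byte[hex.length() / 2];
        try {
            for (int i = 0; i < hex.length(); i += 2) {
                out[i / 2] = (byte) Integer.parseInt(hex.substring(i, i + 2), 16);
            }
        } catch (NumberFormatException e) {
            throw new AuthenticationServiceException("Malformed stored password hash", e);
        }
        return out;
    }

    public void setUserService(UserService userService) { this.userService = userService; }
    public void setPasswordEncryptionAlgorithm(String alg) { this.passwordEncryptionAlgorithm = alg; }
    public void setBaseRoleName(String baseRoleName) { this.baseRoleName = baseRoleName; }
}
```

Two design points worth noting: an unknown user and a wrong password both produce the same BadCredentialsException, so the login form cannot be used to enumerate accounts, and the digest is compared with MessageDigest.isEqual rather than Arrays.equals. The unsalted SHA digest matches the post's configuration; a salted, iterated scheme would be the stronger choice for stored passwords, and only this method would need to change.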

customizedUrlAuthenticationFailureHandler

The customizedUrlAuthenticationFailureHandler defines the steps to carry out in case the authentication fails. In this case I created a new one next to the standard implementation since I had the requirement to implement a special error handling.

customizedFormLoginFilter

The customizedFormLoginFilter defines that the application uses the basic username / password scheme to authenticate new users. Spring Security also provides implementations for OpenID authentication or CAS.

customAuthenticationEntryPoint

The customAuthenticationEntryPoint defines the class that provides the implementation of the authentication entry point of the security layer. All incoming requests that require authentication will be directed to this class. I use the commence method to remove all previous error messages.
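The failure handler and the entry point described in the two sections above, as an added example that is not the post's code: the handler records a user-facing message in the session before redirecting to defaultFailureUrl, and the entry point clears that message before sending the browser to loginFormUrl. It assumes the Spring Security 3.0 base classes SimpleUrlAuthenticationFailureHandler and LoginUrlAuthenticationEntryPoint, and the session attribute name loginErrorMessage is an assumption. The two classes are shown in one file for brevity; in a project each would be its own public class.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Added example, not the post's own code. Session attribute name is an assumption;
// the login page (index.jsp in the post) would read and display it.
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    static final String ERROR_ATTRIBUTE = "loginErrorMessage";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Store a message the user can act on, then let the base class redirect to
        // the configured defaultFailureUrl (the "defaultFailureUrl" bean property).
        request.getSession(true).setAttribute(ERROR_ATTRIBUTE, messageFor(exception));
        super.onAuthenticationFailure(request, response, exception);
    }

    /**
     * Maps the exception type to a message that explains the account state without
     * distinguishing "no such user" from "wrong password".
     */
    static String messageFor(AuthenticationException e) {
        if (e instanceof DisabledException) {
            return "Your account is disabled. Please contact the administrator.";
        }
        if (e instanceof LockedException) {
            return "Your account is locked. Please contact the administrator.";
        }
        return "Invalid username or password.";
    }
}

// Shown here in the same file for brevity; belongs in CustomAuthenticationEntryPoint.java.
class CustomAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // A user arriving at a protected URL without credentials should not see a stale
        // message from an earlier failed attempt. Do not create a session just for this.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(CustomAuthenticationFailureHandler.ERROR_ATTRIBUTE);
        }
        // Base class redirects to the configured loginFormUrl ("loginFormUrl" bean property).
        super.commence(request, response, authException);
    }
}
```

The base handler also saves the exception itself in the session under the key defined by WebAttributes.AUTHENTICATION_EXCEPTION, so a JSP that prefers the raw exception can still get at it; the message attribute added here is what keeps the page free of class names and stack details.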

As you can see, the configuration (and implementation) of a custom Spring Security login filter is straightforward. Since I did not want to overflow the blog with source code, I omitted it. If you are interested in it, feel free to contact me.
