Showing posts from March, 2010

Let us look at the Spring security filter chain

DelegatingFilterProxy

The DelegatingFilterProxy is a special filter provided by the Spring framework. It acts as a bridge connecting
the web container and the Spring application container. In other words, it helps pipeline request processing
from the web container filter to a bean in the Spring web application context.

DelegatingFilterProxy is configured in the web.xml as shown below:


  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


DelegatingFilterProxy is essentially a dumb filter and implements no logic. Its sole responsibility is to delegate the Filter's methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the …

Pause - let's look inside Spring Security

So far we have been quick to set up Spring Security and apply it in our application. But behind that minimal configuration and non-invasive behavior, a lot has been happening.
It is time to uncover the activities under the hood, draw some diagrams to understand the framework and move ahead in style. I will not draw out all the balls from the magic box now. Instead I will slowly take out one ball at a time to make it slow and easy to comprehend and assimilate.

Let us go back to the web.xml configuration. You will see that we have configured a DelegatingFilterProxy. This filter is named 'springSecurityFilterChain'. The delegating filter proxy looks for a bean named 'springSecurityFilterChain' in the root Spring web application context. So note that this name is kind of a reserved bean name and should not be used elsewhere. The delegating filter proxy as the name suggests delegates the entire security processing then to the beans declared in the Spring web applica…
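The bean lookup described above only succeeds if the security configuration is loaded into the root context. The following web.xml is an added example, not the post's own file: the ContextLoaderListener and contextConfigLocation entries are assumptions, using the /WEB-INF/config location mentioned elsewhere on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

  <!-- Root web application context, created by ContextLoaderListener.
       DelegatingFilterProxy searches THIS context for its delegate bean.
       If spring-security.xml is loaded only by a DispatcherServlet's own
       context, the lookup fails with NoSuchBeanDefinitionException. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/spring-security.xml</param-value>
  </context-param>

  <!-- Without this listener there is no root context at all and the
       filter reports "No WebApplicationContext found". -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- filter-name doubles as the bean name to look up, so it must be
       exactly springSecurityFilterChain (the bean the security
       namespace registers). -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <!-- Map to /* so every request enters the security chain; any URL
       outside this mapping is served with no security processing. -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
```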

Adding anonymous or guest access in Spring Security

As you have seen in my previous post, access to index.html was restricted. Whenever the user tried to access this page they were redirected to the login page. But this should not be the case. The logical index.html page should be accessible to guest users as well as authenticated users.
Turning this on is just a matter of configuration. This is shown in the modified spring-security.xml file.

Listing 1 - spring-security.xml

I have now added a new intercept url line.

<intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />

This line makes it possible to access index.html as a guest user. Now when you click on any link on the index.html page you will be redirected to the login page in case you have not signed in.
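Where the new line sits relative to the other rules matters, because intercept-url patterns are checked in the order they are declared and the first match decides. The following spring-security.xml is an added example, not the post's Listing 1 (which is not reproduced on this page); the /** rule, ROLE_USER, auto-config and the sample user are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true">
    <!-- Specific rule first: guests and signed-in users may both
         reach the landing page. -->
    <intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <!-- Catch-all last: everything else needs an authenticated user
         holding ROLE_USER (assumed role name). -->
    <intercept-url pattern="/**" access="ROLE_USER" />

    <!-- Ordering pitfalls:
         * If the /** ROLE_USER rule is declared first, it matches
           /index.html too and the anonymous rule is never reached.
         * If a broad pattern such as /** is given
           IS_AUTHENTICATED_ANONYMOUSLY and declared first, every
           page behind it is open to guests.
         Keep anonymous rules as narrow as possible and keep the
         restrictive catch-all as the final entry. -->
  </http>

  <!-- Constructed in-memory user for the example only. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="demo" password="change-me" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```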

In my next post, I will try to get into some theoretical details/framework internals before
proceeding to the next round of coding and adding additional features.

Enabling Spring Security

1> Add a few more jars to your WEB-INF/lib folder.
The current view of jars is shown in the figure below.
2> Add a new file named spring-security.xml in the WEB-INF/config folder. The contents of this file are shown in Listing 1 below:

Listing 1 - spring-security.xml
This is the bare minimum configuration you need to get Spring Security started. This is a great relief for those of you who have worked with earlier versions of Spring Security or its ancestor Acegi Security. You had to explicitly configure the entire filter chain. That was tedious and very cumbersome, leading to a lot of errors and time and effort going down the drain. Thanks Ben and team for this good change. I will explain the different elements in this configuration in future posts, as the intention of this post is to quickly get started with Spring Security as promised earlier.

Step 3 - wire everything now in the web.xml. The modified web.xml looks like the one shown below.
There are a few things to note he…

Getting the security-less application ready

1> Add jstl.jar (version 1.1 I guess) to your WEB-INF/lib folder
2> Modify index.jsp as shown below
Listing 1 - index.jsp
3> Add a controller for the landing or index page.
Listing 2 - EntryController.java
4> Add a controller for the upload page view
Listing 3 - UploadController.java
5> Time to launch the browser and test it on the browser.

6> Click on upload photo, you will see it is accessible to anyone. But only logged on users should be able to access that page.


In the next post I will start with the first step to ensure that a user is logged in / signed in before he or she can access the upload photo page.

Adding a few more JSPs and Security Requirements

Now I will add two more JSPs – one is the home page showing some dashboard information and the other is the file upload JSP which will be used to upload photos.

Listing 1 – home.jsp
Listing 2 – upload.jsp
Requirement
index.jsp should be accessible without any security filtering
home.jsp should be accessible only to registered users
upload.jsp should only be accessible to registered users

Since the JSPs are placed under WEB-INF, no one can access them directly in any case. So in the next post I will try to add a few page controllers to the scheme of things to make these pages accessible without any application security credentials.

Setting up Spring MVC 3 Web Application

Now it's time to code a bit in Skyphoto. So launch Eclipse and create a dynamic web project ready to be deployed on Tomcat 6. I am assuming that readers are at least familiar with this. Next we will do a bit of configuration and throw in some Spring 3 jar files into the WEB-INF/lib folder.
Step 1 - Configure Spring Servlets and log4j in the web application deployment descriptor.

Step 2 - log4j.xml
The log4j configuration will be very useful later to see all framework and application messages. I have set it to debug level to help understand the framework better.
Step 3 - Setting up a bare minimal spring configuration file
Listing 3 - spring-web.xml
Step 4 - setup a simple jsp
Listing 4 - index.jsp
Finally here is a view of the Eclipse project shown in Figure 1. You can very well make out the jar files you need for the time being.

Note 1 - I am storing all configuration files under /WEB-INF/config
Note 2 - do not forget to download the Spring Framework and Spring Security distributions from the…

Exploring Spring Security 3

I am finally back to writing again after an absence of almost a year and a half. I will try to be more regular from now on. In this edition I will start with Spring Security 3. This will be a series of posts where I will try to build a very simple photo uploading and sharing service. This is actually my PoC with Spring Security 3.

Spring Security, unlike most of the Spring product portfolio, is not at all well documented. The tutorials that turn up on Google are mostly outdated. Spring Security 3, by the look of things, certainly seems to be a very good, feature-rich product, yet a hefty beast. So here is my attempt to conquer it.




Skyphoto Basic Requirements
Securely upload photos into your account
Download photos
Share photos with friends and other application


In the course of this simple application development I will try to uncover most of the features of Spring Security. I will use Restful services support provided by Spring MVC so that I can expose a simple API for external applications which will co…