Copyright © 2010 Skyway Software
Abstract
This tutorial details the steps required to add Spring Security to a Spring MVC web application using MyEclipse for Spring.
Spring Security provides a set of security services that integrate with Spring-based applications, and MyEclipse for Spring makes it easy to bootstrap an application with Spring Security support. The Scaffold Spring Security wizard is designed to guide you through the bootstrapping process. In addition to selecting a security realm, you can also specify which services and URLs need to be secured.
Spring Security scaffolding options:
Database - using a DB security realm configured to use a scaffolded set of database tables (users and authorities)
LDAP - using LDAP security realm
In-Memory - using an in-memory security realm
The goal of the scaffolding wizard is to get you set up and running on the most commonly used security realms. However, Spring Security supports many more security realms and security options than the Spring Security wizard does. If your application requires one of the supported security realms, then the wizard will do most (if not all) of the bootstrapping and configuration work. If your application requires a security realm that isn't supported by the scaffolding wizard, then the wizard can still help you with basic Spring Security bootstrapping, and the detailed configuration will be left to you to complete.
This tutorial is going to walk you through using the Scaffold Spring Security wizard to add Spring Security to an existing web application. As a starting point this tutorial will use a previously scaffolded application (see Spring MVC scaffolding tutorial in Tutorials). For this tutorial we're going to use the In-Memory security realm. While it's uncommon to use the in-memory security realm in production applications, it's a great security realm to use during development, because it doesn't require integration with an LDAP system or database system. The in-memory security realm is the quickest way to introduce authentication and authorization, and it can be replaced with a more robust security realm at a later time (i.e. during testing or for production).
The prerequisites needed to complete this tutorial are:
CustomersApp Web Project - this scaffolded Spring MVC application was created using the Spring Scaffolding tutorial that is available in the Eclipse help system and online (under MyEclipse for Spring Education Materials)
Let's use the Scaffold Spring Security wizard to bootstrap and configure the CustomersApp project.
Right-click on the CustomersApp project, and choose MyEclipse > Scaffold Spring Security...
The first wizard panel is an introduction to the wizard. Note that the sidebar of all MyEclipse for Spring wizards will have links to relevant online resources. Click the Next button.
The next step is to select the security type for bootstrapping. As explained earlier, the goal is to set up the project to use an in-memory security realm, so select the In Memory option. Click the Next button.
Next the wizard will scan the project for Spring services (@Service) and DAOs (@Repository), and they will be listed in the Secure Services panel. By default all discovered Spring services and DAOs will be secured upon completion of the wizard, but you have the option of unchecking the items that don't need to be secured and/or changing the access attribute for the service. For this tutorial just stick with the defaults. Click the Next button.
The next step is to specify the URLs that should be secured. For this tutorial we're going to just stick with the defaults. Click the Next button.
The next panel will let you specify the views for Spring Security. This panel is configured by default to use some custom views that will also be generated as part of the wizard. There's nothing that needs to be changed on this panel. Just click the Next button.
The last step is to specify the target folders for any generated files. By default the Spring context files will be generated to the /resources folder, and the JSP pages will be generated to the web root folder. There's nothing that needs to be changed on this panel. Just click the Next button.
The final wizard panel will summarize the configuration so that you can review it prior to the wizard actually implementing it. Click the Finish button to bootstrap the project according to the information you provided in the wizard.
That's it. Once the wizard is complete, the project has been bootstrapped and configured with Spring Security.
If you expand the project, you will see that some new files were added to the project. Two Spring security context files were generated. The first one (CustomerApp-generated-security-context.xml) has the bulk of the Spring Security configuration. Several JSP pages were also generated into the WebRoot folder. The JSP pages contain custom login and logout implementations, which can be customized or rebranded.
To deploy the application, right-click on the CustomersApp project and select Run As --> MyEclipse Server Application.
The first thing you'll notice is that the dashboard page has a Login button, which lets the end-user proactively log in to the application. However, the application has been configured to automatically direct the end-user to the login page when a secured resource is accessed. To see how this functions, click on the View Customers button.
Since the View Customers page uses a Spring service and DAO that is secured, the end-user is directed to the login page. While Spring Security has a default login page, the application is using a custom login page that was generated by the scaffolding wizard to match the look-and-feel of the scaffolded application. Log in using admin for the user and admin for the password.
Since we're using the in-memory security realm, the user accounts (including username and password) are configured in the security context file (CustomerApp-generated-security-context.xml). You can change accounts and their associated roles by editing the context file.
After a successful login the end-user will be automatically redirected to the original page (protected resource) that they tried to access. You will notice that the header shows a welcome message with the user id and a Logout button.
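For orientation when editing the context file, the following added example shows how the wizard's three choices (secured URLs, secured services, in-memory accounts) are typically expressed with the Spring Security XML namespace. It is not the file the wizard generates: it assumes the Spring Security 3.0 schema, and the paths, package name, role names and password placeholder are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the wizard's generated file.
     Paths, package, roles and the digest placeholder are assumed. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Secured URLs. Patterns are matched top to bottom and the first
       match wins, so the login page exemption must precede the catch-all. -->
  <http auto-config="true">
    <intercept-url pattern="/login.jsp" filters="none"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"/>
    <logout/>
  </http>

  <!-- Secured services: every public method of the matched beans
       requires the role, even when called from an unsecured URL. -->
  <global-method-security>
    <protect-pointcut
        expression="execution(* com.example.service.*Service.*(..))"
        access="ROLE_USER"/>
  </global-method-security>

  <!-- In-memory realm. The development form keeps the password in clear
       text and equal to the username:
         <user name="admin" password="admin" authorities="ROLE_USER"/>
       Before the application leaves a developer machine, change the
       password and store only its digest, as below. -->
  <authentication-manager>
    <authentication-provider>
      <password-encoder hash="sha-256"/>
      <user-service>
        <user name="admin"
              password="REPLACE_WITH_SHA256_HEX_DIGEST"
              authorities="ROLE_ADMIN,ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

With a `password-encoder` declared, every `password` attribute in the `user-service` must hold the digest rather than the clear-text password, otherwise logins fail. Later Spring Security releases also provide bcrypt, which is preferable to a plain SHA-256 digest where available.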
That's the end of the Spring Security scaffolding tutorial.
What was your experience with this tutorial? Share your experience with us by completing a very brief survey.
Thank you for your interest in MyEclipse for Spring. If you are interested in learning more, the following developer resources are available:
Developer Resources
Reference - Eclipse Help (MyEclipse for Spring 8.6 --> MyEclipse for Spring Reference) or Education Materials (online)
Tutorials - Eclipse Help (MyEclipse for Spring 8.6 --> Tutorials) or Education Materials (online)
Screencasts - MyEclipse for Spring YouTube Channel (online)
Support Forums - MyEclipse for Spring Forums (online)
Blog - MyEclipse for Spring Posts (online)