
Looking for a Simple Spring security example [closed]

Developer https://www.devze.com 2023-02-09 03:04 Source: Internet
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 7 years ago.


I am new to spring-security (Java) and I am looking for a good and simple example of:

  1. How to use spring security for login and logout

  2. Make sure that the session exists on every page and if not redirect to the login again

  3. How to get access to the current User Session

My project is currently working with spring MVC, and hibernate.

I have built the loginAPI + loginDAO, I need now to combine the security and make some of the pages secured.

I searched for tutorials, but a lot of them are very complicated.


Well, this is, I think, by far the best I have seen so far!
http://krams915.blogspot.com/2010/12/spring-security-mvc-integration_18.html


You can look for a Single Sign-On (e.g. CAS) implementation in Spring Security. It'll serve your purpose completely.

Check out:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/cas.html

https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security


This is also a great example:

http://www.mkyong.com/spring-security/spring-security-form-login-example/

http://krams915.blogspot.pt/2010/12/spring-security-3-mvc-using-simple-user.html

Both of them are well documented and are easy to modify for your purpose. Krams talks about LDAP using Spring Security.


If you haven't already, watch this video by the lead developer of Spring Security. It's actually referenced on the Spring Security site, but it's easy to miss. Though I do agree, good Spring Security examples are hard to come by.


Spring Security Tutorial by MKyong

How to perform database authentication (using both XML and Annotations) in Spring Security.

Technologies used :

Spring 3.2.8.RELEASE
Spring Security 3.2.3.RELEASE
Spring JDBC 3.2.3.RELEASE
Eclipse 4.2
JDK 1.6
Maven 3
Tomcat 6 or 7 (Servlet 3.x)
MySQL Server 5.6

SecurityConfig.java

package com.mkyong.config;

import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {

      auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery(
            "select username,password, enabled from users where username=?")
        .authoritiesByUsernameQuery(
            "select username, role from user_roles where username=?");
    }   

    @Override
    protected void configure(HttpSecurity http) throws Exception {

      http.authorizeRequests()
        .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
        .and()
          .formLogin().loginPage("/login").failureUrl("/login?error")
          .usernameParameter("username").passwordParameter("password")
        .and()
          .logout().logoutSuccessUrl("/login?logout")
        .and()
          .exceptionHandling().accessDeniedPage("/403")
        .and()
          .csrf();
    }
}

Spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">

        <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />

        <form-login 
            login-page="/login" 
            default-target-url="/welcome" 
            authentication-failure-url="/login?error" 
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout"  />
        <!-- enable csrf protection -->
        <csrf/>
    </http>

    <!-- Select users and user_roles from database -->
    <authentication-manager>
      <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"
          users-by-username-query=
            "select username,password, enabled from users where username=?"
          authorities-by-username-query=
            "select username, role from user_roles where username =?  " />
      </authentication-provider>
    </authentication-manager>

</beans:beans>
  • In the above configuration, /admin and its sub-folders are all password protected.
  • login-page="/login" – The page to display the custom login form
  • authentication-failure-url="/login?error" – If authentication failed, forward to page /login?error
  • logout-success-url="/login?logout" – If logout successful, forward to view /logout
  • username-parameter="username" – The name of the request which contains the "username". In HTML, this is the name of the input text.
  • <csrf/> – Enable the Cross Site Request Forgery (CSRF) protection
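
Added example, not part of the answer above or of the MKyong tutorial: a variant of the Java configuration for Spring Security 3.2.x that also covers the question's points 2 and 3, requiring a login for every page rather than only /admin/** and reading the current user in a Spring MVC controller. The class names, package and view name are hypothetical, and it assumes users.password holds BCrypt hashes.

```java
package example.security; // hypothetical package

import java.security.Principal;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Configuration
@EnableWebSecurity
public class StrictSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery("select username, password, enabled from users where username=?")
            .authoritiesByUsernameQuery("select username, role from user_roles where username=?")
            // Assumption: stored passwords are BCrypt hashes, not plaintext.
            .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login").permitAll()      // login form, ?error and ?logout
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
            .anyRequest().authenticated()           // no session: redirect to /login
          .and().formLogin().loginPage("/login").failureUrl("/login?error")
            // CSRF is on by default in Java config, so logout is a POST carrying the token.
          .and().logout().logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID")
          .and().exceptionHandling().accessDeniedPage("/403");
    }
}

@Controller
class WelcomeController {
    @RequestMapping("/welcome")
    public String welcome(Principal principal, Model model) {
        // Spring MVC injects the authenticated user; anonymous requests never reach here.
        model.addAttribute("username", principal.getName());
        return "welcome"; // hypothetical view name
    }
}
```

Outside a controller, the same user is available from SecurityContextHolder.getContext().getAuthentication().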