112 lines
4.6 KiB
Plaintext
112 lines
4.6 KiB
Plaintext
= Hello Spring Security Java Config
|
|
:author: Rob Winch
|
|
:starter-appname: insecure
|
|
:completed-appname: helloworld-jc
|
|
:include-dir: _includes
|
|
:hello-include-dir: _hello-includes
|
|
|
|
This guide provides instructions on how to add Spring Security to an existing application without the use of XML.
|
|
|
|
include::{include-dir}/setting-up-the-sample.asc[]
|
|
|
|
Verify the application is working by ensuring a page stating *TODO Secure this* is displayed at http://localhost:8080/sample/
|
|
|
|
Once you have verified the application runs, stop the application server using the following steps:
|
|
|
|
* In the Servers view select the latest tc Server
|
|
* Click the stop button (a red square) to stop the application server
|
|
|
|
include::{hello-include-dir}/secure-the-application.asc[]
|
|
|
|
=== Registering Spring Security with the war
|
|
|
|
We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:
|
|
|
|
* Navigate to the *Package Explorer* view
|
|
* Right click the *org.springframework.security.samples.config* package within the *spring-security-samples-{starter-appname}* project
|
|
* Select *New->Class*
|
|
* Enter _SecurityWebApplicationInitializer_ for the *Name*
|
|
* Click *Finish*
|
|
* Replace the file with the following contents:
|
|
|
|
.src/main/java/org/springframework/security/samples/config/SecurityWebApplicationInitializer.java
|
|
[source,java]
|
|
----
|
|
package org.springframework.security.samples.config;
|
|
|
|
import org.springframework.security.web.context.*;
|
|
|
|
public class SecurityWebApplicationInitializer
|
|
extends AbstractSecurityWebApplicationInitializer {
|
|
|
|
public SecurityWebApplicationInitializer() {
|
|
super(SecurityConfig.class);
|
|
}
|
|
}
|
|
----
|
|
|
|
The `SecurityWebApplicationInitializer` will do the following things:
|
|
|
|
* Automatically register the springSecurityFilterChain Filter for every URL in your application
|
|
* Add a ContextLoaderListener that loads the <<security-config-java,SecurityConfig>>.
|
|
|
|
NOTE: Since we were not already using Spring, this is a simple way to add our <<security-config-java,SecurityConfig>>. If we were already using Spring, then we should add our <<security-config-java,SecurityConfig>> with the reset of our Spring configuration (i.e. a subclass of AbstractContextLoaderInitializer or AbstractDispatcherServletInitializer) and use the default constructor instead.
|
|
|
|
include::{hello-include-dir}/exploring-the-secured-application.asc[]
|
|
|
|
==== Displaying the user name
|
|
|
|
Now that we have authenticated, let's update the application to display the username. Update the body of index.jsp to be the following:
|
|
|
|
.src/main/webapp/index.jsp
|
|
[source,html]
|
|
----
|
|
<body>
|
|
<div class="container">
|
|
<h1>This is secured!</h1>
|
|
<p>
|
|
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
|
|
</p>
|
|
</div>
|
|
</body>
|
|
----
|
|
|
|
WARNING: The `<c:out />` tag ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
|
|
|
Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>
|
|
|
|
==== Logging out
|
|
|
|
Now that we can view the user name, let's update the application to allow logging out. Update the body of index.jsp to contain a log out form as shown below:
|
|
|
|
.src/main/webapp/index.jsp
|
|
[source,html]
|
|
----
|
|
<body>
|
|
<div class="container">
|
|
<h1>This is secured!</h1>
|
|
<p>
|
|
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
|
|
</p>
|
|
<c:url var="logoutUrl" value="/logout"/>
|
|
<form class="form-inline" action="${logoutUrl}" method="post">
|
|
<input type="submit" value="Log out" />
|
|
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
|
|
</form>
|
|
</div>
|
|
</body>
|
|
----
|
|
|
|
In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
|
|
|
* the HTTP method must be a POST
|
|
* the CSRF token must be added to the request You can access it on the ServletRequest using the attribute _csrf as illustrated above.
|
|
|
|
NOTE: If you were using Spring MVC's tag library or Thymeleaf, the CSRF token is automatically added as a hidden input for you.
|
|
|
|
Refresh the page at http://localhost:8080/sample/ and you will see the log out button. Click the logout button and see that the application logs you out successfully.
|
|
|
|
== Conclusion
|
|
|
|
You should now know how to secure your application using Spring Security without using any XML. To learn more refer to the link:index.html[Spring Security Guides index page].
|