Spring Security Overview
Spring Security is a Servlet Filter
web.xml configuration
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
1. Adds the Spring Security servlet filter
2. Applies the Spring Security servlet filter to the root URL pattern: /*
3. Registers HttpSessionEventPublisher, the Spring Security HTTP session listener that publishes session-created and session-destroyed events to the application context (required for concurrent-session control)
Loading Spring Security configuration
1. Via Spring context-param in web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/spring/security-config.xml
</param-value>
</context-param>
2. Via import in Spring XML configuration file
<import resource="security-config.xml"/>
3. Via programmatic configuration
@Configuration
@ImportResource("classpath:/spring/security-config.xml")
public class ApplicationConfig {
...
Specifying Authentication Managers
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="weakpassword" authorities="ROLE_SUPERUSER"/>
</user-service>
</authentication-provider>
</authentication-manager>
1. Defining a single authentication manager will make it the default
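The in-memory user above stores its password in clear text, which is fine for a slide but not for a real user store: anyone who can read the configuration file can log in as admin. The following is an added example (not code from the original deck) showing what the value in <user password="..."> should be instead, produced and verified with Spring Security's BCryptPasswordEncoder from spring-security-crypto. The class name CredentialDemo and the work factor 12 are assumptions; "weakpassword" is the deck's own sample value. In the namespace configuration the matching change is to declare the encoder as a bean and point the provider at it with <password-encoder ref="..."/> inside <authentication-provider>, so the provider hashes the submitted password the same way before comparing.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not from the original deck): how the stored credential is
// produced when the account is created and how it is verified at login.
public class CredentialDemo {

    // Work factor 12 is an assumption; raise it as hardware gets faster.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    // Run once when the account is created; the returned string is what goes
    // into the user store (the password="..." attribute of <user>).
    static String storedCredential(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Run at login by the authentication provider: compares the submitted
    // password with the stored hash without ever recovering the original.
    static boolean login(String submitted, String stored) {
        return ENCODER.matches(submitted, stored);
    }

    public static void main(String[] args) {
        String stored = storedCredential("weakpassword");
        String storedAgain = storedCredential("weakpassword");

        // Each encode() call embeds a fresh random salt, so two hashes of the
        // same password are different strings...
        System.out.println("hash 1: " + stored);
        System.out.println("hash 2: " + storedAgain);
        System.out.println("hashes identical? " + stored.equals(storedAgain));

        // ...yet both verify the correct password and reject a wrong one.
        System.out.println("correct password accepted: " + login("weakpassword", stored));
        System.out.println("wrong password accepted:   " + login("Weakpassword", storedAgain));
    }
}
```

The salt lives inside the bcrypt string, so no separate salt column or <salt-source> is needed, and the work factor can be raised later without changing the configuration format: old hashes keep verifying with their embedded cost until the user next changes the password.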
<http pattern="/dashboard/**" authentication-manager-ref="webAuthenticationManager"/>
<http pattern="/mobile/**" authentication-manager-ref="mobileAuthenticationManager"/>
<authentication-manager id="webAuthenticationManager">
<authentication-provider ref="springWebSecurityService"/>
</authentication-manager>
<authentication-manager id="mobileAuthenticationManager">
<authentication-provider ref="springMobileSecurityService"/>
</authentication-manager>
2. Choose from multiple authentication managers by reference
Specifying role-based access
<http use-expressions="true">
<intercept-url pattern="/checkout" access="hasAnyRole('ROLE_SUPERUSER','ROLE_ADMIN','ROLE_CUSTOMER')"/>
</http>
1. By URL via Spring Security configuration file
Spring Security configuration:
<global-method-security pre-post-annotations="enabled"/>
Java class:
@PreAuthorize("hasAnyRole('ROLE_SUPERUSER','ROLE_ADMIN','ROLE_CUSTOMER')")
public Order processOrder(Customer customer, Cart shoppingCart) {
...
2. By method annotation
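The @PreAuthorize check above is enforced by a Spring AOP proxy wrapped around the bean, which has a consequence worth seeing in code: a call that never crosses the proxy boundary is never checked. The example below is added here and is not from the original deck; OrderService, expediteOrder and the stand-in Order, Customer and Cart classes are assumptions standing in for the deck's domain types.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Added example (not from the original deck). The service shows the
// self-invocation pitfall of proxy-based method security and one fix.
@Service
public class OrderService {

    // Same rule as on the slide: checked when a caller outside this class
    // invokes the method through the Spring-managed proxy.
    @PreAuthorize("hasAnyRole('ROLE_SUPERUSER','ROLE_ADMIN','ROLE_CUSTOMER')")
    public Order processOrder(Customer customer, Cart shoppingCart) {
        return new Order(customer, shoppingCart);
    }

    // PITFALL: this internal call goes straight to the target object, not
    // through the proxy, so the @PreAuthorize on processOrder() is never
    // evaluated. An anonymous caller of expediteOrder() gets an order created
    // with no role check at all.
    public Order expediteOrder(Customer customer, Cart shoppingCart) {
        Order order = processOrder(customer, shoppingCart);
        order.expedite();
        return order;
    }

    // FIX (one of several): annotate every public entry point, so the check
    // runs on the method the proxy actually intercepts.
    @PreAuthorize("hasAnyRole('ROLE_SUPERUSER','ROLE_ADMIN')")
    public Order expediteOrderChecked(Customer customer, Cart shoppingCart) {
        Order order = processOrder(customer, shoppingCart);
        order.expedite();
        return order;
    }
}

// Minimal stand-ins so the example compiles; not part of the deck.
class Customer { }
class Cart { }
class Order {
    private final Customer customer;
    private final Cart cart;
    private boolean expedited;

    Order(Customer customer, Cart cart) { this.customer = customer; this.cart = cart; }
    void expedite() { this.expedited = true; }
    boolean isExpedited() { return expedited; }
    Customer getCustomer() { return customer; }
    Cart getCart() { return cart; }
}
```

Other fixes are to move the guarded method into a separate bean so every call is an external one, or to switch to mode="aspectj" on <global-method-security>, which weaves the check into the class itself. A related pitfall: <global-method-security> only applies to beans defined in the same application context, so a declaration in the root context does not secure controllers created by the DispatcherServlet's child context.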
Other access restrictions
<http use-expressions="true">
<intercept-url pattern="/noc" access="hasIpAddress('192.168.1.0/24') or hasIpAddress('127.0.0.1')"/>
</http>
1. By IP address
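hasIpAddress(...) compiles each argument into an IpAddressMatcher and tests it against HttpServletRequest.getRemoteAddr(), that is, the TCP peer of the servlet container. The example below is added here and is not from the original deck; it builds the same two matchers as the expression above and runs them over constructed sample addresses, including one standing in for a reverse proxy. The class name NocAccessCheck, the matcher package (org.springframework.security.web.util.matcher, as of Spring Security 3.2; earlier 3.x releases keep the class in org.springframework.security.web.util) and the address 10.0.0.5 are assumptions.

```java
import org.springframework.security.web.util.matcher.IpAddressMatcher;

// Added example (not from the original deck): the matchers behind
// hasIpAddress('192.168.1.0/24') or hasIpAddress('127.0.0.1').
public class NocAccessCheck {

    private static final IpAddressMatcher OPS_LAN  = new IpAddressMatcher("192.168.1.0/24");
    private static final IpAddressMatcher LOOPBACK = new IpAddressMatcher("127.0.0.1");

    // The expression evaluates getRemoteAddr(), so the helper takes exactly that.
    static boolean nocAllowed(String remoteAddr) {
        return OPS_LAN.matches(remoteAddr) || LOOPBACK.matches(remoteAddr);
    }

    public static void main(String[] args) {
        // Constructed sample peer addresses.
        String[] peers = {
            "192.168.1.10",   // workstation inside the ops LAN range
            "192.168.2.10",   // adjacent subnet, outside the range
            "127.0.0.1",      // loopback
            "::1",            // IPv6 loopback, as seen on a dual-stack host
            "10.0.0.5",       // a reverse proxy in front of the application (assumed)
        };
        for (String peer : peers) {
            System.out.println(peer + " -> " + (nocAllowed(peer) ? "allow" : "deny"));
        }
        // When 10.0.0.5 is a reverse proxy, every request reaches the servlet
        // with that peer address: a genuine ops workstation is denied, and had
        // the proxy itself been placed inside 192.168.1.0/24, every Internet
        // client would be allowed. Resolve the real client address in front of
        // Spring Security (Tomcat's RemoteIpValve or RemoteIpFilter configured
        // with a trusted-proxy list) rather than by loosening the expression.
    }
}
```

Two checks before relying on this rule in production: confirm what getRemoteAddr() returns on the deployed topology (load balancer, container network), and remember that an IPv4 matcher such as '127.0.0.1' does not match an IPv6 peer such as ::1, which is what loopback connections often look like on dual-stack hosts; add hasIpAddress('::1') if that case is intended.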
<http use-expressions="true">
<intercept-url pattern="/message-board" access="isAuthenticated()"/>
</http>
2. As long as the user is logged in
3. More expressions are listed in Spring Security's documentation