Tuesday, January 21, 2014

Spring Course: V91 - V113 Spring Security and Managing Users

V91: Servlet Filters: A Review
Just as a reminder of how a normal servlet filter works: first you add a filter class,

and of course you should add the filter definition to web.xml.



V92: Adding Spring Security Filter
in this tutorial we will add a Spring Security filter in order to check whether users have access or not.
1- first, add the following libraries to pom.xml: spring-security-core, spring-security-web and spring-security-config.

2- add DelegatingFilterProxy to web.xml.

3- we will add a new security-context.xml to hold the security beans; make sure the security schema is declared there.

4- also make sure that you add security-context.xml to web.xml.

V93: Adding a Spring Login Form
here we will continue by adding a Spring login form.
in Spring you can authenticate users against LDAP, a database that contains the users, or ...
in this tutorial we will authenticate users against a predefined list that is defined in security-context.xml.

1- add <security:authentication-manager> to security-context.xml

as you can see we defined an authentication-provider inside it, with a list of users.

2- now you should define which URLs ask for login information:

as you can see we have the pattern "/**" with denyAll, which means all URLs need authentication; then we add exceptions like "/offers" with permitAll, and "/offercreated" with isAuthenticated(), which means users can enter it if they have authenticated before.

Note: "/**" will prevent access to all URLs, even to the CSS files.
Note: in case the user is not authenticated, Spring will redirect us to a login page to enter a username and password.

V94: Serving Static Resources: Access Rules
in this tutorial we will give access to our CSS files.

if you remember, we defined the following in previous tutorials:

mvc:resources maps the resources folder to the URL /static/**
we will give access to this URL by adding a "permitAll" access rule in security-context.xml


V95: Customising the Login Form
in this tutorial we will set a custom login page instead of the default page that Spring provides:
1- create a login page, login.jsp
2- define a login controller:


as you can see the LoginController will return the user to login.jsp.

3- now you should tell spring to use the login page, you do that in the security-context.xml


V96: Displaying Error Page
in this tutorial we will show an error message in case the username or password is wrong.
1- in security-context.xml we should add this


we set the authentication-failure-url to go to the same page but with an error query string

2- now in the login.jsp we will add some logic to handle the error
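Putting V93 to V96 together, as an added example that is not the course's own security-context.xml: the user names and passwords are constructed, and the LoginController is assumed to be mapped to /login.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed security-context.xml covering V93-V96 -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- V93 step 1: predefined user list (sample credentials, constructed here) -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="alice" password="alicepw" authorities="ROLE_USER" />
                <security:user name="bob"   password="bobpw"   authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- use-expressions="true" lets access="..." hold expressions such as isAuthenticated() -->
    <security:http use-expressions="true">
        <!-- V93 step 2. Rules are tested top to bottom and the first match wins,
             so every exception must be listed BEFORE the catch-all "/**" denyAll. -->
        <!-- V94: the mvc:resources mapping for the CSS lives under /static/** -->
        <security:intercept-url pattern="/static/**"   access="permitAll" />
        <!-- V95: the login page itself must be reachable anonymously, otherwise the
             redirect to it is denied as well and the browser loops -->
        <security:intercept-url pattern="/login"        access="permitAll" />
        <security:intercept-url pattern="/offers"       access="permitAll" />
        <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
        <security:intercept-url pattern="/**"           access="denyAll" />

        <!-- V95/V96: custom login page served by the LoginController; a failed login
             is sent back to the same page with ?error=true for login.jsp to check -->
        <security:form-login login-page="/login"
                             authentication-failure-url="/login?error=true" />
    </security:http>
</beans>
```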

V97: Authorising Users from a Database
here we will authenticate users using a table in the database.

1- as you remember, we have defined a datasource before in dao-context.xml
2- now we should define an authentication provider

3- you should have these tables in the database:
users(username, password) and authorities(username, authority).

4- in case you don't have the default table structure, you should add authorities-by-username-query and users-by-username-query to <security:jdbc-user-service>

V98: Making the “Create Account” Form Work
there is nothing related to Spring in this tutorial: he created a new JSP page with the Create Account form, a new controller, and a User DAO.



V99: Making the “Create Account” Form Work
there is no new spring stuff here.

V100: Adding Validation to the User Form
nothing new here

V101: Dealing With Duplicate Username
also nothing here

V102: Storing Validation Messages in a Property File
in this tutorial we will see how to write the error messages in a property file.

1- we will create a new package and a property file inside.
the package is com.spring.web.messages
and the property file is messages.properties

2- we should add the following bean

as you can see, the bean is of class ResourceBundleMessageSource,
and we set the basename to the path of the property file

3- inside the property file, the properties should be of this style:
Error.class.property
for example, to set the message for the string size error in the User class for the property userName, the entry will be
Size.user.username = asdf asdfasdfa


4- we don't add anything to the User class;

Spring will do the mapping for us.

V103: Using JQuery to verify the password
Nothing new here

V104: Using Property File Values in JSPs
in this tutorial we will see how to read the properties that we defined before in a JSP file.

let's say you have this property in the property file
MatchedPasswords.user.password = Passwords match.

to read this property in a JSP file:
as you can see we added the fmt taglib, and we use <fmt:message>

V105: Adding a Logout Link
simply put: we create logout.jsp, add a controller for it, and then add this to security-context.xml



Video 106: Working With Roles
here we will allow users to see a page only if they have a certain role.
in a previous tutorial we created the Authorities table to hold user authorities; you can add whatever authorities you like there, and then add the following to security-context.xml



as you can see we use hasRole('admin')

Video 107: Outputting Text Based on Authentication Status
here we will do something like: don't show this link if the user is not logged in.
we will do that in the JSP pages.



as you can see we are using the sec tag library and <sec:authorize>

Video 108: Row Mapping with BeanPropertyRowMapper

as you can see, in jdbc.query we are using BeanPropertyRowMapper, which maps the returned rows to User.class and returns a List<User>

Video 109: Using Custom Authentication Queries: Case Sensitive Usernames


we said before that you can write your own database queries to authenticate users (you can do that if you have a different table structure, for example).

the previous picture shows how you can do this.
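As an added example for V97 and V109 (not the course's own configuration): a jdbc-user-service with custom queries for the users(username, password) and authorities(username, authority) tables named above. It assumes MySQL and a data-source bean with id "dataSource" in dao-context.xml.

```xml
<!-- Constructed fragment of security-context.xml; replaces the in-memory user list -->
<security:authentication-manager>
    <security:authentication-provider>
        <!-- The built-in queries expect users(username, password, enabled), so a
             users table without an "enabled" column needs a custom query that
             supplies the flag (column 3) itself.
             "binary" (MySQL) forces a byte-wise comparison: with the default
             case-insensitive collation "Admin" would match the row "admin" and,
             through the second query, inherit its authorities too. -->
        <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query=
                "select username, password, true as enabled
                   from users where binary username = ?"
            authorities-by-username-query=
                "select username, authority
                   from authorities where binary username = ?" />
    </security:authentication-provider>
</security:authentication-manager>
```

Column order matters: Spring reads username, password and enabled from columns 1 to 3 of the first query and the authority from column 2 of the second.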

Video 110: Method-Level Access Control
before, we were preventing users from entering a specific URL based on a role; now we are going to provide method-level access control.

1- in security-context.xml we will enable annotations for this.


2- you do this for methods:

as you can see we use @Secured for this matter.

Video 111: Catching Secure Annotation Violation
in the picture above, if a user tries to call the create method and he doesn't have the ADMIN or USER roles, Spring will throw AccessDeniedException, which you can catch and handle.
you can define a global exception handler to handle the exception and redirect the user wherever you want



another way to handle it is to create a JSP page and redirect users to that page if they don't have access

1- create denied.jsp
2- add a controller to go to denied.jsp

3- add the following to security-context.xml
as you can see we added security:access-denied-handler pointing to that page.
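The role, logout, method-security and access-denied pieces of Videos 105, 106, 110 and 111 in one added example (constructed, not the course's file). The /admin/** pattern, the ROLE_ADMIN/ROLE_USER values and the controllers behind /login, /logout and /denied are assumptions.

```xml
<!-- Constructed fragment of security-context.xml for V105, V106, V110 and V111 -->

<!-- V110: honour @Secured on bean methods, e.g.
         @Secured({"ROLE_ADMIN", "ROLE_USER"})
         public void create(Offer offer) { ... }
     @Secured is decided by RoleVoter, which only looks at values starting with
     "ROLE_"; with a bare "admin" every voter abstains and every caller is denied. -->
<security:global-method-security secured-annotations="enabled" />

<security:http use-expressions="true">
    <!-- V106: the string inside hasRole() is compared as-is with the values stored
         in the authorities table (Spring Security 3.x adds no ROLE_ prefix here,
         so store the same spelling you use in @Secured) -->
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/login"    access="permitAll" />
    <security:intercept-url pattern="/denied"   access="permitAll" />
    <security:intercept-url pattern="/logout"   access="permitAll" />
    <security:intercept-url pattern="/**"       access="isAuthenticated()" />

    <security:form-login login-page="/login" />

    <!-- V105: a GET/POST to /j_spring_security_logout clears the authentication and
         the HTTP session, then the controller behind /logout renders logout.jsp -->
    <security:logout logout-url="/j_spring_security_logout"
                     logout-success-url="/logout"
                     invalidate-session="true" />

    <!-- V111: an AccessDeniedException, whether raised by an intercept-url rule or by
         a @Secured method called from a controller, is answered with the denied.jsp
         view instead of the container's raw 403 page. Make sure no global
         @ExceptionHandler swallows the exception first, or this handler never sees it. -->
    <security:access-denied-handler error-page="/denied" />
</security:http>
```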

Video 112: Adding "Remember Me" Functionality

to configure the default session timeout, you should set the value in web.xml


we use <session-timeout> to set this value.

to add the remember-me functionality:
1- in security-context.xml we add

as you can see we add <security:remember-me>; the key is just a key, you can give it any name; the user-service-ref is the id of the authentication-provider that you want to use

2- now you add the remember-me checkbox in the HTML page:

as you can see the name must be "_spring_security_remember_me"

Video 113: Encrypting Password
in this tutorial we will save encrypted passwords in the database and compare encrypted passwords.

1- add StandardPasswordEncoder bean to security-context.xml

2- you should tell the Authentication-Manager that we are using encrypted password:

3- encrypt the password before you do any database operation:
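Videos 112 and 113 together, as an added example that is not the course's configuration. It assumes the "dataSource" bean from dao-context.xml and a controller behind /login; the key value is a placeholder to replace.

```xml
<!-- Constructed fragment of security-context.xml for V112 and V113 -->

<!-- V113 step 1: salted SHA-256, 1024 iterations, random 8-byte salt per password.
     The SAME bean must be injected into the DAO so that step 3 calls
     passwordEncoder.encode(rawPassword) before the insert; the provider then uses
     matches() at login, so the stored hash is never decrypted. -->
<bean id="passwordEncoder"
      class="org.springframework.security.crypto.password.StandardPasswordEncoder" />

<security:authentication-manager>
    <security:authentication-provider>
        <!-- V113 step 2: tell the provider the stored passwords are encoded -->
        <security:password-encoder ref="passwordEncoder" />
        <!-- the id is what remember-me refers to with user-service-ref -->
        <security:jdbc-user-service id="jdbcUserService" data-source-ref="dataSource" />
    </security:authentication-provider>
</security:authentication-manager>

<security:http use-expressions="true">
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/**"    access="isAuthenticated()" />
    <security:form-login login-page="/login" />

    <!-- V112: hash-based remember-me. The cookie is derived from the username,
         the expiry time, the stored password hash and this key, so the key must be
         a long random secret kept out of version control; changing it invalidates
         every outstanding cookie. token-validity-seconds caps how long a copied
         cookie stays usable (14 days here). The form's checkbox must be named
         _spring_security_remember_me for the filter to notice it. -->
    <security:remember-me key="CHANGE-ME-long-random-secret"
                          user-service-ref="jdbcUserService"
                          token-validity-seconds="1209600" />
</security:http>
```

If the application has a data source anyway, `<security:remember-me data-source-ref="dataSource" .../>` with the persistent_logins table keeps the password hash out of the cookie entirely and lets a token be revoked server-side.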

