just as a reminder of how a normal servlet filter works: first you add a filter class, and of course you must add the filter definition to web.xml
V92: Adding Spring Security Filter
in this tutorial we will add a Spring Security filter in order to check whether users have access or not
1- first, add the following libraries to pom.xml: spring-security-core, spring-security-web and spring-security-config.
2- add DelegatingFilterProxy to web.xml
3- we will add a new security-context.xml to hold the security beans; make sure the security schema (namespace) is declared in it
4- also make sure that you add security-context.xml to web.xml
V93: Adding a Spring Login Form
we will continue here by adding a Spring login form
in Spring you can authenticate users against LDAP, a database that contains the users, and so on
in this tutorial we will authenticate users against a predefined list that is defined in security-context.xml
1- add <security:authentication-manager> to security-context.xml
as you can see, we defined an authentication-provider inside it, and inside that a list of users.
2- now you should define which URLs ask for login information,
as you can see we have the pattern "/**" with denyAll, which means all URLs need authentication; then we add exceptions such as "/offers" with permitAll, and "/offerecreated" with isAuthenticated(), which means users can enter it only if they have authenticated before
Note: "/**" on its own will block access to all URLs, even to the CSS files
Note: in case the user is not authenticated, Spring will redirect us to a login page to enter a username and password.
V94: Serving Static Resources: Access Rules
in this tutorial we will give access to our CSS files.
if you remember, we defined the following in previous tutorials:
<mvc:resources> maps the resources folder to the URL /static/**
we will give access to this URL by adding a "permitAll" rule in security-context.xml
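A security-context.xml covering V93 (steps 1 and 2) and V94 together, as an added example; it is not the course's file, and the user names, passwords, the Spring Security 3.1 schema version and the exact URL patterns are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example security-context.xml for V93/V94, not the course's file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- V93 step 1: the authentication manager with a fixed list of users.
       The user names, passwords and authority names are constructed sample values. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="admin" password="admin-sample-pw" authorities="admin, user"/>
        <security:user name="bob"   password="bob-sample-pw"   authorities="user"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- V93 step 2 and V94: URL access rules. use-expressions="true" is what makes
       permitAll / denyAll / isAuthenticated() valid in the access attribute.
       Rules are tested top to bottom and the FIRST matching pattern wins, so the
       exceptions must be listed before the catch-all "/**"; a denyAll "/**" placed
       first would shadow every rule below it and lock out the CSS as well. -->
  <security:http use-expressions="true">
    <!-- V94: static resources served by <mvc:resources> under /static/** -->
    <security:intercept-url pattern="/static/**" access="permitAll"/>
    <!-- public pages -->
    <security:intercept-url pattern="/" access="permitAll"/>
    <security:intercept-url pattern="/offers" access="permitAll"/>
    <!-- only users who have logged in -->
    <security:intercept-url pattern="/offerecreated" access="isAuthenticated()"/>
    <!-- catch-all: anything not listed above is denied; for an anonymous user
         this denial is what triggers the redirect to the login page -->
    <security:intercept-url pattern="/**" access="denyAll"/>

    <!-- without a login-page attribute Spring Security generates its default form -->
    <security:form-login/>
    <!-- default logout URL in Spring Security 3.x is /j_spring_security_logout -->
    <security:logout/>
  </security:http>
</beans>
```

A quick way to check the ordering is to request a CSS file under /static/ while logged out: with the rules in the order above it is served, with "/**" moved to the top it redirects to the login page.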
V95: Customising the Login Form
in this tutorial we will set a custom login page instead of the default page that Spring provides:
1- create a login page, login.jsp
2- define a login controller:
as you can see, the LoginController returns the user to login.jsp.
3- now you should tell Spring to use the login page; you do that in security-context.xml
V96: Displaying Error Page
in this tutorial we will show an error in case the username or password is wrong.
1- in security-context.xml we should add this:
we set authentication-failure-url to go back to the same page but with an error query string
2- now in login.jsp we add some logic to handle the error
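The <security:http> element for V95 step 3 and V96 step 1, as an added example (not the course's file); it goes inside the <beans> root of security-context.xml with the security namespace declared, and the URLs /login and /offers are assumptions:

```xml
<!-- Added example for V95/V96, not the course's file; URLs are assumptions. -->
<security:http use-expressions="true">
  <!-- The login page itself must be reachable anonymously; otherwise the
       redirect to it is denied as well and the browser ends in a redirect loop. -->
  <security:intercept-url pattern="/login" access="permitAll"/>
  <security:intercept-url pattern="/static/**" access="permitAll"/>
  <security:intercept-url pattern="/offers" access="permitAll"/>
  <security:intercept-url pattern="/**" access="isAuthenticated()"/>

  <!-- V95 step 3: login-page is the URL that LoginController maps to login.jsp.
       V96 step 1: after a wrong username or password Spring redirects to
       authentication-failure-url; login.jsp then tests the query string
       (JSTL: <c:if test="${param.error}">) and prints the error message.
       In Spring Security 3.x the form posts to /j_spring_security_check with
       the fields j_username and j_password. -->
  <security:form-login login-page="/login"
                       authentication-failure-url="/login?error=true"
                       default-target-url="/offers"/>
</security:http>
```

Using a query-string flag rather than echoing the failure reason keeps the page from telling an attacker whether it was the username or the password that was wrong. Note that Spring Security 4 and later change the defaults used here: the processing URL becomes /login, the fields become username and password, and CSRF protection is on by default, so a hand-written login.jsp then also needs the CSRF token field (<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>) or every login attempt is rejected.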
here we will authenticate users using a table in the database.
1- as you remember, we defined a datasource before in dao-context.xml
3- you should have these tables in the database:
users(username, password) and authorities(username, authority).
4- in case you don't have the default table structure, you should add users-by-username-query and authorities-by-username-query to <security:jdbc-user-service>
V98: Making the “Create Account” Form Work
there is nothing related to Spring in this tutorial; the instructor created a new JSP page with the Create Account form and a new controller, and also added a User DAO.
V99: Making the “Create Account” Form Work
there is no new spring stuff here.
V100: Adding Validation to the User Form
nothing new here
V101: Dealing With Duplicate Username
also nothing here
V102: Storing Validation Messages in a Property File
in this tutorial we will see how to put the error messages in a property file.
1- we create a new package with a property file inside.
the package is com.spring.web.messages
and the property file is messages.properties
2- we should add the following bean:
as you can see, the bean is of class ResourceBundleMessageSource
and we set the basename to the path of the property file
3- inside the property file, the properties should be of this style:
for example, to set the message for the string size error in the User class for the property userName, the entry will be
Size.user.username = asdf asdfasdfa
4- we don't add anything to the User class;
Spring does the mapping for us
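The bean from step 2, as an added example (not the course's file); it assumes the package and file names given above and goes in one of the Spring context files:

```xml
<!-- Added example for V102, not the course's file. -->
<bean id="messageSource"
      class="org.springframework.context.support.ResourceBundleMessageSource">
  <!-- basename is the classpath location of messages.properties in dotted form
       and WITHOUT the .properties suffix; appending the suffix is the usual
       reason the messages are silently not found. The bean id must be exactly
       "messageSource", since that is the name Spring looks up. -->
  <property name="basename" value="com.spring.web.messages.messages"/>
</bean>
```

The keys in the file follow the pattern ErrorCode.modelAttributeName.fieldName, so Size.user.username is the message for a @Size violation on the username field of the model attribute named "user"; a key of just Size.user or Size is also consulted, as a fallback for any field.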
V103: Using jQuery to verify the password
Nothing new here
V104: Using Property File Values in JSPs
in this tutorial we will see how to read the properties we defined before from a JSP file
let's say you have this property in the property file
MatchedPasswords.user.password = Passwords match.
to read this property in the JSP file:
as you can see, we added the fmt taglib and we use <fmt:message>
simply, we create logout.jsp, we add a controller for it, and then we add this to security-context.xml
Video 106: Working With Roles
here we will allow users to see a page only if they have a certain role.
in a previous tutorial we created the authorities table to hold user authorities; you can add whatever authorities you like there, and then add the following to security-context.xml
as you can see, we use hasRole('admin')
Video 107: Outputting Text Based on Authentication Status
here we will do something like: don't show this link if the user is not logged in.
we will do that in the JSP pages.
as you can see, we use the sec tag library and <sec:authorize>
Video 108: Row Mapping with BeanPropertyRowMapper
as you can see, in jdbc.query we are using BeanPropertyRowMapper; this maps the returned rows to User.class and returns a List<User>
Video 109: Using Custom Authentication Queries: Case Sensitive Usernames
the previous picture shows how you can do this.
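The <security:jdbc-user-service> for the database authentication steps above (step 4) together with the case-sensitive lookup of Video 109, as an added example (not the course's file); it assumes the "dataSource" bean from dao-context.xml, a MySQL database, and that the users table has an enabled column:

```xml
<!-- Added example for the JDBC authentication steps and Video 109, not the
     course's file. Assumes the "dataSource" bean and a MySQL database. -->
<security:authentication-manager>
  <security:authentication-provider>
    <!-- The queries Spring Security runs by default are
           select username, password, enabled from users where username = ?
           select username, authority from authorities where username = ?
         so with the default users(username, password, enabled) and
         authorities(username, authority) tables no query attributes are needed.
         Two reasons to override them:
         1. a different table layout (e.g. no enabled column: select a constant
            true in its place, as in "select username, password, true from users ...")
         2. Video 109: MySQL's default collation compares strings without regard
            to case, so "Admin" and "admin" would log in as the same account.
            BINARY forces an exact byte-wise comparison. -->
    <security:jdbc-user-service
        data-source-ref="dataSource"
        users-by-username-query="select username, password, enabled from users where BINARY username = ?"
        authorities-by-username-query="select username, authority from authorities where BINARY username = ?"/>
  </security:authentication-provider>
</security:authentication-manager>
```

The same consideration applies at account creation: if the duplicate-username check of Video 101 runs a case-insensitive query while the login query is exact, a user can register "Admin" next to an existing "admin"; keep both queries consistent.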
Video 110: Method-Level Access Control
before, we were preventing users from entering a specific URL based on a role; now we are going to provide method-level access control.
1- in security-context.xml we enable annotations for this purpose.
2- you do this for methods:
as you can see, we use @Secured for this.
Video 111: Catching Secure Annotation Violation
in the picture above, if a user tries to call the create method and he doesn't have the ADMIN or USER role, Spring will throw an AccessDeniedException; you can catch and handle this exception.
you can define a global exception handler to handle the exception and redirect the user wherever you want
another way to handle it is to create a JSP page and redirect users to that page if they don't have access
1- create denied.jsp
2- add a controller to go to denied.jsp
3- add the following to security-context.xml
as you can see, we added security:access-denied-handler pointing to that page.
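One configuration that ties together Video 106 (URL rules by role), Video 110 step 1 (enabling @Secured) and Video 111 step 3 (the access-denied handler), as an added example; it is not the course's file, it goes inside the <beans> root of security-context.xml, and the URL patterns and the ROLE_ADMIN authority name are assumptions:

```xml
<!-- Added example for Videos 106, 110 and 111, not the course's file. -->

<!-- Video 110 step 1: switch on @Secured support. This element only affects
     beans defined in the context it is declared in, so if the @Secured methods
     are on controllers it has to be declared in the dispatcher (MVC) context
     instead of the root context. -->
<security:global-method-security secured-annotations="enabled"/>

<security:http use-expressions="true">
  <security:intercept-url pattern="/static/**" access="permitAll"/>
  <security:intercept-url pattern="/login" access="permitAll"/>
  <!-- Video 106: only users holding this value in the authorities table.
       In Spring Security 3.x hasRole() compares the literal string with the
       loaded authorities, so the page's plain 'admin' works here. @Secured,
       however, is decided by RoleVoter, which only looks at values starting
       with ROLE_ and abstains on anything else, so @Secured("admin") would deny
       everyone. Storing the authority as ROLE_ADMIN makes one value usable in
       both places: hasRole('ROLE_ADMIN') here and @Secured({"ROLE_ADMIN"}) on
       the method. -->
  <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
  <security:intercept-url pattern="/**" access="isAuthenticated()"/>

  <security:form-login login-page="/login" authentication-failure-url="/login?error=true"/>

  <!-- Video 111 step 3: where to send a logged-in user who lacks the role.
       The request is forwarded (not redirected) to this page, which the
       controller from step 2 maps to denied.jsp. Without this element Spring
       answers with a bare HTTP 403. It only applies to authenticated users;
       an anonymous user is still sent to the login page instead. -->
  <security:access-denied-handler error-page="/denied"/>
</security:http>
```

The two mechanisms complement each other: the URL rule stops a request before any controller runs, while @Secured on the service or DAO method also protects that method when it is reached by another path, which is why the AccessDeniedException of Video 111 can still surface even with a URL rule in place.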
Video 112: Adding "Remember Me" Functionality
to configure the default session timeout, you should set the value in web.xml
we use <session-timeout> to set this value.
to add the remember me functionality:
1- in security-context.xml we add
as you can see, we add <security:remember-me>; the key is just a key, you can give it any name; the user-service-ref is the id of the authentication-provider that you want to use
4- now you add a remember me checkbox in the HTML page:
as you can see, the name must be "_spring_security_remember_me"
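The remember-me configuration of step 1, as an added example (not the course's file); it goes inside the <beans> root of security-context.xml and assumes the "dataSource" bean and the bean id "userService":

```xml
<!-- Added example for Video 112, not the course's file; "userService" is an assumed id. -->
<security:authentication-manager>
  <security:authentication-provider>
    <!-- the id on the user service element is what user-service-ref points at -->
    <security:jdbc-user-service id="userService" data-source-ref="dataSource"/>
  </security:authentication-provider>
</security:authentication-manager>

<security:http use-expressions="true">
  <security:intercept-url pattern="/**" access="isAuthenticated()"/>
  <security:form-login/>
  <!-- The cookie value is username:expiry:hash, where the hash covers the
       username, the expiry, the user's stored password and this key. The key
       therefore has to be a long random secret kept out of version control:
       whoever knows it (plus a user's stored password value) can mint a valid
       remember-me cookie for that user. token-validity-seconds caps how long a
       cookie is honoured (here 14 days). -->
  <security:remember-me key="CHANGE-ME-long-random-secret"
                        user-service-ref="userService"
                        token-validity-seconds="1209600"/>
</security:http>

<!-- Step 4, the checkbox in the HTML form (Spring Security 3.x parameter name):
       <input type="checkbox" name="_spring_security_remember_me"/> Remember me
     Spring Security 4 and later rename the parameter to "remember-me". -->
```

If a leaked key would be too costly to rotate (rotating it logs every remembered user out), the persistent-token variant is the alternative: replacing the key-based element with <security:remember-me data-source-ref="dataSource"/> stores random series/token pairs in a persistent_logins table, so a cookie can be revoked per user and a stolen one is detected when the original user presents the old token.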
Video 113: Encrypting Password
in this tutorial we will save the encrypted password in the database and compare against the encrypted password.
1- add a StandardPasswordEncoder bean to security-context.xml
2- tell the authentication-manager that we are using encrypted passwords:
3- encrypt the password before you do any database operation:
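Steps 1 and 2 in security-context.xml, as an added example (not the course's file); the bean ids are assumptions and the "dataSource" bean comes from dao-context.xml:

```xml
<!-- Added example for Video 113, not the course's file; bean ids are assumptions. -->

<!-- Step 1: the encoder bean. StandardPasswordEncoder is salted SHA-256 with
     1024 iterations: the output is a one-way hash, so the stored value can
     never be turned back into the password, only re-hashed and compared.
     Later Spring Security releases deprecate it in favour of
     BCryptPasswordEncoder, which is a drop-in replacement on this line. -->
<bean id="passwordEncoder"
      class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

<!-- Step 2: tell the provider that the password column holds encoded values.
     On login it calls passwordEncoder.matches(rawPassword, storedValue) instead
     of comparing the two strings. -->
<security:authentication-manager>
  <security:authentication-provider>
    <security:jdbc-user-service id="userService" data-source-ref="dataSource"/>
    <security:password-encoder ref="passwordEncoder"/>
  </security:authentication-provider>
</security:authentication-manager>

<!-- Step 3 happens in Java where the account is created: inject the
     passwordEncoder bean and store passwordEncoder.encode(user.getPassword())
     instead of the raw value. StandardPasswordEncoder output is 80 hex
     characters and BCrypt output is 60, so the password column must be at
     least that wide or the stored hash is truncated and no login will match. -->
```

Because the salt is generated per call and stored inside the encoded value, encoding the same password twice gives two different strings; that is expected, and it is why the comparison must go through matches() rather than through an equality check in SQL.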