Jul 07
5 Minute Guide to Spring Security
Update! May 31, 2010: I have published a new book, Spring Security 3, covering many aspects of Spring Security from top to bottom. The book is targeted both at novices and intermediate to advanced users. I’d encourage you to read my blog post of the announcement, and visit the book’s web site, to determine if you think it will help you.
Although I’ve used Acegi Security in the past, I hadn’t tried it since it was renamed Spring Security and folded into the Spring Portfolio. I decided to approach its integration into a typical Spring web application with the eyes of a new user and write up my notes as a 5 minute guide to Spring Security.
Pretending to be a new user, I found the suggested steps a bit bewildering. Let’s take these one at a time, and I’ll try to help you out where the instructions are unclear:
1. First of all, deploy the “Tutorial Sample”, which is included in the main distribution ZIP file.
Aside from the weird packaging of Spring Security, it’s not clear which file this is. You should be deploying spring-security-samples-tutorial-2.0.x.war to your servlet container in the usual fashion. In the case of Tomcat, for example, use the deployment tool or drop this into your webapps directory. You should see the tutorial application in your browser. Let’s move to step 2…
2. Next, follow the Petclinic Tutorial , which covers how to add Spring Security to the commonly-used Petclinic sample application that ships with Spring.
This is pretty straightforward. The only error I found was that there is a reference to %spring-sec-tutorial%\WEB-INF\applicationContext-security-ns.xml. This should be applicationContext-security.xml instead. Note that I didn’t actually try this part of the tutorial with the Petclinic application, since I had my own test app I wanted to integrate with.
And here’s where the fun starts. Once you get past the convention over configuration convenience, you will need to customize Spring Security. One of the first things I looked for in the documentation was what all the bits in the XML namespace did. When this product was Acegi security, you could be pretty sure of looking at the Javadoc and getting documentation. Not so with XML configuration! While the Spring Framework documentation includes an excellent appendix with a reasonable level of detail on each of the namespaced XML declarations, Spring Security has nothing like this.
With convention over configuration, good documentation of the defaults becomes especially important, and it’s unfortunate the documentation isn’t really adequate in this area.
That said, I’ll try to cover a basic scenario here where we integrate Spring Security, using database-backed authentication, into an existing Spring web application. Here’s what I wanted for my example:
- Database-backed authentication
- Users have a single “role” – either plain user, or admin
- Customized login page
It’s a bit hard to cover this in 5 minutes, so I have skipped some of the stuff I hope you know already, such as use of Spring XML namespaces, and configuring simple JDBC DataSources. Please let me know if you miss this stuff! 
Getting Started
I would suggest getting started with the applicationContext-security.xml that is found in the tutorial sample, and trimming it down a bit. Here’s what I got when I trimmed it down:
<?xml version="1.0" encoding="UTF-8"?> <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $ --> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"> <global-method-security secured-annotations="enabled"> </global-method-security> <http auto-config="true"> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> </http> <!-- Usernames/Passwords are rod/koala dianne/emu scott/wombat peter/opal --> <authentication-provider> <password-encoder hash="md5"/> <user-service> <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" /> <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" /> <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" /> <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" /> </user-service> </authentication-provider> </beans:beans> |
This makes a good baseline for the modifications we’re going to make. But first…
Mapping XML Elements to Java Code
I found it very helpful at this point, before messing with the XML, to know where the Java code was that corresponded to the available XML elements. The basic class that Spring Security uses for mapping XML elements to beans is SecurityNamespaceHandler. The code in this class simply delegates XML elements to bean definition parsers. It’s easy to follow along and map XML elements to Java code in this way. Unfortunately, don’t expect extensive commenting in the Java code to help you 
web.xml Changes
I agree with the Spring Security documentation and found it easier to extract the security-related stuff into its own XML configuration file. This allows you to play XML tricks and not require namespace-tagging for the security elements. First off, you have to include a reference to applicationContext-security.xml in your [Spring] initialization parameters in your web.xml file:
<context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-app-servlet.xml /WEB-INF/applicationContext-security.xml </param-value> </context-param> |
Next, as instructed by the Spring Security getting started guide, you need to add the filter mapping. In my case, this went right after the <context-param> end tag, since I didn’t have any other filters:
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> |
This default mapping will run all requests to your application through Spring Security. Now we’re done with web.xml, and we move on to…
Database-Backed Authentication
In my case, my application was already configured to use a JDBC DataSource, so pointing Spring Security at my JDBC data source was as easy as modifying the authentication-provider element to reference my already configured Spring bean:
<authentication-provider> <jdbc-user-service data-source-ref="dataSource"/> </authentication-provider> |
Now, the immediate question I asked is – OK, what does the convention over configuration assume my database tables look like? If you look at the documentation of the JDBC authentication provider, you would expect to see that information there, but you’d be wrong.
Instead, you have to look at the SQL queries that are hard-coded in the JdbcDaoImpl class and infer the schema structure for yourself. This article has a graphical depiction of the basic schema down in section 5.4.
If you want to configure the queries that are used, simply match the available attributes on the jdbc-user-service element to the SQL queries in the Java class I referenced above. In my example, I wanted to simplify my schema by adding the user’s role directly to the user table. So I modified the XML configuration slightly as follows:
<jdbc-user-service data-source-ref="dataSource" authorities-by-username-query="select username,authority from users where username=?"/> |
This allowed me to put values in the ‘authority’ column like ‘ROLE_ADMIN’ or ‘ROLE_USER’, which translate directly into Spring Security roles!
Configuring URL authorization
Mapping URLs to roles is really easy. In your http element, simply put successive elements like this:
<intercept-url pattern="/admin/*.do" access="ROLE_ADMIN" /> <intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN" /> |
Note here that the ‘access’ attribute values directly correspond to the values returned by the second column of the authorities-by-username-query. The ‘.do’ mapping is what I arbitrarily chose for my application – you may have to adjust depending on what your application’s Spring-managed URLs look like.
Configuring and Branding Spring Security-managed Pages
Finally, I wanted to figure out where the pages related to Spring Security should be configured, so that I could modify them if I needed to. Somewhat oddly, Spring Security ships with a default login page whose HTML markup is located in a class file – DefaultLoginPageGeneratingFilter. We would (obviously) like to replace this with our own custom page. Since we are authenticating everything passing through the Spring servlet, we must use a JSP for this.
Add the following to the http tag in the security configuration file:
<form-login login-page="/login.jsp" /> |
Now you need to put the login.jsp page in your web application (generally in the WEB-INF directory). The basic structure of the page you’re creating will look like this:
<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %> <%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %> <%@ page import="org.springframework.security.AuthenticationException" %> ... <form action="j_spring_security_check"> <label for="j_username">Username</label> <input type="text" name="j_username" id="j_username" <c:if test="${not empty param.login_error}">value='<%= session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) %>'</c:if>/> <br/> <label for="j_password">Password</label> <input type="password" name="j_password" id="j_password"/> <br/> <input type='checkbox' name='_spring_security_remember_me'/> Remember me on this computer. <br/> <input type="submit" value="Login"/> </form> |
The names of the form elements and form action must match what is shown here otherwise your login form will not work!
Note also that this is a plain ol’ JSP page, and not under Spring control. It is likely that you could play with the servlet filter patterns in web.xml to bring these pages under Spring control, but that is a topic outside the scope of this brief tutorial.
There are a couple other pages you will want to configure.
Access Denied: This is the page the user will see if they are denied access to the site due to lack of authorization (i.e. tried to hit a page that they didn’t have access to hit, even though they were authenticated properly). This is configured as follows:
<http ... access-denied-page="/accessDenied.jsp"> ... </http> |
Default Target URL: This is where the user will be redirected upon successful login. This can (and probably should) be a page located under Spring control. Configured as follows:
<http ... > ... <form-login ... default-target-url="/home.do"/> ... </http> |
Logout URL: The page where the user is redirected upon a successful logout. This can be a page located under Spring control too (provided that it allows anonymous access):
<http ... > ... <logout logout-success-url="/home.do"/> ... </http> |
Login Failure URL: Where the user will be sent if there was an authentication failure. Typically this is back to the login form, with a URL parameter, such as:
<http ... > ... <form-login ... authentication-failure-url="/login.jsp?login_error=1"/> ... </http> |
Putting it Together
Here’s what my whole sample Spring security configuration looked like when I was done:
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"> <global-method-security secured-annotations="enabled"> <!-- AspectJ pointcut expression that locates our "post" method and applies security that way <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/> --> </global-method-security> <http auto-config="true" access-denied-page="/accessDenied.jsp"> <intercept-url pattern="/login.jsp*" filters="none"/> <intercept-url pattern="/admin/editUser.do" access="ROLE_ADMIN" /> <intercept-url pattern="/admin/searchUsers.do" access="ROLE_ADMIN" /> <intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN" /> <form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/home.do"/> <logout logout-success-url="/home.do"/> </http> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" authorities-by-username-query="select username,authority from users where username=?"/> </authentication-provider> </beans:beans> |
Wrap-Up
Ironically, just as I was drafting this article, a smart colleague of mine happened to come to me telling me about all the problems he was having getting started with Spring Security. He complained about the lack of detailed documentation on the XML, and the fact that the getting started documentation really wasn’t comprehensive (both complains that I had as well). Note that this colleague also happened to be responsible for implementing Acegi Security with Spring in a prior project that we worked on together – so he was intimately familiar with the underlying technology. He ended up going back to the Java-based configuration mechanism in frustration!
Hope this helps you out and I always appreciate hearing your comments and questions.
Related Articles
- Juggling Java has a very brief article on customizing Spring Security.
- Bart van Riel has a great tutorial on Acegi Security, which has some relevant bits around the database schema that you might find interesting.
July 8th, 2008 at 11:53 pm
[...] It’s Only Software » 5 Minute Guide to Spring Security [...]
July 10th, 2008 at 7:59 am
Awesome article, I am new to Spring Security and I have heard great things about it. I plan on using this as a useful reference for the future.
Thank you for the concrete example!
July 11th, 2008 at 11:18 am
Terrific, useful, concise. Where was this article a month ago when I REALLY needed it!
Thanks for the great article, Peter!
July 13th, 2008 at 2:44 am
Great article. My general configuration was fine, but I was having trouble with the specific details of the http XML configuration. This was a big help since the Spring documentation doesn’t say much and the distributed tutorials don’t really customize those specific attributes.
For you Struts 2 users out there (and to anyone else to whom this might apply), the above login.jsp snippet didn’t fully work because the session variable was accessed differently for me. Here’s what that became for me:
Thanks again for the help!
Cheers
July 14th, 2008 at 7:30 pm
Really nice tutorial, thanks for such a work!
It has been successfull for me!
Thanks!
July 14th, 2008 at 7:44 pm
Thanks for the feedback, everyone! Glad to see it helped some folks.
July 16th, 2008 at 7:31 pm
Way to go! This article helped me alot!!! That part is missing in the Spring documentation. THANKS!!!
July 17th, 2008 at 11:26 am
Its excellent article. If anyone wants to apply Single Session Control to logged in user do the following steps.
1) in web.xml add a listner.
2)In Spring security configuration
July 25th, 2008 at 11:00 am
[...] – bookmarked by 3 members originally found by p4style on July 14, 2008 5 Minute Guide to Spring Security http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/ – bookmarked by 4 [...]
September 12th, 2008 at 11:18 pm
What if you want the login page to be a tag definition instead of a direct jsp (e.g. instead of login.jsp, you want it to point to “login” which is a tag definition defined in your .tld file?).
September 12th, 2008 at 11:21 pm
I’m sorry, I meant tiles definition, not tag definition. And also not .tld file but tiles-definition.xml file (or whatever you decide to call your tiles definition file).
September 19th, 2008 at 1:16 pm
[...] 5 minute guide to Spring Security [...]
September 19th, 2008 at 1:29 pm
Good work. It helped me to put working Spring Security. I’m linking this article in Spring Security 2.0 and Spring 2.0.X. Please, let me know if you have some inconvenience with the linking.
Thanks.
September 19th, 2008 at 1:48 pm
@angelborroy, No inconvenience at all – I appreciate the link!
October 2nd, 2008 at 5:43 pm
very helpful!
one correction–if you’re using the schema outlined by the reference you pointed to, the authorities-by-username-query will be
select username,authority from authorities where username=?
not
select username,authority from users where username=?
thanks!
October 9th, 2008 at 8:21 pm
Thanks for posting this article! I spent a lot of time to get this working and also use a pure JSF native login page. It took a while to figure out, but it’s only 5 lines of Java in the end. And no security code. Just thought you might like to see.
My article here describes this:
[url]http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/[/url]
Let me know if this works for you, thanks.:)
November 11th, 2008 at 12:13 am
[...] a month or so after I posted my 5 Minute Guide to Spring Security 2, a commonly asked question was asked on the Spring forums. I figured I’d address it here, [...]
December 1st, 2008 at 10:40 pm
This is really a good and much more understandable guide on using spring security. I hope Spring hired you to do their manual. =) It’s so hard to understand their manual.
Thanks Peter!
Robert
December 23rd, 2008 at 1:38 pm
I can’t get this working. I’ve compared my web.xml and applicationContext.xml files with those presented here and they appear to be identical. However, when I try to view my homepage in a browser, I get this error:
java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:159)
Any idea what I’ve done wrong here?
December 23rd, 2008 at 5:10 pm
Never mind, I found the solution. I was not declaring a context listener in my web.xml. This needed to be added to web.xml:
org.springframework.web.context.ContextLoaderListener
December 27th, 2008 at 1:11 am
Good tutorial.
Here are a few questions that would probably help many of us out there…
1.) How can we change the names of the jsp/html form?
The names of the form elements and form action must match what is shown here otherwise your login form will not work!
2.) How can we add custom objects to the UserDetailService? For example, I’d like to add fullname in with principal and credentials.
January 20th, 2009 at 1:08 am
[...] disso você deveria, obrigatoriamente, partir para um framework especializado no assunto: como o Spring Security ou [...]
February 6th, 2009 at 12:49 pm
Very good article. Congratulations!!!
But I would check in an example where we could see the application of ACLs to discrete entities, in any of three versions of the specification and configuration availables: via xml IOC Spring, Jakarta Commons Atributtes and / or annotations Java5. Thanks
February 10th, 2009 at 5:49 am
Great post! helped me a lot with Acegi stuff. Added to my reader links. BTW, if you have some time, will be great if you can share with us Spring Security and Struts integration. Is it any different?
February 17th, 2009 at 6:39 am
Thatz a nice and easy advanced article on Acegi,got rid of most of the doubghts,
Thanx.
February 24th, 2009 at 11:14 am
Good explanation. I really need to try this out now. BTW do you know by any chance if Spring Security provides Inter-Site(or Inter-Domain) SSO facility ?
Regards,
Franklin.
March 13th, 2009 at 11:40 am
Great article! Right now I just can’t wait to apply Spring Security to my project! Could you give and advice about something? I have a jsp: menu.jsp with some links and I want it to load it in a dynamic way depending with User is logged in. Every user see diferent link but I don’t want to hardcore it into diferents menus.jsp. Any idea? I know I have to store the menu link,user role in the database but I was wondering if you already now and elegant solution.
Kind regards and thanks again for te tutorial
March 14th, 2009 at 2:59 pm
Hi I just tried Spring Security and it works fine! What I want to do is after the user autentification, put some data in the session. How can I do it? Have I got to create my own Authentification Provider? Any ideas, thx!
March 17th, 2009 at 12:55 am
Hi all,
in the authentication provider I want to retrive credentials from a customtable as: select loginname,authority from users where loginname=?
when executed, it always gives me: SELECT username,password,enabled FROM users WHERE username = ?
is this defaulted somewhere?? thanks
March 20th, 2009 at 3:10 am
@alan
same problem here. can somebody enlighten us please?? it always perform a query we dont know. i know it’s some what like a default, can someone tell us how to override it?? please please??
thanks
-marcKun
March 20th, 2009 at 3:45 am
i think iv got it now; i should read the discussion more thoroughly. hehehe
@alan: i dont know if this helps but try:
-marcKun
April 24th, 2009 at 10:10 pm
Nice tutorial.
To use a custom login screen, should:
be:
?
Notice the addition of: login-page=”/login.jsp”
May 22nd, 2009 at 12:08 am
I saw the code
<%= session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) %>in jsp page to retrieve values in session variable. I am developing an application using struts2, spring, spring security, hibernate. After user is logged in, I need to store some details about the user in a session variable so that I can retrieve the same in the jsp page. I am using spring security to authenticate the user.I would like to know how I can get hold of session variable in java class. Also how I can retrieve the same in jsp page.June 18th, 2009 at 10:47 am
Peter,
I wish there were more people like you who sit down and clear up all the crap in supposed-to-be-tutorials so that they can actually be error-free, straight-forward and understandable.
I appreciate the time you spent on writing this for frustrated developers like me to read and be happy!
Cheers,
Martin
August 7th, 2009 at 8:21 pm
Great article. This article was very helpful to jump start integrating Spring Security. The documentation wasn’t very clear on the usage of role ‘IS_AUTHENTICATED_ANONYMOUSLY’. Can you please shed some light on this topic?
August 19th, 2009 at 5:03 pm
Excellent article and it helped me a lot in understanding the spring security. Continue your good work.
September 29th, 2009 at 2:44 am
Just want to say Thank you!
September 29th, 2009 at 10:30 am
Great Article ! thanks Mr.Mularien
October 13th, 2009 at 4:18 am
Brilliant. Simple, straight forward. Wish there were more tutorials like this one (and that this came up higher on google). Cheers.
October 17th, 2009 at 12:39 pm
Thank you so much for this great post!
October 26th, 2009 at 4:51 pm
Hi, I have multiple wars and one of the war will handle login module implemented through spring security.Other wars(web modules) uses spring preauthentication to handle authorizations.I did this by putting SecurityContextholder instance in Servletcontext attribute with cookie as a key.Problem is user can time out from any web module which results in zombie Servletcontext entries.do have any solution for this. Thanks Girish
October 29th, 2009 at 6:20 am
Most of the link of the article are stale .. I could not reach..
November 21st, 2009 at 12:36 am
Excellent article. I am new to Spring and can deploy the application. I still have a question. Is there any feature in Spring such that the Servlet container will serve certain features alone to some user and everything to admin user and so on., Pls reply
Thanks,
P.RaviShankar
January 3rd, 2010 at 4:13 am
I am unable to implement this with spring2.5 frame work.
Has an body tried with spring 2.5
January 5th, 2010 at 6:32 am
@Purushotam
I just successfully integrated Spring Security(2.0.5) with Spring 2.5.6.SEC01. I use Spring MVC, but gonna implement hibernate useage later(if possible(which it most likely is)).
It takes a couple of hours ofcourse. Maybe more the less you know to begin with. I knew nothing of spring security before I successfully implemented it in my project today.
February 2nd, 2010 at 2:49 pm
Thank you for the detailed and practical tutorial!
March 21st, 2010 at 12:13 pm
My general configuration was fine, but I was having trouble with the specific details of the http XML configuration. This was a big help since the Spring documentation doesn’t say much and the distributed tutorials don’t really customize those specific attributes
March 25th, 2010 at 6:25 am
Great tutorial.
)
Really helpful – well done!:)
(especially part with logout err, good stuff
April 7th, 2010 at 11:23 pm
I’m having a little trouble with this security configuration (i’m a spring newb). I keep getting a Bad Credentials error. Can anyone help? My config is below.
<!– –>
<!– –>
<!– –>
April 8th, 2010 at 5:47 am
Guess my code didn’t post.oops
I guess my real question is; how do I use encryption correctly in this tutorial. I get the BadCredentials error because my password in my database is not encrypted and therefore does not match my user entered password encoded by Spring. How should I correctly implement either database encryption of the database pw or configure Spring to encode my database pw so it correctly compares the passwords?
I’d appreciate it if anyone can point me in the right direction.
June 2nd, 2010 at 2:51 am
I am unable to import the files provided in the jsp page
org.springframework.security.ui.webapp.AuthenticationProcessingFilter
Could you please let me know which jar file i am missing.
June 3rd, 2010 at 1:08 am
hi please i need to full source code. i don’t understand i hope you send me example.
June 4th, 2010 at 11:38 am
hi guys, i found this article very useful.. i really appreciate your effort. I sovled most of my issues related to spring security but i have few question todo.
Here i have an application which is in struts and i injected spring security into it with different roles. now i am intercepting few url’s and delegating it to the appropraite action. but i want to intercept all the url and forward the control to struts-config to forward it to the appropriate action or jsp. please help me.
thanks
Naseer
June 28th, 2010 at 4:04 am
I would like to do form validation before the login check, if everything goes fine the actual login have to perform. how can i go ahead? can anyone help me?
July 18th, 2010 at 9:34 pm
[...] Shared » 5 Minute Guide to Spring Security – It’s Only Software. [...]
July 22nd, 2010 at 1:52 am
Sample application is not working for me, Tomcat log shows following error
September 3rd, 2010 at 4:27 am
I have a same problem as Murali, if I wanna make the struts validate before the login perform, how to archieve? I try to use redirect after post way but the j_username & j_password cannot be send through post method. Did anyone have solution for this?
September 9th, 2010 at 5:11 am
I am new to the spring security .
I am trying to introduce spring security to my exiting web application. In the existing web application I am having authentication logic and once user authenticate I create HTTP Session and store user details .
Now if I use spring –security as security authentication done by the spring framework where can I create HTTP Session and store my data?
September 24th, 2010 at 1:22 am
hi
very nice explanation , thank you , if u provide output also its better
thank you
October 18th, 2010 at 3:55 am
Hi, I wanna set authentication-provider to jdbc-user-service but I wanna it to be set against Google App Engine DataStore. How to do it? any clue sir?
October 18th, 2010 at 8:07 am
Hi!
I used your guide to build my S. Security configuration, and it works very well, thank you!
However, I am experiencing a problem when I log out user1 and try to log in as user2: I get a viewExpired error after sucessful authentication. I am using JSF 1.2, Richfaces, Spring 2.5.4 and S. Security 2.0.4, all running in a JBOSS AS 4.2.3.
Would you have a clue for me? I believe I am having problem with session management, but I was unable to figure exactly what I have to do. I believe I will have to make a logout filter, but I still do not know what to put inside it.
Thank you!
2Ch
October 29th, 2010 at 4:43 am
Now i am able to authenticate user using database. Now I have few links which is to be restricted to other user except ROLE_ADMIN in jsp, How can i do this Can any one please answer this?
November 5th, 2010 at 10:23 pm
HI,
i wonder in your books is there any explanation if we want to you or over write UserDetailService ??? the above example use jdbcdaoimpl
January 19th, 2011 at 6:53 am
[...] http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/ [...]
January 20th, 2011 at 9:54 am
I wish I have read this before when I was still learning Spring Security. I should have been able to save a lot of time.
Thanks Peter!
March 11th, 2011 at 1:40 am
great work keep on update
March 14th, 2011 at 6:37 am
Great Tutorial…
Where can i find the source code for this?
March 15th, 2011 at 12:52 pm
Hi, I am having issues creating custom login jsp page. I have jsp page posting to Spring controller method. How can I make a login jsp page which will post to spring controller rather than j_spring_security_check as the action j_spring_security_check is needed for spring security?
March 16th, 2011 at 12:26 pm
can someone please help. i am really struggling with this
I am trying to create custom login page using spring security. But its not authenticating the user and i want it to post to my login controller method. How can I make it authenticate?
Please help thanks.
March 21st, 2011 at 8:08 am
anyways i figured out myself. j_spring_security can be filtered by AuthenticationProcessingFilter. Extend this filter class and in there you can do what you want.
March 22nd, 2011 at 4:26 am
Thanks a lot. I got great help in this article.
I have another issue, could you show me your comments?
I add a own login page named ‘login.jsp’. It works.
But when i want to use tag ‘ spring:message ‘ for i18n ,i found it doesn’t work, in same time, other pages works well.
So how can I resolve it?
March 22nd, 2011 at 4:27 am
Thanks a lot. I got great help in this article.
I have another issue, could you show me your comments?
I add a own login page named ‘login.jsp’. It works.
But when i want to use tag ‘spring:message’ for i18n in ‘login.jsp’ ,i found it doesn’t work, in same time, other pages works well.
So how can I resolve it?
March 22nd, 2011 at 5:11 am
@dew, are you sure you have declared the spring taglib at the top of your page? e.g.
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>March 22nd, 2011 at 8:19 pm
@pmularien, thanks for your quickly reply
yes, i’m sure. I also declared spring tag lib
”
following is the exception error msg when I use tag ” in ‘login.jsp’
javax.servlet.ServletException: javax.servlet.jsp.JspTagException: No message found under code ‘betHomeTitle’ for locale ‘zh_CN’.
ps: other jsp pages with tag work well.
March 22nd, 2011 at 8:20 pm
@pmularien, thanks for your quickly reply
yes, i’m sure. I also declared spring tag lib
‘%@ taglib uri=”http://www.springframework.org/tags” prefix=”spring”%’
following is the exception error msg when I use tag ‘spring:message code=”betHomeTitle”‘ in ‘login.jsp’
javax.servlet.ServletException: javax.servlet.jsp.JspTagException: No message found under code ‘betHomeTitle’ for locale ‘zh_CN’.
ps: other jsp pages with spring:message tag work well.
March 31st, 2011 at 2:56 am
[...] Peter Mularien, 5 Minute Guide to Spring Security <http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/> GA_googleAddAttr("AdOpt", "1"); GA_googleAddAttr("Origin", "other"); [...]
April 18th, 2011 at 4:04 am
[...] " 5 Minute Guide to Spring Security – It's Only Software (tags: spring java) [...]
May 10th, 2011 at 12:45 pm
Hello, I am trying to integrate Sprint Security and Struts2. I followed this tutorial but I get the following error:
2011-05-10 19:35:12.149::WARN: failed springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named ‘springSecurityFilterChain’ is defined
at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:360)
….
Does anyone know how to fix it? Thank you in advance.
June 22nd, 2011 at 10:08 am
Thanks, this way of doing tutorials is so great. One question though, what if I want to put a message that the password or user is empty? . I know, it sound crazy but believe me, people do that kind of stuff. I was thinking on using the authentication-failure-url and Javascript to see that if we had an error in the authentication, and a GET param is send (like ?error=1) , then look if the user leaved empty spaces in the login form, but maybe there is another way to send the real cause for the authentication to not be fullfiled. Like sending error=1 when the user leaves the user empty, 2 when the user leave the password empty, 3 when the password and/or user doesnt match, and so for. Is this possible?
September 27th, 2011 at 10:06 am
Where is the tag “(security:remember-me user-service-ref=”userDetailsService” key=”some_key”/)”
???????????
November 11th, 2011 at 9:42 am
hi,
please help me if there is 200 roles and role mapping are there is there any “too many connections” problem will race ,because we are using jdbctempalte datasource
please help me
December 9th, 2011 at 4:41 am
Thank you for this tutorial regarding how to configure Spring Security. I’ve found it beneficial while integrating Spring Security in one of my projects.
December 10th, 2011 at 9:24 pm
Glad I could help!
February 2nd, 2012 at 11:41 am
[...] all the users in an xml file. So, no need for the database here! I found this code example here. Of course, the passwords are not a big secret when you know that the encryption algorithm is MD5. [...]
February 7th, 2012 at 3:20 am
I’ve read a lot of tutorial during a few days and I just can tell you THANKS for this clear explanation
Really useful!
February 10th, 2012 at 4:12 pm
Where can i download this example?
March 1st, 2012 at 5:47 am
I Did not get a thing. It would be much better if explained what tag does what..? And flow goes from where to where. pls Explain
March 14th, 2012 at 7:44 am
hello
i am new in spring.i try your example but everytime i redirect to authemtication failure-url.Here is my spring-security.xml
<!–
–>
July 12th, 2012 at 1:47 am
» 5 Minute Guide to Spring Security – It’s Only Software…
Thank you for submitting this cool story – Trackback from JavaPins…
August 9th, 2012 at 5:45 am
[...] Security (guide) – looks complete, but every guide I find that combines it with Wicket still calls it Acegi [...]
November 1st, 2012 at 10:21 pm
great tutorial towards spring security keep update.
November 20th, 2012 at 4:45 am
Thanks for manual
February 11th, 2013 at 1:14 pm
Hello Peter, I am stucked with Spring Security and JPA. I don’t know how to reference dataSource because my database is described in persistence.xml.
How can I reference my database? It is some mechanism in order to reference dataSource in element?
Thanks and regards.