
Spring Security, Replacing Acegi

Astute readers of my last Acegi article will note that Acegi has been assimilated into the Spring project, and is now called Spring Security. This next example is how I was able to get Spring Security running on my webapp.

I decided early on that I did not want to mess up the other developers on the project any more than I needed to, so I added a securityContext.xml file rather than integrate (what used to be) the reams and reams of configuration required for Acegi. Here is the latest version of my Spring Security configuration. It is really simple, but meets the basic needs of the project at this point in development:


<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Enable @Secured annotations on bean methods -->
    <global-method-security secured-annotations="enabled" />

    <http auto-config="true" access-denied-page="/jsp/accessDenied.jsp">
        <!-- Access rules are evaluated in order; the first matching pattern wins -->
        <intercept-url pattern="/admin/*.do" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/consultant/*.do" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!-- The login page bypasses the security filters entirely -->
        <intercept-url pattern="/jsp/login.jsp*" filters="none"/>

        <form-login login-page="/jsp/login.jsp" authentication-failure-url="/jsp/login.jsp?login_error=1"/>

        <logout logout-success-url="/jsp/logout.jsp"/>

    </http>

    <!-- In-memory users with plain-text passwords -->
    <authentication-provider>
        <user-service>
            <user name="joe" password="password" authorities="ROLE_SUPERVISOR, ROLE_USER" />
            <user name="steve" password="DOC" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

</beans:beans>

Not bad looking at all, especially compared with the old way. But note, this makes use of XML namespaces, and we’re not done yet.
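To check which rule actually decides a given request, this added example (not part of the original post or of Spring Security) replays the three access rules from the `<http>` element above through Spring's own `AntPathMatcher`, first match wins. The class name `InterceptUrlAudit`, the sample paths and the lower-casing step (taken here as the Spring Security 2.0 default for Ant patterns) are assumptions, and spring-core must be on the classpath.

```java
import java.util.Locale;
import org.springframework.util.AntPathMatcher;

/** Added example: reports which intercept-url rule decides a request path. */
public class InterceptUrlAudit {

    // The access rules from securityContext.xml, in declaration order.
    static final String[][] RULES = {
        {"/admin/*.do",      "ROLE_SUPERVISOR"},
        {"/consultant/*.do", "IS_AUTHENTICATED_REMEMBERED"},
        {"/**",              "IS_AUTHENTICATED_ANONYMOUSLY"},
    };

    static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns {pattern, access} of the first rule that matches, or null if none does. */
    static String[] decide(String path) {
        // Assumption: paths are lower-cased before matching (lowercase-comparisons default).
        String normalized = path.toLowerCase(Locale.ENGLISH);
        for (String[] rule : RULES) {
            // In an Ant pattern, '*' stays inside one path segment; only '**' crosses '/'.
            if (MATCHER.match(rule[0], normalized)) {
                return rule;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample paths; replace with the URLs your webapp really serves.
        String[] samples = {
            "/admin/users.do",
            "/admin/reports/export.do",   // nested one level below /admin/
            "/admin/index.jsp",           // under /admin/ but not a .do action
            "/consultant/profile.do",
            "/Admin/Users.do",
        };
        for (String path : samples) {
            String[] rule = decide(path);
            String verdict = (rule == null)
                    ? "no rule matched"
                    : rule[1] + "  (rule " + rule[0] + ")";
            System.out.println(path + " -> " + verdict);
        }
    }
}
```

Any path under `/admin/` that prints `IS_AUTHENTICATED_ANONYMOUSLY` is being decided by the catch-all rule; widening the first pattern to `/admin/**` closes that gap.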

I’m using a beanRefContext.xml that’s referring to both my applicationContext and my securityContext file:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

	<bean id="org.reverttoconsole.app.context"
		class="org.springframework.context.support.ClassPathXmlApplicationContext">
		<constructor-arg>
			<list>
				<value>resources/org/reverttoconsole/app/applicationContext.xml</value>
				<value>resources/org/reverttoconsole/app/securityContext_2.0.xml</value>
			</list>
		</constructor-arg>
	</bean>

</beans>

This wires my two contexts up, in order. The applicationContext has no bearing on the security, except that it loads the security namespace, which the securityContext.xml uses:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd
                           http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- application bean definitions go here -->

</beans>

Lastly, the relevant additions to the web.xml file:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

And that’s it!

Note: Recommended reading:
Spring Security Documentation
