Method Security
Spring security also provide the feature of method security i.e. it provides the support for applying access rules to Java method executions. To allow method security, we have to enable method security. Normally, we do it on top level or module level configuration for our app. For a secure method, caller have to go through with the security check first. If caller satisfy the check, method will execute otherwise caller will get AccessDeniedException.
@Service public class TestService { @Secured("ROLE_USER") public String secureMethod() { return "Hello Method Security"; } } |
Spring method security example
Directory Structure
pom.xml file
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>w3schools</groupId> <artifactId>SpringSecurity05</artifactId> <packaging>war</packaging> <version>0.0.1-SNAPSHOT</version> <name>SpringSecurityld Maven Webapp</name> <url>http://maven.apache.org</url> <properties> <spring.version>5.0.2.RELEASE</spring.version> <spring.security.version>5.0.0.RELEASE</spring.security.version> <jstl.version>1.2</jstl.version> </properties> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>3.8.1</version> <scope>test</scope> </dependency> <!-- Spring dependencies --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>${spring.version}</version> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.security.version}</version> </dependency> <!-- jstl for jsp page --> <dependency> <groupId>jstl</groupId> <artifactId>jstl</artifactId> <version>${jstl.version}</version> </dependency> <!-- Servlet API --> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> <scope>provided</scope> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <version>3.7.0</version> <configuration> <source>1.8</source> <target>1.8</target> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-war-plugin</artifactId> <version>2.6</version> <configuration> <failOnMissingWebXml>false</failOnMissingWebXml> </configuration> </plugin> </plugins> </build> </project> |
AppConfig.java
package com.w3schools.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.view.InternalResourceViewResolver; import org.springframework.web.servlet.view.JstlView; @EnableWebMvc @Configuration @ComponentScan({ "com.w3schools.controller.*" }) public class AppConfig { @Bean public InternalResourceViewResolver viewResolver() { InternalResourceViewResolver viewResolver = new InternalResourceViewResolver(); viewResolver.setViewClass(JstlView.class); viewResolver.setPrefix("/WEB-INF/views/"); viewResolver.setSuffix(".jsp"); return viewResolver; } } |
SecurityConfig.java
Spring security configuration file. It will contains the security configurations. It creates a springSecurityFilterChain which is a servlet filter.
package com.w3schools.config; import org.springframework.context.annotation.*; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.*; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @EnableWebSecurity @ComponentScan("com.w3schools") public class SecurityConfig extends WebSecurityConfigurerAdapter { @Bean public UserDetailsService userDetailsService() { InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); manager.createUser(User.withDefaultPasswordEncoder() .username("jai").password("123456").roles("ADMIN").build()); return manager; } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests(). antMatchers("/index","/").permitAll() .antMatchers("/admin").authenticated() .and() .formLogin() .loginPage("/login") .and() .rememberMe() .key("rem-me-key") .rememberMeParameter("remember") //Name of checkbox at login page .rememberMeCookieName("rememberlogin") //Cookie name .tokenValiditySeconds(300) //Remember login credentials for number of seconds .and() .logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); } } |
SpringSecurityInitializer.java
Now we have to create a class which extends AbstractSecurityWebApplicationInitializer, it will load the springSecurityFilterChain automatically.
package com.w3schools.config.core; import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer{ } |
SpringMvcInitializer.java
It is initializer class which will load everything.
package com.w3schools.config.core; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer; import com.w3schools.config.SecurityConfig; public class SpringMvcInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { @Override protected Class<?>[] getRootConfigClasses() { return new Class[] { SecurityConfig.class }; } @Override protected Class<?>[] getServletConfigClasses() { // TODO Auto-generated method stub return null; } @Override protected String[] getServletMappings() { return new String[] { "/" }; } } |
LoginController.java
package com.w3schools.controller; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.servlet.ModelAndView; @SuppressWarnings("unused") @Controller public class LoginController { @RequestMapping(value="/", method=RequestMethod.GET) public String index() { return "index"; } @RequestMapping(value="/login", method=RequestMethod.GET) public String login() { return "login"; } @RequestMapping(value="/admin", method=RequestMethod.GET) public String admin() { return "admin"; } //User with ADMIN role can access this method. @RequestMapping(value="/delete", method=RequestMethod.GET) @ResponseBody @PreAuthorize("hasRole('ROLE_ADMIN')") public String delete() { return "Record Deleted."; } } |
index.jsp file
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <%@page session="true"%> <html> <body> <h2>Spring MVC + Spring Security</h2> <a href="admin">Login here</a> </body> </html> |
login.jsp file
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <c:url value="/login" var="loginUrl"/> <form action="${loginUrl}" method="post"> <c:if test="${param.error != null}"> <p> Invalid username and password. </p> </c:if> <c:if test="${param.logout != null}"> <p> You have been logged out. </p> </c:if> <p> <label for="username">Username</label> <input type="text" id="username" name="username"/> </p> <p> <label for="password">Password</label> <input type="password" id="password" name="password"/> </p> <p> <label for="remember"> Remember me</label> <input type="checkbox" name="remember" /> </p> <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> <button type="submit" class="btn">Login</button> </form> |
admin.jsp file
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <%@page session="true"%> <html> <body> <h2>Spring MVC + Spring Security</h2> <h3>Admin login successfully.</h3> <a href="delete"">Delete Record</a> <a href="logout">Logout</a> </body> </html> |
Run the application on server.
We add spring security on admin page, so when we hit http://localhost:8080/SpringSecurity05/. Browser will open index page.
Click on Login here link. Custom login page will open. Enter credentials, check the Remember me check box and click on login
Successfully login
Click on Delete Record link
Note : User with ADMIN role only can delete the record because we implement method level security.