Spring Security 3.x Cookbook

Spring Security 3.x Cookbook

By : Anjana Mankale

Buy this Book

Spring Security 3.x Cookbook

By: Anjana Mankale

Buy this Book

Overview of this book

Web applications are exposed to a variety of threats and vulnerabilities at the authentication, authorization, service, and domain object levels. Spring Security can help secure these applications against those threats. Spring Security is a popular application security solution for Java applications. It is widely used to secure standalone web applications, portlets, and increasingly REST applications. It is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications and it is currently used to secure numerous demanding environments including government agencies, military applications, and central banks. "Spring Security 3.x Cookbook" is a repository of recipes to help you successfully secure web applications against threats and vulnerabilities at the authentication and session level layers using the Spring Security framework. We will not only explore Spring-based web applications, but also Java-based and Grails-based applications that can use Spring Security as their security framework. Apart from conventional web applications, we will also look at securing portlets, RESTful web service applications, and other non-web applications. This book will also take you through how to integrate Spring Security with other popular web frameworks/technologies such as Vaadin, EJB, and GWT. In addition to testing and debugging the implemented security measures, this book will also delve into finer aspects of Spring Security implementation such as how it deals with concurrency, multitenancy, and customization, and we will even show you how to disable it. This book gives you an overview of Spring Security and its implementation with various frameworks. It starts with container-based authentication before taking you on a tour of the main features of Spring Security. It demonstrates security concepts like BASIC, FORM, and DIGEST authentication and shows you how to integrate the Spring Security framework with various frameworks like JSF, struts2, Vaadin, and more. The book also demonstrates how to utilize container managed security without JAAS. Then, we move on to setting up a struts2 application before showing you how to integrate Spring Security with other frameworks like JSF, Groovy, Wicket, GWT, and Vaadin respectively. This book will serve as a highly practical guide and will give you confidence when it comes to applying security to your applications. It's packed with simple examples which show off each concept of Spring Security and which help you learn how it can be integrated with various frameworks.

Spring Security 3.x Cookbook

Credits

About the Author

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

Basic Security

Introduction

JAAS-based security authentication on JSPs

JAAS-based security authentication on servlet

Container-based basic authentication on servlet

Form-based authentication on servlet

Form-based authentication with open LDAP and servlet

Hashing/Digest authentication on servlet

Basic authentication for JAX-WS and JAX-RS

Enabling and disabling the file listing

Spring Security with Struts 2

Introduction

Integrating Struts 2 with Spring Security

Struts 2 application with basic Spring Security

Using Struts 2 with digest/hashing-based Spring Security

Using Spring Security logout with Struts 2

Authenticating databases with Struts 2 and Spring Security

Getting the logged-in user info in Struts 2 with Spring Security

Displaying custom error messages in Struts 2 for authentication failure

Authenticating with ApacheDS with Spring Security and Struts 2 application

Spring Security with JSF

Introduction

Integrating JSF with Spring Security

JSF with form-based Spring Security

JSF and form-based authentication using Spring Security to display logged-in user

Using JSF with digest/hashing-based Spring Security

Logging out with JSF using Spring Security

Authenticating database with Spring Security and JSF

ApacheDS authentication with JSF and Spring Security

Authentication error message with JSF and Spring Security

Spring Security with Grails

Introduction

Spring Security authentication with Groovy Grails setup

Spring Security with Grails to secure Grails controller

Spring Security authentication with Groovy Grails logout scenario

Spring Security with Groovy Grails Basic authentication

Spring Security with Groovy Grails Digest authentication

Spring Security with Groovy Grails multiple authentication

Spring Security with Groovy Grails LDAP authentication

Spring Security with GWT

Introduction

Spring Security with GWT authentication using Spring Security Beans

Form-based authentication with GWT and Spring Security

Basic authentication with GWT and Spring Security

Digest authentication with GWT and Spring Security

Database authentication with GWT and Spring Security

LDAP authentication with GWT and Spring Security

Spring Security with Vaadin

Introduction

Spring Security with Vaadin – basic authentication

Spring Security with Vaadin – Spring form-based authentication

Spring Security with Vaadin – customized JSP form-based authentication

Spring Security with Vaadin – using Vaadin form

Spring Security with Wicket

Introduction

Spring Security with Wicket – basic database authentication

Spring Security with Wicket – Spring form-based database authentication

Spring Security with Wicket – customized JSP form-based database authentication

Spring authentication with Wicket authorization

Multitenancy using Wicket and Spring Security

Spring Security with ORM and NoSQL DB

Introduction

Spring Security with Hibernate using @preAuthorize annotation

Spring Security with Hibernate using authentication provider with @preAuthorize annotation

Spring Security with Hibernate using UserDetailsService with Derby database

Spring Security with MongoDB

Spring Security with Spring Social

Introduction

Spring Security with Spring Social to access Facebook

Spring Security with Spring Social to access Twitter

Spring Security with multiple authentication providers

Spring Security with OAuth

Spring Security with Spring Web Services

Introduction

Applying Spring Security on RESTful web services

Spring Security for Spring RESTful web service using the cURL tool

Integrating Spring Security with Apache CXF RESTful web service

Integrating Spring Security with Apache CXF SOAP based web service

Integrating Spring Security with Apache Camel

Form-based authentication on servlet

In the previous sections, we demonstrated the basic authentication on servlets and JSPs. Now let's use form-based authentication on servlets.

Getting ready

Let's apply form-based authentication on servlet. You will need a simple web application with a servlet, a web container to handle the authentication, and the web.xml file that tells the container what to authenticate.

How to do it...

Let's see some simple steps for implementing form-based authentication on servlets:

Create a JSP file named Containerform.jsp:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<form method="POST" action="j_security_check">
Username:<input type="text" name="j_username">
password:<input type="password" name="j_password">
<input type=submit>
</form>
</body>
</html>

What do you observe in the previous code?

action=j_security_check is the default URL, which is recognized by the web container. It tells the container that it has the user credentials to be authenticated.

Now, edit the web.xml file:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Containerform.jsp</form-login-page>
    <form-error-page>/logoff.jsp</form-error-page>
  </form-login-config>
</login-config>

Build the project and export the .war files to JBoss.

How it works...

The previous example demonstrated the Form-based authentication. The J2EE container reads the web.xml file, the <auth-method> tag has the form attribute set. Then it further looks for the login.jsp file, which needs to be displayed to do form-based authentication. The <form-error-page> and <form-login-page> has the login file name and the error page that needs to be displayed on authentication failure. When the user tries to access the secured resource, the J2EE container redirects the request to the login page. The user credentials are submitted to j_security_check action. This action is identified by the container and does the authentication and authorization; on success the user is redirected to the secured resource and on failure the error page shows up.

The following are the screenshots of the workflow which shows the login page for the user and displays the user information on successful authentication:

Spring Security 3.x Cookbook

By : Anjana Mankale

Spring Security 3.x Cookbook

By: Anjana Mankale

Overview of this book

Related Content you might be interested in

Current Title:

Spring Security 3.x Cookbook

Form-based authentication on servlet

Getting ready

How to do it...

How it works...

See also