Spring Security Authorized Access Using Custom Login Form


 

Spring Security Authorized Access Using Custom Login Form

In this section, you will learn about authorized access using custom login form in Spring Security.

In this section, you will learn about authorized access using custom login form in Spring Security.

Spring Security Authorized Access Using Custom Login Form

In this section, you will learn about  authorized access using custom login form in Spring Security.

Sometimes you need to secure your page from unauthorized access. Authorized access is the secure access of page through a permitted username and password. For example, the admin section page can only have permission for admin only.

EXAMPLE

In the below example, we will ensure secure and authorized URL access by providing  customized Login form using Spring Security. User needs to provide correct login credential to view the page. For accessing admin section, you need to provide admin login and password. While for user section, both admin and user login are permitted.

For Spring Security authorized access using auto generated login form. Click Here.

The tools and technologies used in the below example is given below :

  • jdk1.6.0_18

  • apache-tomcat-6.0.29

  • Eclipse 3.5.1

  • Spring 3.0.5.RELEASE

  • Spring Security 3.0.5.RELEASE

You can implement user authentication using customized login(in spring-security.xml ) as follows :

<http auto-config="true">
	<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
	<intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
	<form-login login-page="/login" authentication-failure-url="/failLogin" />
	<logout logout-success-url="/logoff" />
</http>

It means the user with authority as ROLE_ADMIN can have access to URL /admin . Also, the URL /index is open for both type of users having authority ROLE_USER or ROLE_ADMIN .

The project structure and jar file used is given below :

CODE

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>SpringSecurityAuthorizedAccessCustomLogin</display-name>
<servlet>
<servlet-name>Dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/Dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

<http auto-config="true">
<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
<intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
<form-login login-page="/login" default-target-url="/index" authentication-failure-url="/failLogin" />
<logout logout-success-url="/logoff" />
</http>

<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="roseindia" authorities="ROLE_USER"/>
<user name="admin" password="deepak" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>

</beans:beans>

Dispatcher-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context 
http://www.springframework.org/schema/context/spring-context-3.0.xsd">

<context:component-scan base-package="net.roseindia" />

<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/views/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>

<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>LoginMsg</value>
</list>
</property>
</bean>

</beans>

LoginController.java

package net.roseindia;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String welcomeAdmin(ModelMap model, Principal principal) {
String username = principal.getName();
model.addAttribute("user", username);
model.addAttribute("msg", "Spring Security - ADMIN PAGE");
return "welcome";

}
@RequestMapping(value = "/index", method = RequestMethod.GET)
public String printMessage(ModelMap model, Principal principal) {

String username = principal.getName();
model.addAttribute("user", username);
model.addAttribute("msg", "Spring Security Custom Login Form");
return "welcome";

}

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(ModelMap model) {

return "login";

}

@RequestMapping(value = "/failLogin", method = RequestMethod.GET)
public String failedLogin(ModelMap model) {

model.addAttribute("error", "true");
return "login";

}

@RequestMapping(value = "/logoff", method = RequestMethod.GET)
public String logoff(ModelMap model) {

return "login";

}
}

LoginMsg.properties

AbstractUserDetailsAuthenticationProvider.badCredentials=Wrong username\ /\ password

login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<style>
.errorblock {
color: #ff0000;
background-color: #ffEEEE;
border: 3px solid #ff0000;
padding: 8px;
margin: 16px;
}
</style>
</head>
<body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password (Custom Page)</h3>

<c:if test="${not empty error}">
<div class="errorblock">
Login error : Please try again.<br />Root Cause:
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>

<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>

<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" />
</td>
</tr>
<tr>
<td colspan='2'><input name="reset" type="reset" />
</td>
</tr>
</table>

</form>
</body>
</html>

welcome.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h3>${msg}</h3> 
<h3>Username : ${user}</h3> 

<a href="<c:url value="/j_spring_security_logout" />" > Logoff</a>

</body>
</html>

OUTPUT

When you try to access the below URL :

http://localhost:9090/SpringSecurityAuthorizedAccessCustomLogin/admin

You will get the following page(admin login) :

If you provide correct login(username: admin , password: deepak), you will get the following page :

If you try to login with a user login credential (username: user, password : roseindia), you will get the following error page :

Download Source Code

Ads