Basic configuration of Spring Security 3

In this post I write about a basic configuration of Spring Security 3, the Spring framework for authentication and authorization of users.
In this example there is only one user: when he tries to access index.html he is redirected to the standard login page for authentication.
In this project I also use and configure Maven and Log4j.

  1. create the project SpringSecurity
  2. create the file pom.xml

    In the section “properties” I set the versions of the dependencies; the comments name each dependency: the first part covers the Spring Framework, followed by Log4j for log management, Spring Security for authentication and authorization of the users, JSTL (the Java Standard Tag Library) for the “c” tags (for example <c:if>) and the Spring Security taglibs for the “sec” tags (for example <sec:authorize>).
    Alternatively you can copy the following .jar files into the directory WEB-INF/lib:

    • spring-core-3.1.1.RELEASE.jar
    • spring-asm-3.1.1.RELEASE.jar
    • commons-logging-1.1.1.jar
    • spring-expression-3.1.1.RELEASE.jar
    • spring-beans-3.1.1.RELEASE.jar
    • spring-aop-3.1.1.RELEASE.jar
    • aopalliance-1.0.jar
    • spring-context-3.1.1.RELEASE.jar
    • spring-context-support-3.1.1.RELEASE.jar
    • spring-tx-3.1.1.RELEASE.jar
    • spring-jdbc-3.1.1.RELEASE.jar
    • spring-orm-3.1.1.RELEASE.jar
    • spring-oxm-3.1.1.RELEASE.jar
    • commons-lang-2.5.jar
    • spring-web-3.1.1.RELEASE.jar
    • spring-webmvc-3.1.1.RELEASE.jar
    • spring-webmvc-portlet-3.1.1.RELEASE.jar
    • spring-test-3.1.1.RELEASE.jar
    • log4j-1.2.17.jar
    • spring-security-core-3.1.1.RELEASE.jar
    • spring-security-web-3.1.1.RELEASE.jar
    • spring-security-config-3.1.1.RELEASE.jar
    • jstl-1.2.jar
    • spring-security-taglibs-3.1.1.RELEASE.jar
    • spring-security-acl-3.1.1.RELEASE.jar
  3. create the file WEB-INF/web.xml

    You can see the reference to /WEB-INF/spring-security.xml and the sections “filter” and “filter-mapping” that register the Spring Security filter chain on every request.
  4. create the file WEB-INF/SpringSecurity-servlet.xml
  5. create the file WEB-INF/log4j.xml
  6. create the file WEB-INF/spring-security.xml

    The password is not stored in clear text: it is hashed with Spring Security's StandardPasswordEncoder (salted SHA-256), and I use the Scala REPL only as a convenient console to call the encoder.
    Here is the procedure to get the hashed password:

    • download spring-security-core-*.jar (for example spring-security-core-3.1.1.RELEASE.jar) from the latest release of Spring Security
    • install Scala
    • open a console and start the Scala REPL with the jar on its classpath by typing:

      where [your path] is the path to spring-security-core-3.1.1.RELEASE.jar
      (the output should be:
      Welcome to Scala version 2.9.1.r0-b20120114224707 (Java HotSpot(TM) 64-Bit Server VM, Java 1.7.0_05).
      Type in expressions to have them evaluated.
      Type :help for more information.
      )
    • type the expression that creates a StandardPasswordEncoder:

      Output:
      encoder: org.springframework.security.crypto.password.StandardPasswordEncoder = org.springframework.security.crypto.password.StandardPasswordEncoder@448d5117
    • type the expression that encodes the password “spring”:

      Output:
      res0: java.lang.String = 20331ba9c4935517ab16f0052097b0d79f40f0a54a1a025ec742a308e8564757e021797bf7185332
      the sequence of characters after “res0: java.lang.String =” is the hashed password to put in the file spring-security.xml; its first 16 hex characters are the random 8-byte salt, so the value is different every time you call encode, and any of the values is valid
  7. create the file WEB-INF/views/index.jsp

    I set the variables ${message} and ${username} in LoginController.java; the button is just a link to /j_spring_security_logout, the default logout URL of Spring Security 3, and allows the user to log out
  8. create the file WEB-INF/classes/eu/lucazanini/springsecurity/LoginController.java
  9. launch the application and log in with the username “user” and the password “spring”
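To make concrete what the Scala session in step 6 computes, and why the same password gives a different string on every call (the question raised in the replies below), here is an added example in Python. It is not code from the original post or from Spring Security; it re-implements the StandardPasswordEncoder format as I read it in the Spring Security 3.1 source: an 8-byte random salt, 1024 rounds of SHA-256 over salt + secret + UTF-8 password (the default encoder has an empty secret), and a hex output of the salt followed by the digest. The names encode, matches, salt_hex and POST_HASH are this example's own, and the constant-time comparison in matches is a choice of this example, not of the Spring 3.1 code. The block checks the 80-character hash printed above against the password “spring”, which is also how the running application verifies a login: re-hash the submitted password with the stored salt and compare, never decrypt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Format of StandardPasswordEncoder (Spring Security 3.1): hex(salt || digest), where
# digest = SHA-256 applied ITERATIONS times to (salt || secret || utf8(password)).
# The default encoder has an empty secret. These constants follow the Spring source
# (assumption: read from the 3.1 code); the Python names are this example's own.
SALT_LEN = 8        # default key length of KeyGenerators.secureRandom()
DIGEST_LEN = 32     # SHA-256 output length
ITERATIONS = 1024

# Hash printed in the post above for the password "spring" (copied from the post).
POST_HASH = "20331ba9c4935517ab16f0052097b0d79f40f0a54a1a025ec742a308e8564757e021797bf7185332"


def _digest(salt: bytes, password: str, secret: bytes) -> bytes:
    """Iterated SHA-256 over salt || secret || password, as Spring's Digester does."""
    value = salt + secret + password.encode("utf-8")
    for _ in range(ITERATIONS):
        value = hashlib.sha256(value).digest()
    return value


def encode(password: str, secret: bytes = b"", salt: Optional[bytes] = None) -> str:
    """Return the 80-hex-character string that goes into spring-security.xml.

    A fresh random salt is drawn on every call, so two calls with the same
    password give different strings; both are valid hashes of that password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return (salt + _digest(salt, password, secret)).hex()


def matches(password: str, encoded: str, secret: bytes = b"") -> bool:
    """Verify a clear-text password against a stored hash.

    The salt is recovered from the first SALT_LEN bytes of the stored value and
    the candidate password is re-hashed with it. Malformed stored values are
    rejected rather than raising, so a corrupt user record cannot crash a login.
    """
    try:
        raw = bytes.fromhex(encoded)
    except ValueError:
        return False
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return False
    salt, stored = raw[:SALT_LEN], raw[SALT_LEN:]
    # Spring 3.1 used Arrays.equals here; a constant-time compare is the safer choice.
    return hmac.compare_digest(stored, _digest(salt, password, secret))


def salt_hex(encoded: str) -> str:
    """The 16 hex characters of salt at the front of a stored value."""
    return encoded[: 2 * SALT_LEN]


if __name__ == "__main__":
    print("hash from the post accepts 'spring':", matches("spring", POST_HASH))
    h1, h2 = encode("spring"), encode("spring")
    print("two encodings of the same password differ:", h1 != h2)
    print("both verify:", matches("spring", h1) and matches("spring", h2))
    print("wrong password rejected:", not matches("Spring", h1))
```

Because the salt is part of the stored value, nothing has to be kept in sync between the Scala console and the running application: any output of encode for “spring” is accepted by matches, which is why the author could paste whichever value the REPL printed into spring-security.xml.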

References:
Spring Security

6 Replies to “Basic configuration of Spring Security 3”

  1. Thanks for the tutorial!

    May I ask why not use
    org.springframework.security.crypto.password.StandardPasswordEncoder encoder = new org.springframework.security.crypto.password.StandardPasswordEncoder();
    encoder.encode("spring");

    directly in Java, but instead install Scala to call the above?

    1. I need the encrypted password to put in the XML file.
      This is the only reason I use Scala, but you can use a standalone Java program if you want.

      1. I do see that the output from Scala + StandardPasswordEncoder is different from the Java StandardPasswordEncoder; I am confused, since when the web application runs it just needs StandardPasswordEncoder to encode the user-submitted password.

        1. The encode method returns a different output every time even if you use the same password.
          See this
          A standard PasswordEncoder implementation that uses SHA-256 hashing with 1024 iterations and a random 8-byte random salt value

  2. Nice for starting; I was trying to find a simple example to understand the basic configuration. Thanks a lot!!
    Can you provide, if possible, an example with a CAS server...
    Thanks
