My new shiny web application is fantastically useful, but only to a certain group of people (i.e. my team), and should only be accessible by them.
So, before being able to put it into real production, I needed a security framework around it.
A legacy JAAS component of ours exists, but given my application was making use of the Spring framework, I compared Spring's offering to the JAAS infrastructure.
Popular opinion seems to be that JAAS was build for J2SE, not J2EE, and is designed for things at a much 'lower level' than web applications, such as client-side applets rather than server-side applications.
Maven
First things first: Maven dependencies.
I'm using spring-webmvc 2.5.6, so I'd like to get security working with the
application as it stands now - the latest pre-3.0 release of spring-security
is 2.0.6-RELEASE:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
<version>2.5.6</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.6.RELEASE</version>
</dependency>Web Context
The web context requires two things:
- Context location
<context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/applicationContext.xml /WEB-INF/applicationContext-security.xml </param-value> </context-param>(we'll create the security context in the next step)
- Filter definition
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>The url-pattern will mean all requests pass through the filter (which will have more explicit criteria).
Security Context
Now we get to the real meat of the security layer!
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>
<authentication-provider>
<password-encoder hash="md5"/>
<user-service>
<user name="user"
password="aabbccddeeff001122334455667788ff"
authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</beans:beans>Here we can see the configuration for http requests. The 'auto-config' sets
the defaults (refer to the doco in the references), which are overridden by
the contents of the tag. We'll let in one user for now with the role
'ROLE_USER', defined in the authentication-provider section.
Including http-basic just puts the preference on using the basic HTTP
prompt, but removing that line would use Spring's default login page (with
user/pass and 'remember me' checkbox).
And its done! Deploying the application and loading the page demands a login before progressing.
Next
Future improvements might involve setting up a styled login page, hooking up an LDAP connection (but with restrictions). Oh, and Selenium tests..!
References
- Spring Source, Spring Security Reference Documentation http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.htm
- Peter Mularien, 5 Minute Guide to Spring Security http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/