My new shiny web application is fantastically useful, but only to a certain group of people (i.e. my team), and should only be accessible by them.
So, before being able to put it into real production, I needed a security framework around it.
A legacy JAAS component of ours exists, but given my application was making use of the Spring framework, I compared Spring's offering to the JAAS infrastructure.
Popular opinion seems to be that JAAS was built for J2SE, not J2EE, and is designed for things at a much 'lower level' than web applications, such as client-side applets rather than server-side applications.
First things first: Maven dependencies.
spring-webmvc 2.5.6, so I'd like to get security working with the application as it stands now - the latest pre-3.0 release of spring-security
The web context requires two things:
- Context location
(we'll create the security context in the next step)
- Filter definition
The url-pattern will mean all requests pass through the filter (which will have more explicit criteria).
Now we get to the real meat of the security layer!
Here we can see the configuration for http requests. The 'auto-config' sets the defaults (refer to the doco in the references), which are overridden by the contents of the tag. We'll let in one user for now with the role 'ROLE_USER', defined in the
http-basic just puts the preference on using the basic HTTP prompt, but removing that line would use Spring's default login page (with user/pass and 'remember me' checkbox).
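The two pieces of configuration described above, written out as an added example from the Spring Security 2.0.x namespace documentation cited in the references (these are not the author's own files): the web.xml wiring, and a security context with one in-memory user. The context file name, user name and password are placeholders.

```xml
<!-- web.xml: the two things the web context needs -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/applicationContext.xml
    /WEB-INF/applicationContext-security.xml <!-- placeholder name -->
  </param-value>
</context-param>

<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- The bean named springSecurityFilterChain is created by the <http> element
     below; DelegatingFilterProxy hands every request (/*) to it. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext-security.xml: the Spring Security 2.0.x namespace config -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- auto-config="true" supplies the defaults; the children override them.
       Every URL requires ROLE_USER, and <http-basic/> makes the browser's
       basic-auth prompt the entry point instead of the default login page. -->
  <http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <http-basic />
  </http>

  <!-- One in-memory user for now. Without a <password-encoder> element the
       password is stored and compared in plain text. -->
  <authentication-provider>
    <user-service>
      <user name="teammember" password="CHANGE_ME" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</beans:beans>
```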
And it's done! Deploying the application and loading the page demands a login before progressing.
Future improvements might involve setting up a styled login page, hooking up an LDAP connection (but with restrictions). Oh, and Selenium tests..!
- Spring Source, Spring Security Reference Documentation http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.htm
- Peter Mularien, 5 Minute Guide to Spring Security http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/