Hello Spring 3 Security with Netbeans – Role Based Method Protection

This tutorial will outline in simple steps how to do the following:

  1. Create Spring 3 Web MVC project using Netbeans
  2. Introduce Spring Security measures
  3. Limit @Controller method invocation to certain user roles using annotations
  4. Roles and users are defined within XML configurations.
  5. The full source code is available for download here

(This project does not use Maven. Details of required jar files are below.)

Spring Project Setup using Netbeans

Create a new Web project using Netbeans.

Resist the temptation to add the Spring Framework when asked to include frameworks. (The NetBeans plugin that does this, as of NetBeans 7.1.1, is suited to Spring 2.5 and is therefore somewhat misleading for Spring 3. For more on this please see this tutorial.)

Create a folder called jsp within the WEB-INF folder.

Move the default index.jsp file into this new ‘jsp’ folder (by dragging and dropping)

Add the following jar files to your project by right clicking ‘Libraries’ directory and choosing ‘Add Jar/Folder’

Add the application context file. To do this, create a new XML file called applicationContext.xml in the WEB-INF folder. The name must match the contextConfigLocation value in web.xml exactly; the lookup is case-sensitive on Linux servers, so ApplicationContext.xml and applicationContext.xml are different files there. The contents of this file are as follows:

 

Add the Spring dispatcher servlet configuration. To do this, create a file called dispatcher-servlet.xml in the WEB-INF folder. The contents of this file are as follows:

 

Create the web.xml file. The contents of this file are as follows:

Note that the <context-param> <param-value> points to /WEB-INF/applicationContext.xml. We will modify this file later to include the security configurations.

Note that the <welcome-file> value of ‘/’ will be matched by a method-level @RequestMapping within the @Controller.

Lastly, we need to introduce an @Controller.

Create a normal Java class called DefaultController in the package com.outbottle.springsecurityexample.controllers

 

 

Now run this application to ensure everything is working so far.


 

Introducing Method invocation Security

Firstly, we need to create a configuration xml file which will introduce the security features to our application.

Create a new file in the WEB-INF folder called spring-security.xml:

The different configurations within spring-security.xml are explained in the comments.

Note that the <security:form-login /> and <security:logout /> tags can take attributes specifying custom login and logout pages, success and failure URLs and so on. Leaving them empty as shown results, in Spring Security 3.x, in a default login form being generated at /spring_security_login and a default logout URL of /j_spring_security_logout. (The generated login page is fine for a tutorial, but it is the first thing to replace in a real application, since it also advertises which framework you are running.)

Excluding CSS and JS paths from the security filter

In web.xml, reference the spring-security.xml file just created as so:

Add this filter to web.xml:

The url-pattern /* means that this filter is applied to all URLs. The filter-name must be exactly springSecurityFilterChain, because that is the bean name the security namespace registers and the DelegatingFilterProxy looks up.

The security file defines two things. 1) There are two roles, namely ROLE_USER and ROLE_ADMIN. 2) There is an access denied page at /accessdenied, which is shown when an access denied event occurs (an authenticated user invoking a method whose role they do not hold). However, as noted below, this does require a corresponding controller method.
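The following is an added example of the three XML pieces described above, written for Spring Security 3.1 and not taken from the tutorial's downloadable source. It assumes the user names and passwords used later in the test steps (john/admin, jane/user), that static resources live under /css and /js, and that the access denied view is served from /accessdenied. Two points are easy to get wrong and are called out in the comments: static resources are excluded with a separate <security:http pattern="..." security="none"/> element rather than the pre-3.1 filters="none" attribute, and <security:global-method-security> has to be declared in dispatcher-servlet.xml, the context that creates the @Controller beans, or the annotations are silently ignored.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File 1 of 3: /WEB-INF/spring-security.xml (added example; names and paths are assumptions) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- CSS and JS bypass the security filter chain entirely: no session lookup, no redirects.
         Keep these patterns narrow; anything matched here is served with no security context at all. -->
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/js/**"  security="none"/>

    <security:http auto-config="true" use-expressions="true">
        <!-- URL-level rule: every page is reachable, the role check is done on the controller method.
             Anonymous callers who hit a @PreAuthorize method are sent to the login page;
             authenticated callers lacking the role are forwarded to the access denied page. -->
        <security:intercept-url pattern="/**" access="permitAll"/>
        <!-- Empty elements give the generated login form at /spring_security_login
             and logout at /j_spring_security_logout (Spring Security 3.x defaults). -->
        <security:form-login/>
        <security:logout/>
        <!-- The handler forwards (not redirects) to this path, so a controller method must map it. -->
        <security:access-denied-handler error-page="/accessdenied"/>
    </security:http>

    <!-- In-memory users and roles, matching the test steps. Plain-text passwords are acceptable only
         in a tutorial; a real application uses a password-encoder backed by BCryptPasswordEncoder. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="john" password="admin" authorities="ROLE_ADMIN,ROLE_USER"/>
                <security:user name="jane" password="user"  authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

<!-- File 2 of 3: fragment to add inside the <beans> root of /WEB-INF/dispatcher-servlet.xml.
     Method security proxies only beans created in the context where it is declared. Controllers are
     created by the DispatcherServlet's context, so declaring this in applicationContext.xml leaves every
     @PreAuthorize on a @Controller unenforced. proxy-target-class is needed because controllers do not
     implement an interface; that is why cglib is on the classpath. -->
<security:global-method-security pre-post-annotations="enabled"
                                 secured-annotations="enabled"
                                 proxy-target-class="true"/>

<!-- File 3 of 3: fragments for /WEB-INF/web.xml -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml /WEB-INF/spring-security.xml</param-value>
</context-param>

<!-- The filter name must be exactly springSecurityFilterChain; DelegatingFilterProxy looks up a bean of that name. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

A quick check that method security is actually active: log in as jane and request /admin. If the admin view renders instead of the access denied page, <security:global-method-security> is in the wrong context or the controller is not being proxied. Remember too that method security only protects methods that carry an annotation; an unannotated controller method is open to anyone permitted by the intercept-url rules, so a stricter URL rule (for example access="hasRole('ROLE_ADMIN')" on /admin/**) is a worthwhile second layer.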

Towards that end, it’s necessary to create the accessdenied.jsp page in /WEB-INF/jsp/

A corresponding controller method is required for this. (Note that this method is like any normal @Controller method in that ModelMap, HttpServletRequest and many more can be passed in with parameter annotations etc.)

 

Now, let’s create a controller method which only users with ROLE_ADMIN can access.
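The following is an added example of the whole controller, including the access denied method and an admin-only method, and is not the tutorial's downloadable source. It assumes an InternalResourceViewResolver that maps the view names "index", "admin" and "accessdenied" to JSPs under /WEB-INF/jsp/, and that pre-post-annotations="enabled" is declared in the dispatcher servlet context. In Spring Security 3.x the hasRole() expression compares the full authority string, so the ROLE_ prefix must be written out; the automatic prefixing came later in 4.0.

```java
package com.outbottle.springsecurityexample.controllers;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.http.HttpServletRequest;

// Added example controller; view names and model attribute names are assumptions.
@Controller
public class DefaultController {

    // Matches the welcome file. Reachable by everyone because /** is permitAll in spring-security.xml.
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String index(ModelMap model) {
        model.addAttribute("username", currentUserName());
        return "index";
    }

    // Only callers holding ROLE_ADMIN reach the method body. The proxy created by
    // global-method-security evaluates the expression before the method runs:
    //   anonymous caller              -> AuthenticationException -> redirect to the login page
    //   authenticated, no ROLE_ADMIN  -> AccessDeniedException   -> forward to /accessdenied
    // An equivalent, less flexible form is @Secured({"ROLE_ADMIN"}).
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String adminPage(ModelMap model) {
        model.addAttribute("username", currentUserName());
        return "admin";
    }

    // Target of <security:access-denied-handler error-page="/accessdenied"/>. The handler forwards
    // internally, so the original request URI is still available for logging the attempt.
    @RequestMapping(value = "/accessdenied")
    public String accessDenied(ModelMap model, HttpServletRequest request) {
        model.addAttribute("username", currentUserName());
        model.addAttribute("attemptedUri", request.getRequestURI());
        return "accessdenied";
    }

    // Reads the authenticated principal for the current thread. Before login the anonymous filter
    // supplies an AnonymousAuthenticationToken whose name is "anonymousUser".
    private String currentUserName() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "anonymous" : auth.getName();
    }
}
```

Two caveats on where the annotation is effective. The check is applied by a proxy around the bean, so a call from one method of this class to adminPage() made directly (this.adminPage()) never passes through the proxy and is not checked; only calls arriving through Spring, such as the dispatcher invoking the handler, are. And with class-based proxying the method must be public and non-final, otherwise cglib cannot override it and the annotation is ignored.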

To test we need to add some links to the index page so as follows:

The <sec:authorize> tags in this case are self explanatory: their bodies are rendered only when the given role or expression holds for the current user. Hiding a link this way is a usability measure, not a security control; the /admin URL is still protected only by the annotation on the controller method.

Note the addition of <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>, which needs spring-security-taglibs on the classpath.

The login and logout links are probably not so self explanatory, so here is the explanation:

Because, in our spring-security.xml file, we declared empty <security:form-login /> and <security:logout /> tags, these links are the defaults, /spring_security_login and /j_spring_security_logout. They are not served by any @Controller in this application: they are intercepted and handled by Spring Security's own servlet filters (the login page generating filter, the username/password authentication filter and the logout filter) before the request ever reaches the DispatcherServlet.

So, test the application as follows:

  1. Click the ‘Admin Page’ link while logged out. Note that you’re required to login first.
  2. Log in as jane/user first and observe that you are directed to the access denied page via the controller.
  3. Logout.
  4. Click the ‘Admin Page’ link again, this time logging in as john/admin. Note that this time you are automatically brought to the initially requested page; access is granted.

The official Spring Security documentation is here:

As ever, I’m always open to comments and questions.

Thanks

Appendix A – Source Code

Appendix B – Jar files

(The -sources.jar entries below are for IDE navigation only and are not needed at runtime. These are 2012-era Spring 3.1.1 and Spring Security 3.1.0 releases, long out of support; for anything beyond this tutorial use current releases and check the Spring security advisories.)

General
aopalliance-1.0.jar
asm-3.3.1.jar
cglib-2.2.jar (Note that cglib-2.2.2.jar was not compatible in this instance)
commons-logging-1.1.1.jar
jstl-1.2.jar

Spring and Spring Web MVC standard
org.springframework.aop-3.1.1.RELEASE.jar
org.springframework.asm-3.1.1.RELEASE.jar
org.springframework.aspects-3.1.1.RELEASE.jar
org.springframework.beans-3.1.1.RELEASE.jar
org.springframework.context-3.1.1.RELEASE.jar
org.springframework.context.support-3.1.1.RELEASE.jar
org.springframework.core-3.1.1.RELEASE.jar
org.springframework.expression-3.1.1.RELEASE.jar
org.springframework.instrument-3.1.1.RELEASE.jar
org.springframework.instrument.tomcat-3.1.1.RELEASE.jar
org.springframework.jdbc-3.1.1.RELEASE.jar
org.springframework.jms-3.1.1.RELEASE.jar
org.springframework.orm-3.1.1.RELEASE.jar
org.springframework.oxm-3.1.1.RELEASE.jar
org.springframework.test-3.1.1.RELEASE.jar
org.springframework.transaction-3.1.1.RELEASE.jar
org.springframework.web-3.1.1.RELEASE.jar
org.springframework.web.portlet-3.1.1.RELEASE.jar
org.springframework.web.servlet-3.1.1.RELEASE.jar
org.springframework.web.struts-3.1.1.RELEASE.jar

Spring Security Standard
spring-security-acl-3.1.0.RELEASE-sources.jar
spring-security-acl-3.1.0.RELEASE.jar
spring-security-aspects-3.1.0.RELEASE-sources.jar
spring-security-aspects-3.1.0.RELEASE.jar
spring-security-cas-3.1.0.RELEASE-sources.jar
spring-security-cas-3.1.0.RELEASE.jar
spring-security-config-3.1.0.RELEASE-sources.jar
spring-security-config-3.1.0.RELEASE.jar
spring-security-core-3.1.0.RELEASE-sources.jar
spring-security-core-3.1.0.RELEASE.jar
spring-security-crypto-3.1.0.RELEASE-sources.jar
spring-security-crypto-3.1.0.RELEASE.jar
spring-security-ldap-3.1.0.RELEASE-sources.jar
spring-security-ldap-3.1.0.RELEASE.jar
spring-security-openid-3.1.0.RELEASE-sources.jar
spring-security-openid-3.1.0.RELEASE.jar
spring-security-remoting-3.1.0.RELEASE-sources.jar
spring-security-remoting-3.1.0.RELEASE.jar
spring-security-taglibs-3.1.0.RELEASE-sources.jar
spring-security-taglibs-3.1.0.RELEASE.jar
spring-security-web-3.1.0.RELEASE-sources.jar
spring-security-web-3.1.0.RELEASE.jar

