5

I am learning Spring and trying to implement Spring Security. I am not able to understand how it works. I read tutorials from which I understood the following:

  1. we have to configure web.xml for delegating proxy and pattern
  2. we need to add intercepts to dispatcher-servlet.xml

When a request is made it triggers the intercepts, but after that I am unable to understand how it works. It would be helpful if somebody could provide a list of steps to be followed. I am using Hibernate and Spring (both with annotations), and I want to authenticate users using Hibernate.

kryger
asked Mar 18, 2014 at 15:41
  • Check this java2practice.com/2013/07/22/… Commented Mar 18, 2014 at 16:06
  • Welcome @igniter, keep checking my blog. Thanks..!! Commented Mar 19, 2014 at 15:42
  • The methods used at line 33 and 34 (getUserRoles and getRoleName) in userDetailsServiceImpl are not present anywhere. How are you calling those methods? Commented Mar 19, 2014 at 16:05
  • You can find getUserRoles in User.java and getRoleName in Role.java Commented Mar 19, 2014 at 17:01
  • I have created POJOs with the POJO creation wizard for the user, user_role and role tables, but there is no getUserRole method in User.java as you have in your code. Commented Mar 19, 2014 at 17:14

4 Answers

11

A detailed article can be found here: Code Project
Or a tutorial with MVC and Spring Security here.

I tried to illustrate the process a little bit (diagram omitted):

  1. The user sends an HTTP request to the server
  2. The server processes the request according to the web.xml
  3. The web.xml contains a filter (AKA interceptor) and passes the request through this filter.
  4. Because the user is unknown/not authenticated, Spring Security does its best to get more details.
    Depending on the config, it
    • sends an HTTP header, so that a login popup pops up in the browser (client side).
    • redirects to a form where you can enter username and password.
    • does a lot of hidden interaction between server and browser to guarantee a "Single-Sign-On" (SSO)
  5. Except for SSO, the user enters her/his/its credentials and creates an additional request.
  6. Spring Security realizes the login attempt and authenticates the user against a
    • file with user and passwords
    • a built-in XML structure in a spring config file
    • a database
    • an LDAP
  7. When the access is granted, it assigns the necessary roles...
  8. ...and redirects to a hard-coded "home page". (Spring Security lets you adjust this behaviour.)
  9. In your application you can check the authorization for certain actions
  10. .....
  11. The user clicks on "logout" or the session expires. With the next request the process starts again.

Annotations

I found a tutorial here (Link).

I understood/assume the following facts:

  • The filters still must be defined in the web.xml.
  • You can annotate your classes/methods with
    • @Controller (API)
    • @Secured (API)
    • @RequestMapping (API)

I admit that I only gave you a rough overview, because your question is not that specific.

Please let me know what you want to learn in detail (re-recognize users, authenticate against different resources, do a SSO, create a secured area on your webpage,...)

answered Mar 18, 2014 at 16:11

4 Comments

Thanks for the explanation @Markus. I will try some code, then I will ask if needed.
Hey @Markus, can you please tell me how can we do this with annotations?
@igniter: I extended my post with a section about annotations. Let me know if I should add more details.
Your explanation is really very good @Markus. Thank you very much. I would like to learn the other things you mentioned at the end.
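The steps above (filter registered in place of the web.xml entry, redirect to a login form, authentication against a database, role assignment, per-URL and per-method authorization, logout) put into working annotation-based configuration. This is an added example written for this answer, not code from the question or from the Spring project. It uses the Spring Security 3.2 to 5.x Java config API (WebSecurityConfigurerAdapter); the entity classes AppUser and Role, their getters getRoles(), getName(), getPasswordHash() and isEnabled(), and the URLs /login, /home and /admin/** are assumptions. It also assumes the rest of the application (component scanning, the Hibernate SessionFactory bean, transaction management) is configured elsewhere. The classes are shown as one listing; in a project each goes in its own file.

```java
import java.util.ArrayList;
import java.util.List;
import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.RequestMapping;

// Step 1: register the springSecurityFilterChain with the servlet container.
// This replaces the DelegatingFilterProxy <filter> entry in web.xml.
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}

// Step 2: which URLs need which roles, where the login form is, how logout works.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // enables @Secured on methods
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // the Hibernate-backed service below

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Passwords are stored as bcrypt hashes; the encoder verifies the submitted password.
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/resources/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN") // needs authority ROLE_ADMIN
                .anyRequest().authenticated()              // everything else needs a login
                .and()
            .formLogin()
                .loginPage("/login")        // unauthenticated requests are redirected here
                .defaultSuccessUrl("/home") // the "home page" after a successful login
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout"); // session is invalidated on logout
    }
}

// Step 3: load the user and roles through Hibernate. Spring Security calls this once per
// login attempt, checks the hash, then stores the result in the SecurityContext (session).
@Service
@Transactional(readOnly = true)
public class HibernateUserDetailsService implements UserDetailsService {

    @Autowired
    private SessionFactory sessionFactory;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // AppUser and Role are assumed entities mapped to the user, user_role and role tables.
        AppUser user = (AppUser) sessionFactory.getCurrentSession()
                .createQuery("from AppUser u where u.username = :username")
                .setParameter("username", username) // bound parameter, not string concatenation
                .uniqueResult();
        if (user == null) {
            throw new UsernameNotFoundException("No user named " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Role role : user.getRoles()) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
        }
        return new User(user.getUsername(), user.getPasswordHash(),
                user.isEnabled(), true, true, true, authorities);
    }
}

// Step 4: a method-level check that still holds if a URL rule is later loosened.
@Controller
public class AdminController {
    @Secured("ROLE_ADMIN")
    @RequestMapping("/admin/users")
    public String listUsers() {
        return "admin/users"; // view name
    }
}
```

Two points worth checking in your own setup: the password column must hold bcrypt hashes (the encoder compares the submitted password against the stored hash and never decrypts anything), and CSRF protection is on by default in this configuration, so the login and logout forms must include the _csrf token or the POST is rejected with 403.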
0

Spring uses a dispatcher servlet for delegating the request. Spring Security filters the request and checks if a valid security context is established. If so, the request is passed to the dispatcher and it passes the request forward to the corresponding controller. If no security context is established, Spring Security intercepts the request, which means it could manipulate the request before the dispatcher servlet could process it. During this interception the request dispatcher (Servlet Specification) will be assigned to forward the request to a login page.

answered Mar 18, 2014 at 16:18

Comments

0

I think you don't have to bother with XML anymore. Now you can use Spring Boot + annotation-based configuration. One of the best tutorials I found is this one: A good spring security tutorial

answered Aug 7, 2015 at 20:03

Comments

0
answered Mar 3, 2016 at 14:35

Comments
