Labels

.NET Job Questions About Java Absract class Abstract class Abstract Class and Interface Aggregation ajax aop apache ofbiz Apache ofbiz tutrial Association authentication autocad basics batch Binary Tree bootstrap loader in java build Builder design pattern C++ Job Questions caching CallableStatement in java certifications Chain of responsibility Design pattern charts check parentheses in a string Classes classloader in java classloading concept code quality collage level java program Composition concurrency Concurrency Tutorial Converting InputStream to String Core Java core java concept core java interview questions Core Java Interview Questions Core Java Questions core java tutorial CyclicBarrier in Java data structures database Database Job Questions datetime in c# DB Db2 SQL Replication deserialization in java Design Patterns designpatterns Downloads dtd Eclipse ejb example/sample code exception handling in core java file handling injava File I/O vs Memory-Mapped Filter first program in spring flex Garbage Collection Generics concept in java grails groovy and grails Guice Heap hibernate Hibernate Interview Questions how-to IBM DB2 IBM DB2 Tutorial ide immutable Interceptor Interface interview Interview Questions for Advanced JAVA investment bank j2ee java JAVA Code Examples Java 7 java changes java class loading JAVA Classes and Objects Java Classloader concept Java classloading concept java cloning concept java collection Java collection interview questions Java Collections java concurrency Java CountDownLatch java definiton Java design pattern Java EE 5 Java EE 6 Java Exceptions Java file Java Garbage Collection Java generics Java Glossary java hot concept java immutable concept Java Interface Java interview Question java interview question 2012 java interview question answer Java Interview Questions Java Interview Questions and Answers java interview topic java investment bank Java Job Questions java multithreading java multithreading concept java new features Java Packages java proxy object java questions Java Serialization Java serialization concept java serialization interview question java session concept java string Java Swings Questions java synchronization java threading Java Threads Questions java tutorial java util; java collections; java questions java volatile java volatile interview question Java Wrapper Classes java.java1.5 java.lang.ClassCastException JavaNotes javascript JAX-WS jdbc JDBC JDBC Database connection jdk 1.5 features JDK 1.5 new features Concurrent HashMap JMS interview question JMS tutorial job JSESSIONID concept JSESSIONID interview Question JSF jsp JSP Interview Question JSP taglib JSTL with JSP Junit Junit Concept Junit interview question.Best Practices to write JUnit test cases in Java JVM Linux - Unix tutorial Marker Interfaces MD5 encryption and decryption messaging MNC software java interview question musix NCR java interview question Networking Job Questions news Object Serialization Objects ojdbc14.jar OOP Oracle Oracle SQL Query for two timestamp difference orm own JavaScript function call in Apache ofbiz Packages Palm Apps patterns pdf persistence Portal Portlet Spring Integration Prime number test in java programs Rails Reboot remote computers REST Ruby Sample application schema SCJP security Senior java developer interviews servlet3 servlets session tracking singleton design pattern Spring Spring 2.5 Framework spring ebook Spring framework concept spring MVC spring pdf Spring Security Spring Security interview questions SQL SQL performance SQL Query to create xml file Sql Query tuning ssis and ssrs StAX and XML string concept string immutable string in java strings struts Struts2 Struts2 integration synchronization works in java Technical Interview testing tips Tomcat top Tutorial Volatile in deep Volatile working concept web Web Developer Job Questions web services weblogic Weblogic Application Server websphere what is JSESSIONID xml XML parsing in java XML with Java xslt


Sunday, 28 July 2013

Spring Security with Acegi Security

Acegi Security provides a comprehensive security solution for J2EE-based enterprise software applications, built using the Spring Framework. Acegi provides authentication service through the use of a web filter, an AuthenticationProvider and an AuthenticationEntryPoint. Authorization in Acegi can be done at different levels: authorizing web requests, authorizing which methods can be invoked, and authorizing access to individual domain object instances. In this example I will describe how to implement form-based authentication and URL level authorization using Acegi.
For this example, I use two secure JSPs, the secure/authenticatedusers.jsp file is available to all the authenticated users, and secure/admin/admin.jsp is only available to the users with ADMIN role. The login.jsp is used for login and denied.jsp is used to redirect unauthorized users. Follow these steps to run the example:
  1. Download Acegi and Spring.
  2. Start with a dynamic web project in eclipse.
  3. Copy the following Jar files into the WEB-INF/lib directory.
    acegi-security-1.0.3.jarMain classes of the Acegi security system.
    commons-codec-1.3.jarEncoders and decoders such as Base64, Hex, Phonetic and URLs.
    ehcache-1.2.3.jarUsed by the authentication provider.
    jstl.jar, standard.jarThe JSTL tag library
    spring.jarSpring framework
    commons-logging.jar, cglib-nodep-2.1_3.jarAvailable in the spring download (spring with dependencies)
  4. Create the Login page: The following is a listing for the login page.
    <jsp:root version="1.2" xmlns:jsp="http://java.sun.com/JSP/Page"
    xmlns:c="urn:jsptld:http://java.sun.com/jsp/jstl/core">
    <jsp:directive.page contentType="text/html; charset=UTF-8" />
    <jsp:directive.page
      import="org.acegisecurity.ui.AbstractProcessingFilter, org.acegisecurity.ui.webapp.AuthenticationProcessingFilter, org.acegisecurity.AuthenticationException" />
    <head>
    <title>Login</title>
    </head>
    <body>
    <form action="j_acegi_security_check" method="POST">
      <table>
        <tr>
          <td>User:</td>
            </td><input type='text' name='j_username' />
          </td>
        </tr>
        <tr>
          <td>Password:</td>
          <td><input type='password' name='j_password' /></td>
        </tr>
        <tr>
          <td><input type="checkbox" name="_acegi_security_remember_me" /></td>
          <td>Remember me (14 days)</td>
        </tr>
        <tr><td colspan='2'><input name="submit" type="submit" /></td></tr>
        <tr><td colspan='2'><input name="reset" type="reset" /></td></tr>
      </table>
    </form>
    </body>
    </jsp:root>
    login.jsp

    Notes:
    • The login form uses j_acegi_security_check instead of j_security_check normally used for form-based authentication. Similarly for logout, we use j_acegi_logout action.
    • In order to remember a user for a period of time, use the _acegi_security_remember_me attribute. This is configured in the applicatonContext.xml file(see below).
  5. Create the other JSP files: The listings for the JSP pages used for this example are shown below, along with their respective directories.
    <html>
    <body>
    Everyone
    <p><a href="secure/authenticatedusers.jsp">Authenticated users only</a>
    <p><a href="secure/admin/admin.jsp">Admins only</a>
    </body>
    </html>
    index.jsp
    Access Denied.
    denied.jsp
    <%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
    <h1>Welcome: <%= SecurityContextHolder.getContext().getAuthentication().getName() %></h1>
    <p><a href="../">Home</a>
    <p><a href="../j_acegi_logout">Logout</a>
    secure/authenticatedusers.jsp
    <%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
    <h1>Welcome: <%= SecurityContextHolder.getContext().getAuthentication().getName() %> is an Admin</h1>
    <p><a href="../../">Home</a>
    <p><a href="../../j_acegi_logout">Logout</a>
    </body>
    </html>
    secure/admin/admin.jsp
  6. The users.properties file: This example uses an in memory user registry and the WEB-INF/users.properties file is used to store the usernames and passwords.
    scott=tiger,ROLE_USER
    harry=potter,ROLE_ADMIN
    frodo=baggins,ROLE_USER
    WEB-INF/users.properties
  7. Configure the Acegi filter in the Web deployment descriptor: The web.xml file is shown below
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4"
     xmlns="http://java.sun.com/xml/ns/j2ee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
     <display-name>SpringSecurity</display-name>

       <filter>
           <filter-name>Acegi Filter Chain Proxy</filter-name>
           <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
           <init-param>
               <param-name>targetClass</param-name>
               <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
           </init-param>
       </filter>

      <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

     <listener>
      <listener-class>
       org.springframework.web.context.ContextLoaderListener
      </listener-class>
     </listener>

     <welcome-file-list>
      <welcome-file>index.html</welcome-file>
      <welcome-file>index.htm</welcome-file>
      <welcome-file>index.jsp</welcome-file>
      <welcome-file>default.html</welcome-file>
      <welcome-file>default.htm</welcome-file>
      <welcome-file>default.jsp</welcome-file>
     </welcome-file-list>
    </web-app>
    web.xml
  8. Configure Acegi in applicationContext.xml file: The following is a listing of the WEB-INF/applicationContext.xml file, followed be explanations of the different beans defined in there.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

    <beans>

    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
        </value>
      </property>
    </bean>

    <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

    <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
      <constructor-arg value="/index.jsp"/>
      <constructor-arg>
        <list>
          <ref bean="rememberMeServices"/>
          <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
        </list>
      </constructor-arg>
    </bean>

    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="authenticationFailureUrl" value="/login.jsp?errorId=1"/>
      <property name="defaultTargetUrl" value="/"/>
      <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
      <property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

    <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>

    <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

    <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <property name="key" value="changeThis"/>
      <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
    </bean>

    <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
      <property name="authenticationEntryPoint">
        <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          <property name="loginFormUrl" value="/login.jsp"/>
          <property name="forceHttps" value="false"/>
        </bean>
      </property>
      <property name="accessDeniedHandler">
        <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
          <property name="errorPage" value="/denied.jsp"/>
        </bean>
      </property>
    </bean>

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager">
        <bean class="org.acegisecurity.vote.AffirmativeBased">
          <property name="allowIfAllAbstainDecisions" value="false"/>
          <property name="decisionVoters">
            <list>
              <bean class="org.acegisecurity.vote.RoleVoter"/>
              <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
            </list>
          </property>
        </bean>
      </property>
      <property name="objectDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /secure/admin/**=ROLE_ADMIN
          /secure/**=IS_AUTHENTICATED_REMEMBERED
          /**=IS_AUTHENTICATED_ANONYMOUSLY
        </value>
      </property>
    </bean>

    <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="tokenValiditySeconds" value="1800"></property>
      <property name="key" value="changeThis"/>
    </bean>

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref local="daoAuthenticationProvider"/>
          <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
            <property name="key" value="changeThis"/>
          </bean>
          <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
            <property name="key" value="changeThis"/>
          </bean>
        </list>
      </property>
    </bean>

    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="userCache">
        <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
          <property name="cache">
            <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
              <property name="cacheManager">
                <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
              </property>
              <property name="cacheName" value="userCache"/>
            </bean>
          </property>
        </bean>
      </property>
    </bean>

    <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
      <property name="userProperties">
        <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
          <property name="location" value="/WEB-INF/users.properties"/>
        </bean>
      </property>
    </bean>

    <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

    </beans>
    WEB-INF/applicationContext.xml
    1. FilterChainProxy: Delegates Filter requests to a list of Spring-managed beans.
    2. HttpSessionContextIntegrationFilter: Populates the SecurityContextHolder with information obtained from the HttpSession.
    3. LogoutFilter: Logs a principal out.
    4. AuthenticationProcessingFilter: Processes an authentication form.
    5. SecurityContextHolderAwareRequestFilter: A Filter which populates the ServletRequest with a new request wrapper.
    6. RememberMeProcessingFilter: Detects if there is no Authentication object in the SecurityContext, and populates it with a remember-me authentication token if a RememberMeServices implementation so requests.
    7. AnonymousProcessingFilter: Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
    8. AnonymousProcessingFilter: Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
    9. ExceptionTranslationFilter: Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
    10. AuthenticationProcessingFilterEntryPoint: Used by the SecurityEnforcementFilter to commence authentication via the AuthenticationProcessingFilter. This object holds the location of the login form, relative to the web app context path, and is used to commence a redirect to that form.
    11. AccessDeniedHandlerImpl: Used by ExceptionTranslationFilter to handle an AccessDeniedException.
    12. FilterSecurityInterceptor: Performs security handling of HTTP resources via a filter implementation.
    13. TokenBasedRememberMeServices: Identifies previously remembered users by a Base-64 encoded cookie.
    14. DaoAuthenticationProvider: An AuthenticationProvider implementation that retrieves user details from an UserDetailsService.
    15. InMemoryDaoImpl: Retrieves user details from an in-memory list created by the bean context.
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

LinkWithin

Related Posts Plugin for WordPress, Blogger...