/WEB-INF/web.xml
Subject: /WEB-INF/web.xml
Author: WebSpider
In response to: Spring Security -- Configuration
Posted on: 11/23/2017 02:56:46 AM
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/spring/*.xml</param-value>
</context-param>

<!-- LISTENERS -->
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- FILTERS -->
<!-- Creates the Spring Security filters shared by all Servlets and Filters -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- SERVLETS -->
<servlet>
  <servlet-name>myServlet</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/myServlet/dispatch-servlet.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>myServlet</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>
With the above XML, the Spring Framework will set up a filter handled by DelegatingFilterProxy, which delegates the job to the bean named springSecurityFilterChain. springSecurityFilterChain is a built-in default name, implemented by the <security:http> element and injected by spring-security.xml. spring-security.xml is loaded via ContextLoaderListener when the ServletContext is initialized.
>
> On 11/23/2017 02:48:14 AM WebSpider wrote:
/WEB-INF/spring/spring-security.xml
Example #1: Role based + In-Memory authentication
<!-- AUTHORIZATION -->
<!-- Static resources bypass the security filter chain entirely -->
<http pattern="/img/**" security="none" />
<!-- use-expressions="false" keeps plain role names valid in access="". Spring Security 4 defaults it to true,
     where these entries would have to be written as hasRole('ROLE_ADMIN') / hasRole('ROLE_USER') -->
<http auto-config="true" use-expressions="false">
  <!-- /admin/** rather than /admin/*: a single * stops at the next slash, so /admin/users/list would match no rule
       and, with no catch-all entry, would be let through without authentication -->
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/app/**/*" access="ROLE_USER" />
</http>
<!-- AUTHENTICATION (in memory) -->
<!-- Demo only: plaintext credentials in the configuration. Spring Security 5 additionally expects an encoder id
     prefix on each password, e.g. {noop}john_pass or a {bcrypt} hash -->
<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="john" password="john_pass" authorities="ROLE_USER" />
      <user name="lisa" password="lisa_pass" authorities="ROLE_USER, ROLE_ADMIN" />
    </user-service>
  </authentication-provider>
</authentication-manager>
Example #2: Expression-Based Access Control + LDAP authentication
<!-- AUTHORIZATION -->
<!-- /img/* covers a single directory level; use /img/** if nested resource folders should be excluded too -->
<http pattern="/img/*" security="none" />
<http auto-config="true" use-expressions="true">
  <!-- Never reached: /img/* requests were already removed from the chain by security="none" above -->
  <intercept-url pattern="/img/*" access="permitAll" />
  <!-- Most specific rule first: the first pattern that matches the request wins -->
  <intercept-url pattern="/app/**/*" access="isAuthenticated()" />
  <!-- Catch-all: anything not listed above is public (default-allow) -->
  <intercept-url pattern="/**/*" access="permitAll" />
</http>
<!-- AUTHENTICATION (LDAP) -->
<authentication-manager>
  <authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</authentication-manager>
<!-- Constructor arguments are (domain, url); ldaps:// on 636 keeps the bind credentials off the wire in clear -->
<beans:bean id="ldapActiveDirectoryAuthProvider"
  class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
  <beans:constructor-arg value="abc.xyz.com" />
  <beans:constructor-arg value="ldaps://ad.abc.xyz.com:636" />
</beans:bean>
The most common built-in expressions:
- hasRole([role])
- hasAnyRole([role1,role2])
- hasAuthority([authority])
- hasAnyAuthority([authority1,authority2])
- principal -- allows direct access to the Principal object
- authentication -- allows direct access to the Authentication object
- permitAll
- denyAll
- isAnonymous()
- isRememberMe() -- returns true if the current principal is a remember-me user
- isAuthenticated() -- !isAnonymous()
- isFullyAuthenticated() -- !(isAnonymous()||isRememberMe())
- hasPermission(Object target, Object permission) -- hasPermission(domainObject, 'read')
- hasPermission(Object targetId, String targetType, Object permission) -- hasPermission(1, 'com.example.Message', 'read')
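A way to check what these intercept-url tables actually cover, as an added example that is not part of the original post: a small Python audit that models how Spring Security applies the rules (a path matched by an <http security="none"> element skips the chain; otherwise the first <intercept-url> whose Ant pattern matches wins; a path no rule matches carries no constraint and is let through). The rule tables are transcribed from the two spring-security.xml examples above, the sample request paths are constructed, FIXED_1 is an assumed variant of example 1 that widens /admin/* to /admin/**, and the Ant matcher covers only the segment-level *, ? and ** semantics of Spring's AntPathMatcher (its trailing-slash special cases are not reproduced).

```python
"""Audit Spring Security <intercept-url> tables (added example, not from the post).

Runtime behaviour being modelled:
  * a path matched by <http pattern=... security="none"/> never enters the chain;
  * otherwise <intercept-url> rules are tried in declaration order, first match wins;
  * a path no rule matches has no access attribute and FilterSecurityInterceptor
    lets it through (rejectPublicInvocations is false by default).
"""
import re


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern to an anchored regex.

    Segment-level subset of Spring's AntPathMatcher: '**' spans zero or more whole
    segments, '*' any run of characters inside one segment, '?' one character.
    Assumption: request paths are normalised (no trailing slash), so the real
    matcher's trailing-slash corner cases are not reproduced.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):                       # zero or more middle segments
            out.append("/(?:.*/)?")
            i += 4
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):  # the dir itself or anything below
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


# Transcribed from the two spring-security.xml examples in the post.
EXAMPLE_1 = {
    "none": ["/img/**"],
    "rules": [("/admin/*", "ROLE_ADMIN"), ("/app/**/*", "ROLE_USER")],
}
EXAMPLE_2 = {
    "none": ["/img/*"],
    "rules": [("/img/*", "permitAll"),
              ("/app/**/*", "isAuthenticated()"),
              ("/**/*", "permitAll")],
}
# Assumed corrected variant of example 1: '**' also covers nested admin paths.
FIXED_1 = {"none": ["/img/**"],
           "rules": [("/admin/**", "ROLE_ADMIN"), ("/app/**/*", "ROLE_USER")]}

# Constructed sample request paths, including the nested admin URL that
# tells /admin/* and /admin/** apart.
SAMPLE_PATHS = ["/admin/users", "/admin/users/list", "/app/report",
                "/img/logo.png", "/login"]


def decide(config, path):
    """Return ("none", None) for a chain bypass, (pattern, access) for the first
    matching rule, or ("unmatched", None) when nothing constrains the path."""
    for pat in config["none"]:
        if ant_to_regex(pat).match(path):
            return ("none", None)
    for pat, access in config["rules"]:
        if ant_to_regex(pat).match(path):
            return (pat, access)
    return ("unmatched", None)


def unprotected_paths(config, paths):
    """Sample paths that end up with no authentication requirement at all."""
    return [p for p in paths if decide(config, p)[1] in (None, "permitAll")]


def dead_rules(config, paths):
    """Rules no sample path ever reaches: every path they match is already
    claimed by security="none" or by an earlier rule."""
    dead = []
    for pat, _ in config["rules"]:
        hits = [p for p in paths if ant_to_regex(pat).match(p)]
        if hits and all(decide(config, p)[0] != pat for p in hits):
            dead.append(pat)
    return dead


if __name__ == "__main__":
    for name, cfg in (("example 1", EXAMPLE_1), ("example 1 fixed", FIXED_1),
                      ("example 2", EXAMPLE_2)):
        print(f"== {name}")
        for p in SAMPLE_PATHS:
            print(f"  {p:22} -> {decide(cfg, p)}")
        print("  unprotected:", unprotected_paths(cfg, SAMPLE_PATHS))
        print("  dead rules: ", dead_rules(cfg, SAMPLE_PATHS))
```

Run stand-alone it prints, per configuration, which rule claims each sample path; for example 1 the nested path /admin/users/list shows up as unmatched (and therefore unprotected) while FIXED_1 assigns it ROLE_ADMIN, and for example 2 the /img/* intercept-url is reported as dead because the security="none" element already claimed those requests. The one known deviation from AntPathMatcher is the root path "/", which this matcher lets /**/* match; since both outcomes permit the request, it does not affect the audit.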