

  Example #3: Expression-Based Access Control + LDAP authentication + Custom Login Page
 
Subject: Example #3: Expression-Based Access Control + LDAP authentication + Custom Login Page
Author: WebSpider
In response to: /WEB-INF/web.xml
Posted on: 12/06/2017 03:11:24 AM

Step 1: Custom login -- Controller

GET http://<host>:<port>/<context>/my_login --> this.login(String error, String logout)

	/**
	 * Serves the custom login page for {@code GET /my_login}.
	 *
	 * <p>Both query parameters act purely as presence flags: their values are never read
	 * or echoed, and the text placed in the model is a fixed literal. The failure text is
	 * the same whatever the cause, so the page does not tell a caller whether the username
	 * or the password was wrong.
	 *
	 * @param error  non-null when the request carries an {@code error} query parameter
	 * @param logout non-null when the request carries a {@code logout} query parameter
	 * @return a model for the {@code login} view, holding {@code error} and/or {@code msg}
	 *         when the matching flag is present
	 */
	@RequestMapping(value = "/my_login", method = RequestMethod.GET)
	public ModelAndView login(
		@RequestParam(value = "error", required = false) String error,
		@RequestParam(value = "logout", required = false) String logout) {

		final boolean loginFailed = error != null;
		final boolean loggedOut = logout != null;

		final ModelAndView loginView = new ModelAndView();
		loginView.setViewName("login");

		if (loginFailed) {
			// Constant text only: nothing from the request reaches the rendered page.
			loginView.addObject("error", "Invalid username and password!");
		}
		if (loggedOut) {
			loginView.addObject("msg", "You've been logged out successfully.");
		}

		return loginView;
	}


Step 2: Custom login -- View

model("login") --> login.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%-- Custom login view: shows an optional status message and posts the credentials to
     the login-processing URL handled by Spring Security. --%>
<html>
    <body onload='document.loginForm.username.focus();'>

	<h1>Spring Security Custom Login Form (XML)</h1>
	<div>
		<h2>Login with Username and Password</h2>

		<%-- "error" and "msg" are model attributes that the login controller fills with fixed
		     strings. EL in template text is not HTML-escaped, so switch to <c:out> if either
		     attribute ever carries text derived from the request. --%>
		<c:if test="${not empty error}">
			<div class="error">${error}</div>
		</c:if>
		<c:if test="${not empty msg}">
			<div class="msg">${msg}</div>
		</c:if>

		<%-- The action must equal login-processing-url in the security configuration;
		     c:url prepends the context path. The field names match the configured
		     username-parameter and password-parameter. --%>
		<c:url var="loginProcessUrl" value="/where_to_process_login" />
		<form name='loginForm' action="${loginProcessUrl}" method='POST'>
		  <table>
			<tr>
			   <td>User:</td>
                           <td><input type='text' name='username' value=''></td>
			</tr>
			<tr>
			   <td>Password:</td>
			   <td><input type='password' name='password' /></td>
			</tr>
			<tr>
			   <td colspan='2'><input name="submit" type="submit"
					value="submit" /></td>
			</tr>
		  </table>

		  <%-- CSRF token: with <csrf/> enabled the POST is rejected unless this field is sent. --%>
		  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
		</form>
	</div>
    </body>
</html>



Step 3: Custom login -- Configure

        
        <!-- AUTHORIZATION -->
	<!-- Requests matching /img/* bypass the Spring Security filter chain entirely
	     (security="none"): no authentication, no CSRF check and no security context
	     for them. The pattern covers one path level only. -->
	<http pattern="/img/*" security="none" />

	<!-- auto-config="true" also registers HTTP Basic authentication next to form login
	     and logout; leave it off if the custom form is meant to be the only way in. -->
	<http auto-config="true" use-expressions="true">
		<!-- Rules are tried top to bottom and the first matching pattern wins, so the
		     catch-all permitAll has to stay last. This is a default-allow layout: only
		     paths under /app/ need a login, every other path is public.
		     NOTE(review): "/app/**/*" requires at least one segment after /app/, so a
		     handler mapped at /app itself would presumably fall outside this rule;
		     "/app/**" covers it. Verify against the path matcher in use.
		     The /img/* rule here is redundant given the security="none" chain above. -->
		<intercept-url pattern="/img/*" access="permitAll" />
		<intercept-url pattern="/app/**/*" access="isAuthenticated()" />
		<intercept-url pattern="/**/*" access="permitAll" />

		<!-- login-processing-url is handled by the Spring Security filter, not by a
		     controller; the form action in login.jsp must post to the same path.
		     With always-use-default-target="false" the user is sent back to the protected
		     URL originally requested, and to default-target-url only when there was none. -->
		<form-login 
                    login-page='/my_login'                         <--1-- How to get here: GET /<context>/my_login
		    username-parameter="username"                  <----- default "username" 
		    password-parameter="password"                  <----- default "password" 
	            login-processing-url="/where_to_process_login" <--2-- where to process?  
		    authentication-failure-url="/my_login?error"   <--3-- where to go if error? 
		    default-target-url="/welcome"                  <--4-- where to go if success? 
                    always-use-default-target="false"              <--5-- where to go if success? (true)?
                                                                                 default-target-url|user-target-url
                 />
                            
		<!-- With CSRF protection enabled, the logout URL is processed only for a POST
		     that carries the CSRF token; a plain GET link will not log the user out. -->
		<logout 
                    logout-url="/where_to_process_logout"  <--1-- where to process? 
		    logout-success-url="/my_login?logout"  <--2-- where to go if success? 
                 />
	 		
		<!-- enable csrf protection -->
		<!-- Every state-changing request, including the login POST, must then carry
		     the token; login.jsp sends it in a hidden field. -->
		<csrf/>

	</http>

	<!-- AUTHENTICATION (LDAP) -->
	<authentication-manager>
	    <authentication-provider ref="ldapActiveDirectoryAuthProvider"></authentication-provider>
	</authentication-manager>

	<!-- Constructor arguments are (domain, url). Authentication is a bind to the
	     directory with the credentials the user typed, so no service-account password
	     is stored in this file. The ldaps:// scheme keeps those credentials encrypted
	     in transit; the directory's certificate has to be trusted by the JVM trust
	     store or the connection fails. -->
	<beans:bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
	    <beans:constructor-arg value="abc.xyz.com"></beans:constructor-arg>
	    <beans:constructor-arg value="ldaps://ad.abc.xyz.com:636"></beans:constructor-arg>
	</beans:bean>



 

> On 11/23/2017 02:56:46 AM WebSpider wrote:


	<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
	<!-- The wildcard loads every XML file in /WEB-INF/spring/ into the root context,
	     which is where the security configuration has to live for the filter to find it. -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/spring/*.xml</param-value>
	</context-param>
	
	<!-- LISTENERS -->
	<!-- Creates the Spring Container shared by all Servlets and Filters -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>


	<!-- FILTERS -->
	<!-- Creates the Spring Security filters shared by all Servlets and Filters -->
	<!-- The filter-name must be exactly "springSecurityFilterChain": DelegatingFilterProxy
	     looks up a bean of that name in the root context and hands each request to it. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<!-- Mapping to /* sends every request through the security chain; a narrower mapping
	     would leave the unmapped paths without any access rule or CSRF check. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>	

	<!-- SERVLETS -->
	<!-- The DispatcherServlet builds its own child context from dispatch-servlet.xml and,
	     being mapped to "/", acts as the default servlet of the application. -->
	<servlet>
		<servlet-name>myServlet</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<init-param>
			<param-name>contextConfigLocation</param-name>
			<param-value>/WEB-INF/spring/myServlet/dispatch-servlet.xml</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
		
	<servlet-mapping>
		<servlet-name>myServlet</servlet-name>
		<url-pattern>/</url-pattern>
	</servlet-mapping>



With the above XML, the Spring Framework does the following:
  • It registers a filter implemented by DelegatingFilterProxy, which delegates the work to the bean named springSecurityFilterChain.
  • springSecurityFilterChain is the built-in default bean name; the bean is created by the <security:http> element defined in spring-security.xml.
  • spring-security.xml is loaded by ContextLoaderListener when the ServletContext is initialized.




