SpringSecurityBasicConf
This is a very basic Spring Security configuration example for the AOP solution.

If you want to test gwt-incubator-security in a GWT Spring application using the AOP solution, here is some simple but useful information. First, add this to your current configuration:

web.xml

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

This will enable URL filtering for every request. Once this step is done, you can adjust your application context configuration. Let's have a look at the very simple sample below:

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<global-method-security secured-annotations="enabled" jsr250-annotations="disabled" />
<http auto-config="true">
<intercept-url pattern="/gwt/**" access="ROLE_USER"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
<authentication-provider>
<user-service>
<user name="rod" password="koala" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
<user name="dianne" password="emu" authorities="ROLE_USER,ROLE_TELLER" />
<user name="scott" password="wombat" authorities="ROLE_USER" />
<user name="peter" password="opal" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
<beans:bean id="SimpleRPCService" class="com.gwtsamplewebapp.ui.server.SimpleRPCServiceImpl" />
</beans:beans>

As you can see, Spring Security 2.x provides a very easy configuration (via auto-configuration, in fact). You do not need many declarations to get a working secured application. The example above illustrates the use of annotations: the global-method-security element enables them.

Now you have to map RPC calls to the right service implementation. Here are the steps. First, add the following lines to your web.xml file:

<servlet>
  <servlet-name>springrpc</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>springrpc</servlet-name>
  <url-pattern>/rpc/*</url-pattern>
</servlet-mapping>

Then edit the springrpc-servlet.xml file so that it looks like this one:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.5.xsd">
<bean id="urlMapping" class="com.gwtincubator.security.server.GWTSecuredHandler">
<property name="mappings">
<map>
<entry key="/getData.rpc" value-ref="SimpleRPCService" />
</map>
</property>
</bean>
</beans>

Thus, every call to your GWT resources (your HTML entry points) is protected by the URL filter, and every RPC method you wish to protect just needs the @Secured annotation (and the throws declaration too). I hope this is clear enough.

If you want to use URL filtering on asynchronous requests, please have a look at this dedicated page: UrlFilteringSpringConfiguration.
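
As an added illustration (not part of the original wiki page or of gwt-incubator-security), this Python sketch models how the intercept-url rules above are evaluated: in the order listed, with the first matching Ant-style pattern deciding the required access. The matcher is a simplified stand-in for Spring Security's own, the request paths are constructed samples, and the /**/rpc/** rule set is the URL-filtering variant posted in the comments.

```python
import re

def _segment_matches(pat, seg):
    # Within one path segment: '*' is any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.fullmatch(rx, seg) is not None

def ant_match(pattern, path):
    """Simplified Ant-style match: '**' spans zero or more whole segments."""
    # Assumption: default settings, i.e. the query string is dropped and both
    # sides are lower-cased before comparison.
    pat = [s for s in pattern.lower().split("/") if s]
    segs = [s for s in path.split("?", 1)[0].lower().split("/") if s]

    def walk(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            return any(walk(i + 1, k) for k in range(j, len(segs) + 1))
        return j < len(segs) and _segment_matches(pat[i], segs[j]) and walk(i + 1, j + 1)

    return walk(0, 0)

def required_access(rules, path):
    """Return the access attribute of the first rule whose pattern matches."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"
PAGE_RULES = [("/gwt/**", "ROLE_USER"), ("/**", ANON)]    # applicationContext.xml above
RPC_RULES = [("/**/rpc/**", "ROLE_USER"), ("/**", ANON)]  # URL-filtering variant (comments)
SWAPPED = [("/**", ANON), ("/gwt/**", "ROLE_USER")]       # constructed mis-ordering

# Constructed sample requests. /rpc/getData.rpc is an assumed path: the servlet
# mapping /rpc/* joined with the handler key /getData.rpc.
SAMPLES = ["/gwt/index.html", "/GWT/app.nocache.js", "/rpc/getData.rpc", "/login.jsp?x=1"]

def report(rules):
    return {p: required_access(rules, p) for p in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("page", PAGE_RULES), ("rpc", RPC_RULES), ("swapped", SWAPPED)):
        print(name, report(rules))
```

With the page's rules the sample RPC path falls through to the anonymous catch-all, so the @Secured annotation is what guards it; with the catch-all listed first, the /gwt/** rule is never reached.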
Hi dmartin,
I copy my actual configuration.
Thanks a lot,
Roque
<http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
  <intercept-url pattern="/**/rpc/**" access="ROLE_USER"/>
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</http>
<authentication-manager alias="authenticationManager"/>
<beans:bean id="authenticationProcessingFilter" class="com.gwtincubator.security.server.GWTAuthenticationProcessingFilter">
  <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
  <beans:property name="defaultTargetUrl" value="/" />
  <beans:property name="authenticationManager" ref="authenticationManager" />
  <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
</beans:bean>
<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <beans:property name="loginFormUrl" value="/" />
  <beans:property name="forceHttps" value="false" />
</beans:bean>
<authentication-provider>
  <user-service>
    <user name="rod" password="koala" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    <user name="dianne" password="emu" authorities="ROLE_USER,ROLE_TELLER" />
    <user name="scott" password="wombat" authorities="ROLE_USER" />
    <user name="peter" password="opal" authorities="ROLE_USER" />
  </user-service>
</authentication-provider>

Just curious as to why anyone would choose securing URLs over the AOP version? Seems the AOP implementation is 10 times better. Cleaner implementation, more secure, etc. Am I missing something?