This application demonstrates how to use Spring Security in a Spring MVC
application. It uses Java-config, annotation-based configuration. I tried to
implement the following customizations of the Spring Security framework.
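@Configuration
@EnableWebSecurity
@ComponentScan("com.application")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Extra provider registered alongside the DAO provider built from {@link #userDetailsService}. */
    @Autowired
    CustomAuthenticationProvider customAuthenticationProvider;

    /** User lookup used by the DAO provider; the qualifier picks the "secure" implementation. */
    @Autowired
    @Qualifier("secureUserDetailsService")
    UserDetailsService userDetailsService;

    /** Invoked after a successful form login. */
    @Autowired
    LoginSuccessHandler loginSuccessHandler;

    /** Invoked after a failed form login; decides where the user is sent on failure. */
    @Autowired
    LoginFailHandler loginFailHandler;

    public SecurityConfig() {
        super();
    }

    /**
     * Registers the authentication providers with the global {@code AuthenticationManager}.
     *
     * @param auth builder for the global authentication manager
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // Username/password checked against the UserDetailsService, passwords compared with BCrypt.
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
        // Project-specific provider, registered in addition to the DAO provider above.
        auth.authenticationProvider(customAuthenticationProvider);
    }

    /**
     * Configures the HTTP security filter chain: URL authorization, form login, access-denied
     * handling, logout and concurrent-session control.
     *
     * @param http the HttpSecurity builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only the login page and the login-processing URL are reachable anonymously; every other
        // request must be authenticated and is additionally decided by the unanimous voter set.
        http.authorizeRequests()
            .antMatchers(UrlMapping.getLoginUrl(), UrlMapping.getSignInUrl()).permitAll()
            .anyRequest().authenticated()
            .accessDecisionManager(accessDecisionManager());

        // failureHandler(...) replaces whatever failureUrl(...) installed, so the former
        // failureUrl(UrlMapping.getSignInUrl()) call was dead and is dropped: the failure redirect
        // is solely LoginFailHandler's responsibility.
        http.formLogin()
            .loginPage(UrlMapping.getLoginUrl())
            .loginProcessingUrl(UrlMapping.getSignInUrl())
            .failureHandler(loginFailHandler)
            .successHandler(loginSuccessHandler)
            .usernameParameter("email")
            .passwordParameter("password");

        http.exceptionHandling().accessDeniedPage(UrlMapping.getUnauthorizedUrl());

        // Logout clears the server-side session and the session cookies.
        http.logout()
            .logoutSuccessUrl("/")
            .deleteCookies("JSESSIONID", "SESSION")
            .invalidateHttpSession(true);

        // Concurrent-session control through the DSL: one session per principal, and a second login
        // is rejected instead of expiring the first (maxSessionsPreventsLogin).
        // Deliberately NOT calling sessionAuthenticationStrategy(concurrentSessionControlAuthenticationStrategy())
        // as before: a strategy passed there replaces the default session-fixation protection strategy
        // instead of being added to it, so the previous configuration lost session-fixation protection
        // and ran the concurrency check twice. The DSL below builds the concurrent-control strategy itself.
        http.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .expiredUrl("/")
            .sessionRegistry(sessionRegistry());
    }

    /**
     * Static resources bypass the security filter chain entirely (no authentication, but also no
     * security headers are applied to them).
     *
     * @param web the WebSecurity builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    /**
     * BCrypt with a log-rounds strength of 15, i.e. 2^15 iterations: 32x the work of the default
     * strength 10. Every login and password hash pays that cost (roughly seconds per hash on common
     * hardware), which also makes login floods expensive for the server; weigh that before keeping 15.
     */
    @Bean
    PasswordEncoder encoder() {
        return new BCryptPasswordEncoder(15);
    }

    /**
     * Unanimous decision manager: access is granted only if no voter denies it. The project-specific
     * {@code MinuteBasedVoter} is consulted next to the standard expression, role and authenticated voters.
     */
    @Bean
    public AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays.asList(new WebExpressionVoter(),
                new RoleVoter(), new AuthenticatedVoter(), new MinuteBasedVoter());
        return new UnanimousBased(decisionVoters);
    }

    /** Registry of live sessions per principal; shared by concurrent-session control and the user listing. */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Forwards servlet session-destroyed events to the application context so the session registry
     * learns about expired/invalidated sessions; without it the registry would keep stale entries.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    /**
     * Standalone concurrent-session-control strategy (max 1 session, reject the newer login).
     * Kept as a bean for existing consumers; it is no longer wired into the filter chain here,
     * because {@link #configure(HttpSecurity)} lets the sessionManagement DSL build the equivalent
     * strategy without displacing session-fixation protection.
     */
    @Bean
    ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy() {
        ConcurrentSessionControlAuthenticationStrategy csca =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
        csca.setExceptionIfMaximumExceeded(true);
        csca.setMaximumSessions(1);
        return csca;
    }
}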
- Custom AuthenticationProvider.
- Custom UserDetailsService.
- Custom LoginSuccessHandler.
- Custom AuthenticationFailureHandler.
- Custom AccessDecisionVoter.
- Update the currently logged-in user's UserDetails.
- Display all logged-in users in the application.
- Custom taglib to show/hide actions based on the user's role and permissions.
- Prevent multiple logins for the same user (Spring Security concurrent user login prevention).
- Override Spring Security messages with custom messages.
- Expire all sessions of a logged-in user.
- How to implement the Apache Tiles template engine for multiple layouts on JSP pages.
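@Configuration
@EnableWebSecurity
@ComponentScan("com.application")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Extra provider registered alongside the DAO provider built from {@link #userDetailsService}. */
    @Autowired
    CustomAuthenticationProvider customAuthenticationProvider;

    /** User lookup used by the DAO provider; the qualifier picks the "secure" implementation. */
    @Autowired
    @Qualifier("secureUserDetailsService")
    UserDetailsService userDetailsService;

    /** Invoked after a successful form login. */
    @Autowired
    LoginSuccessHandler loginSuccessHandler;

    /** Invoked after a failed form login; decides where the user is sent on failure. */
    @Autowired
    LoginFailHandler loginFailHandler;

    public SecurityConfig() {
        super();
    }

    /**
     * Registers the authentication providers with the global {@code AuthenticationManager}.
     *
     * @param auth builder for the global authentication manager
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // Username/password checked against the UserDetailsService, passwords compared with BCrypt.
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
        // Project-specific provider, registered in addition to the DAO provider above.
        auth.authenticationProvider(customAuthenticationProvider);
    }

    /**
     * Configures the HTTP security filter chain: URL authorization, form login, access-denied
     * handling, logout and concurrent-session control.
     *
     * @param http the HttpSecurity builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only the login page and the login-processing URL are reachable anonymously; every other
        // request must be authenticated and is additionally decided by the unanimous voter set.
        http.authorizeRequests()
            .antMatchers(UrlMapping.getLoginUrl(), UrlMapping.getSignInUrl()).permitAll()
            .anyRequest().authenticated()
            .accessDecisionManager(accessDecisionManager());

        // failureHandler(...) replaces whatever failureUrl(...) installed, so the former
        // failureUrl(UrlMapping.getSignInUrl()) call was dead and is dropped: the failure redirect
        // is solely LoginFailHandler's responsibility.
        http.formLogin()
            .loginPage(UrlMapping.getLoginUrl())
            .loginProcessingUrl(UrlMapping.getSignInUrl())
            .failureHandler(loginFailHandler)
            .successHandler(loginSuccessHandler)
            .usernameParameter("email")
            .passwordParameter("password");

        http.exceptionHandling().accessDeniedPage(UrlMapping.getUnauthorizedUrl());

        // Logout clears the server-side session and the session cookies.
        http.logout()
            .logoutSuccessUrl("/")
            .deleteCookies("JSESSIONID", "SESSION")
            .invalidateHttpSession(true);

        // Concurrent-session control through the DSL: one session per principal, and a second login
        // is rejected instead of expiring the first (maxSessionsPreventsLogin).
        // Deliberately NOT calling sessionAuthenticationStrategy(concurrentSessionControlAuthenticationStrategy())
        // as before: a strategy passed there replaces the default session-fixation protection strategy
        // instead of being added to it, so the previous configuration lost session-fixation protection
        // and ran the concurrency check twice. The DSL below builds the concurrent-control strategy itself.
        http.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .expiredUrl("/")
            .sessionRegistry(sessionRegistry());
    }

    /**
     * Static resources bypass the security filter chain entirely (no authentication, but also no
     * security headers are applied to them).
     *
     * @param web the WebSecurity builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    /**
     * BCrypt with a log-rounds strength of 15, i.e. 2^15 iterations: 32x the work of the default
     * strength 10. Every login and password hash pays that cost (roughly seconds per hash on common
     * hardware), which also makes login floods expensive for the server; weigh that before keeping 15.
     */
    @Bean
    PasswordEncoder encoder() {
        return new BCryptPasswordEncoder(15);
    }

    /**
     * Unanimous decision manager: access is granted only if no voter denies it. The project-specific
     * {@code MinuteBasedVoter} is consulted next to the standard expression, role and authenticated voters.
     */
    @Bean
    public AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays.asList(new WebExpressionVoter(),
                new RoleVoter(), new AuthenticatedVoter(), new MinuteBasedVoter());
        return new UnanimousBased(decisionVoters);
    }

    /** Registry of live sessions per principal; shared by concurrent-session control and the user listing. */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Forwards servlet session-destroyed events to the application context so the session registry
     * learns about expired/invalidated sessions; without it the registry would keep stale entries.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    /**
     * Standalone concurrent-session-control strategy (max 1 session, reject the newer login).
     * Kept as a bean for existing consumers; it is no longer wired into the filter chain here,
     * because {@link #configure(HttpSecurity)} lets the sessionManagement DSL build the equivalent
     * strategy without displacing session-fixation protection.
     */
    @Bean
    ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy() {
        ConcurrentSessionControlAuthenticationStrategy csca =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
        csca.setExceptionIfMaximumExceeded(true);
        csca.setMaximumSessions(1);
        return csca;
    }
}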