Spring Security has robust configuration options available. As every application and environment has its own security requirements, the Spring Security reference documentation is the best place to learn the available options.
Both the booking-faces and booking-mvc sample applications are configured to use Spring Security.
Configuration is needed at both the Spring and web.xml levels.
The Spring configuration defines http specifics (such as protected URLs and login/logout mechanics) and the authentication-provider.
For the sample applications, a local authentication provider is configured.
<security:http auto-config="true">
    <security:form-login login-page="/spring/login"
                         login-processing-url="/spring/loginProcess"
                         default-target-url="/spring/main"
                         authentication-failure-url="/spring/login?login_error=1" />
    <security:logout logout-url="/spring/logout" logout-success-url="/spring/logout-success" />
</security:http>

<security:authentication-provider>
    <security:password-encoder hash="md5" />
    <security:user-service>
        <security:user name="keith" password="417c7382b16c395bc25b5da1398cf076"
                       authorities="ROLE_USER,ROLE_SUPERVISOR" />
        <security:user name="erwin" password="12430911a8af075c6f41c6976af22b09"
                       authorities="ROLE_USER,ROLE_SUPERVISOR" />
        <security:user name="jeremy" password="57c6cbff0d421449be820763f03139eb"
                       authorities="ROLE_USER" />
        <security:user name="scott" password="942f2339bf50796de535a384f0d1af3e"
                       authorities="ROLE_USER" />
    </security:user-service>
</security:authentication-provider>
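The sample provider above stores unsalted MD5 digests. As an added example (not part of the sample applications or this guide's own configuration), the same provider can be declared with BCrypt, which salts each hash and applies a work factor. It assumes Spring Security 3.1 or later, where BCryptPasswordEncoder is available and authentication-provider is nested in authentication-manager, and a context file whose default namespace is beans; the bean id passwordEncoder and the password values are placeholders.

```xml
<!-- Added example: BCrypt in place of the unsalted MD5 encoder used by the samples.
     Assumes Spring Security 3.1+ and "beans" as the default XML namespace.
     The bean id "passwordEncoder" is an arbitrary name chosen for this example. -->
<bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<security:authentication-manager>
    <security:authentication-provider>
        <!-- Delegate hashing and matching to the BCrypt bean instead of hash="md5" -->
        <security:password-encoder ref="passwordEncoder" />
        <security:user-service>
            <!-- Placeholder values: replace each one with the output of
                 BCryptPasswordEncoder.encode(...) for that user's password -->
            <security:user name="keith" password="BCRYPT_HASH_PLACEHOLDER_KEITH"
                           authorities="ROLE_USER,ROLE_SUPERVISOR" />
            <security:user name="erwin" password="BCRYPT_HASH_PLACEHOLDER_ERWIN"
                           authorities="ROLE_USER,ROLE_SUPERVISOR" />
            <security:user name="jeremy" password="BCRYPT_HASH_PLACEHOLDER_JEREMY"
                           authorities="ROLE_USER" />
            <security:user name="scott" password="BCRYPT_HASH_PLACEHOLDER_SCOTT"
                           authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
```

The http element is unchanged by this substitution; only the stored password values and the encoder declaration differ.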
In the web.xml file, a filter is defined to intercept all requests.
This filter will listen for login/logout requests and process them accordingly.
It will also catch AccessDeniedExceptions and redirect the user to the login page.
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>