Spring Security 3.x Cookbook

Introduction

We learned the basics of security in Chapter 1, Basic Security, which helped us to understand Spring Security better and also the origin of the Spring Security component in the Spring Framework.

In this chapter, let's see how Spring Security can be used to authenticate users in a Struts 2 framework-based web application.

Apache Struts 2 can be integrated with JSF and Spring. It is a very flexible POJO Action-based MVC framework: a POJO itself performs the role of the action class that fulfills requests. Struts 2 is derived from another framework called WebWork, and it works with servlet filters, which intercept the request and response.

Exploring the Spring package

You can download the JARs from Maven directly or add the dependencies to your POM file.

We prefer to use the latest JARs, version 3.1.4, from http://mvnrepository.com/artifact/org.springframework.security/spring-security-core/:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.4.RELEASE</version>
</dependency>

Main packages in Spring Security

  • org.springframework.security.authentication: This is our area of interest
  • org.springframework.security.crypto: This is used for encryption and decryption
  • org.springframework.security.util: This contains general utility classes used by the Spring Security API
  • org.springframework.security.core: This contains security core classes related to authentication and authorization
  • org.springframework.security.access: This contains voter-based security access control annotations and decision-making interfaces
  • org.springframework.security.provisioning: This contains user and group provisioning interfaces

Key Spring Security features

  • Supports JAAS.
  • Supports database.
  • Supports MongoDB authentication.
  • Provides authentication with OpenID.
  • Demonstrates multitenancy.
  • Provides basic authentication.
  • Provides digest authentication.
  • Spring Security works like an independent module. Authentication code is handled independently by the Spring Security framework.
  • Supports authentication with ApacheDS.
  • Supports authentication with Open LDAP.

Authentication mechanism

  1. User submits their credentials to the system; that is, a username and password.
  2. org.springframework.security.authentication.UsernamePasswordAuthenticationToken accepts the credentials and passes them to org.springframework.security.authentication.AuthenticationManager for validation.
  3. System authenticates the user.
  4. The credentials flow as follows: UsernamePasswordAuthenticationToken → AuthenticationManager → Authentication.
  5. Finally, a fully loaded authentication instance is returned.
  6. SecurityContextHolder accepts the authentication instance.
  7. The system also checks for authorization of roles or groups.
  8. Finally, the user is allowed to access the system based on their authorization.
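
The eight steps above, wired by hand as an added example (not code from the book), assuming the Spring Security 3.1.x JARs listed earlier are on the classpath. The class name AuthenticationFlowDemo, the user alice, the passwords, and the choice of an in-memory user store with BCrypt are all constructed for illustration:

```java
import java.util.Arrays;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthenticationFlowDemo {
    // Steps 1-6: wrap the credentials, validate them, store the result in the context.
    static boolean login(AuthenticationManager manager, String username, String password) {
        // The two-argument constructor builds an unauthenticated request token.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request); // fully loaded instance
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext(); // never leave a stale identity behind
            return false;
        }
    }

    // Steps 7-8: authorization is decided from the authorities of the stored instance.
    static boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.isAuthenticated()
                && AuthorityUtils.authorityListToSet(auth.getAuthorities()).contains(role);
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; the store holds only the BCrypt hash.
        UserDetails alice = new User("alice", encoder.encode("constructed-password"),
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(Arrays.asList(alice)));
        provider.setPasswordEncoder(encoder); // without this, passwords are compared as plain text
        AuthenticationManager manager =
                new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
        System.out.println("wrong password accepted: " + login(manager, "alice", "wrong-password"));
        System.out.println("right password accepted: " + login(manager, "alice", "constructed-password"));
        System.out.println("ROLE_USER: " + hasRole("ROLE_USER") + ", ROLE_ADMIN: " + hasRole("ROLE_ADMIN"));
    }
}
```

In a web application the Spring Security filter chain performs the login steps for you; the hand wiring here only makes each hand-off visible.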