Spring MVC multi user application - spring-mvc

I am developing a web application using Spring MVC. Since I am kind of done with the basic functionality, I was going to add user management. By this I mean that I have to extend the logic of the application to support several users. However, being new to Spring MVC, I am lost... How and where do I add session management? How do I change my controllers? Could anyone please suggest a good resource? Tutorials which I find on the Internet mainly deal with page access by using Spring Security. I need more than that. Thanks in advance!

This tutorial http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ gives a good step-by-step direction on how to use Spring Security with a database, based on user roles. I am not sure exactly what more you want that needs to be directly addressed in your question. The good thing with Spring Security is that you don't need to change your controllers. It uses a simple XML configuration and is independent of the platform you use.
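To make the answer concrete for the two things the question asks about (where session management lives, and what happens to the controllers), here is an added example in Java-config form; it is not code from the answer above or from the linked mkyong tutorial. It assumes Spring Security 4.x/5.x (WebSecurityConfigurerAdapter) and Spring MVC 4.3+; the table and column names in the SQL, the URL layout and the view names are assumptions.

```java
// Added example, not code from the original answer or the linked mkyong tutorial.
// Assumes Spring Security 4.x/5.x (WebSecurityConfigurerAdapter) and Spring MVC 4.3+.
// Table and column names in the SQL, and the URL layout, are assumptions.
import java.security.Principal;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    /** One-way, salted hash; the same bean is used wherever a password is stored. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Users and their roles come from the application's own tables (names assumed).
     *  The authority column must hold the full string, e.g. "ROLE_ADMIN", because
     *  hasRole("ADMIN") below is matched against "ROLE_ADMIN" in Spring Security 4+. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder())
            .usersByUsernameQuery(
                "select username, password, enabled from app_user where username = ?")
            .authoritiesByUsernameQuery(
                "select u.username, r.name from app_user u"
              + " join user_role ur on ur.user_id = u.id"
              + " join role r on r.id = ur.role_id where u.username = ?");
    }

    /** URL rules, login, logout and session handling all live here; controllers are untouched. */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/register", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/home")
                .and()
            .logout()
                .logoutUrl("/logout")               // must be a POST carrying the CSRF token
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession() // fresh session id after a successful login
                .maximumSessions(1);                // one concurrent session per user
        // CSRF protection is on by default; every state-changing form must carry the
        // token (with this configuration Spring's form:form tag adds the hidden field).
    }
}

@Controller
class AccountController {

    /** The only change a controller needs: take the user from the security context
     *  instead of trusting an id or username sent by the client. */
    @GetMapping("/account")
    public String account(Principal principal, Model model) {
        model.addAttribute("username", principal.getName());
        return "account";
    }
}
```

The session is created and tracked by the filter chain, not by the controllers: after login the session id is rotated (sessionFixation), a second login for the same user expires the first session (maximumSessions), and logout invalidates the session and clears the cookie. Anything the controller does on behalf of "the current user" should start from principal.getName() (or SecurityContextHolder) and never from a user id in the request, otherwise one user can act on another's data.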

Related

Spring Security for multiuser Spring MVC web app

I am developing a web app using Spring MVC. The app should manage several users with the traditional operations (for each user): registration, login, logout, update account, etc.
So, my questions are:
Is Spring Security enough to manage these operations for several users ?
What is the best way to proceed?
Many thanks
This is what Spring Security is meant for; it will work like a charm.
Follow this link for a simple example.
http://websystique.com/springmvc/spring-mvc-4-and-spring-security-4-integration-example/

Ant and XML-based Spring security integration (without using annotations)

I am a newbie to Spring. I built a Spring MVC application which is XML based, and I used JAR files following the Spring Framework MVC application step-by-step.
Now I have to integrate Spring Security into it. I found many tutorials for Spring Security, but all are made using annotations, and the MVC tutorial uses Ant and XML. I am just lost in this part. Do I have to convert my whole application to annotations, or what should I do?
Is there any way to use Spring Security without annotations? Maybe this question is not logical, but guide me and help me solve my confusion.
Or if there is any tutorial to help me in this regard, please let me know. Thank you.
I'm not sure what you mean by "change my application to annotation based", but you will have to add some annotations above your methods like this:
// @Secured only accepts plain role names, so an expression like this one needs
// @PreAuthorize (with pre-post annotations enabled in the security configuration).
@PreAuthorize("isAuthenticated() and hasRole('PERMISSION_BUY_ITEMS')")
public void buyItem(int itemId, int userId) {
    // you buy stuff logic
}
This way, in order to access your method, the user should be logged in (authenticated) and have the permission BUY_ITEMS.
You don't have to do this for all your methods.
If you do not need permission/role based authorization you can just use authentication based expressions like isAuthenticated(), isAnonymous() and permitAll out of the box without any custom implementation.
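For the annotation route described in this answer, here is an added example (not the answerer's code) of the three method-security annotations and the one switch that turns them on; the XML question above can use the same switch in the security namespace, and purely URL-level rules in the http element need no annotations at all. It assumes Spring Security 4.x/5.x; ShopService, Account and the authority names are illustrative.

```java
// Added example (not from the original answer). Assumes Spring Security 4.x/5.x.
// ShopService, Account and the authority names are illustrative.
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

/** Switches the annotations on. The XML-namespace equivalent is
 *  <global-method-security pre-post-annotations="enabled" secured-annotations="enabled"/>. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class MethodSecurityConfig {
}

class Account {
    private final long id;
    private final String owner;
    Account(long id, String owner) { this.id = id; this.owner = owner; }
    public long getId() { return id; }
    public String getOwner() { return owner; }   // read by SpEL below as returnObject.owner
}

@Service
public class ShopService {

    private final Map<Long, Account> accounts = new HashMap<>();

    // @Secured takes plain authority strings only, no expressions; listed values are OR-ed.
    @Secured({"ROLE_ADMIN", "ROLE_SUPPORT"})
    public void refund(long orderId) {
        // issue the refund
    }

    // @PreAuthorize evaluates SpEL before the body runs. hasAuthority('X') matches the
    // stored GrantedAuthority string exactly; hasRole('X') looks for 'ROLE_X' in 4.x+.
    @PreAuthorize("isAuthenticated() and hasAuthority('PERMISSION_BUY_ITEMS')")
    public void buyItem(long itemId) {
        // the purchase itself
    }

    // Arguments are bound by name (#username): a user may read only their own account,
    // an admin any. The identity used for the decision comes from the security context.
    @PreAuthorize("#username == authentication.name or hasRole('ADMIN')")
    public Account accountOf(String username) {
        for (Account a : accounts.values()) {
            if (a.getOwner().equals(username)) {
                return a;
            }
        }
        return null;
    }

    // @PostAuthorize inspects the return value: ownership is only known after the load.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Account findAccount(long id) {
        return accounts.get(id);
    }
}
```

Two caveats a practitioner runs into immediately: the checks are applied by an AOP proxy around the Spring bean, so a call from one method of ShopService to another in the same class bypasses the annotation; and #username binding needs parameter names at runtime (compile with -parameters or debug info, or annotate the parameter with Spring Security's @P). A failed check throws AccessDeniedException, which the web filter chain turns into a 403 for an authenticated user and a redirect to the login page for an anonymous one.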

Spring Security: Step by Step

I started on Spring a few months back and the Security topic seems the most complex to me. With Acegi moving into Spring I could not find a single tutorial that tells, step by step, how to add security to a Spring app. Please help me. My requirements are as follows:
I have several roles in application, they are not hierarchical roles (meaning Role A not necessarily have all roles of Role B etc).
I want to integrate it to use my own User table where I would store Username, encrypted password (one way encryption) and I want to use either Hibernate or any Spring inbuilt component (read the class name JdbcDaoImpl somewhere, have no clue how to use it though) to access the DB data.
I probably don't want method level security because I want to use Spring taglibs to selectively show/hide menu items, however there should be way to prohibit unauthorized user to access a page directly through URL.
I don't want ready-made code (this tutorial, for example, confused me to hell, since it doesn't even have the Spring Security namespace declaration in security.xml); I would rather appreciate a step-by-step guide on how to achieve the above in a Spring 2.5/Hibernate 3 application using Spring Security.
Thanks for your time.
Well, without knowing what you've already read, here are the articles I used to first start. Note that a lot of the Acegi Security articles are still relevant; Spring Security uses almost all the concepts from Acegi. The only thing they really added was simplifying [some] configurations, like the auto-config for security situations that exactly fit their use case.
Securing Java applications with Acegi
Acegi Security Fundamentals
Pathway from Acegi to Spring Security 2.0
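The question above asks for the pieces rather than a link: its own User table, a one-way hashed password, flat (non-hierarchical) roles, and URL-level protection with the taglib only hiding menu items. The following is an added example of how those pieces fit together with a custom UserDetailsService; it is not code from the answer or the linked Acegi articles. It assumes Spring Security 4.x/5.x rather than the Acegi-era versions the question names, and AppUser and UserRepository are assumed application types standing in for the Hibernate-mapped user table and its DAO.

```java
// Added example, not from the original answer or the linked Acegi articles.
// Assumes Spring Security 4.x/5.x. AppUser and UserRepository are assumed
// application types (the "own User table" from the question and its Hibernate DAO).
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

/** Application-owned user row (assumed shape). passwordHash holds a one-way hash only. */
class AppUser {
    String username;
    String passwordHash;
    boolean enabled;
    Set<String> roles;   // e.g. {"ROLE_EDITOR", "ROLE_BILLING"}: flat, nothing implies anything
}

/** Assumed DAO; a Hibernate session or Spring Data repository sits underneath. */
interface UserRepository {
    AppUser findByUsername(String username);
    void save(AppUser user);
}

@Service
public class DatabaseUserDetailsService implements UserDetailsService {

    private final UserRepository users;
    private final PasswordEncoder encoder;   // the same BCryptPasswordEncoder bean used at login

    public DatabaseUserDetailsService(UserRepository users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    /** Called by DaoAuthenticationProvider on login; the provider compares the hash itself,
     *  so this method never sees or checks the submitted password. */
    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) {
        AppUser u = users.findByUsername(username);
        if (u == null) {
            // The provider maps this to the same "bad credentials" failure as a wrong
            // password, so usernames cannot be enumerated from the login form.
            throw new UsernameNotFoundException("No user: " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : u.roles) {
            // Each role is an independent authority; there is no hierarchy unless a
            // RoleHierarchy bean is configured, which matches the question's requirement.
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return new User(u.username, u.passwordHash, u.enabled,
                true, true, true, authorities);
    }

    /** Registration path: hash with the same encoder the login path verifies against. */
    @Transactional
    public void register(String username, String rawPassword) {
        if (users.findByUsername(username) != null) {
            throw new IllegalArgumentException("username already taken");
        }
        AppUser u = new AppUser();
        u.username = username;
        u.passwordHash = encoder.encode(rawPassword);   // salted, slow, one-way; never the raw value
        u.enabled = true;
        u.roles = Collections.singleton("ROLE_USER");
        users.save(u);
    }
}
```

Wire it in with auth.userDetailsService(service).passwordEncoder(encoder) in Java config, or an authentication-provider element with user-service-ref and a password-encoder child in XML. Direct URL access is then blocked by intercept-url rules in the http element (or antMatchers in Java config), and the sec:authorize taglib only decides whether a menu item is rendered; the URL rule, not the taglib, is what stops a user who types the address by hand, so both must agree.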

Custom Providers, Best Practices, and Configuration Conflaguration

I have been building web sites with ASP.NET for a while now. At first I avoided learning the intricacies of the ASP.NET Provider Model. Instead I used the canned providers where necessary, and leaned heavily on Dependency Injection frameworks for all my other needs.
Recently however, I have been writing pluggable components for ASP.NET and of course writing lots of custom provider based solutions in order to make that happen. It has become quickly apparent to me however, that a lot of initialization code is being duplicated, which is a bad thing.
So...
Are there any best practices that have emerged on how to avoid the configuration spaghetti code?
Have you built, or have any examples (base/helper classes, custom attributes, reflection) to share of abstracting the basic initialization code out so building custom providers is easier?
NOTE:
Please do not try and send me to the Provider Toolkit site. I have already exhausted that resource, which is why I am turning to the SO Community :)
I just did a rough, rather basic implementation of the membership and role providers, and I don't have any code duplication at all!
I have divided everything into three projects (plus tests):
Application - asp.net mvc app. models, controllers etc.
Infrastructure - IoC and Interfaces
Infrastructure.Web - Providers
The model for User and Role implements interfaces from Infrastructure, and those classes get registered with the IoC on application startup. The providers then ask the IoC to resolve the classes and do their thing. This way I can add things to the model and user interface while still using the same providers. The one problem I've noticed is that the web being launched by the "ASP.NET Configuration" button can't use the providers, as the setup is being done in Application_Start and the "ASP.NET Configuration" is another web. I don't see this as a problem though.

ASP.Net Web Forms Entity Level Access Control

I have an ASP.Net Web Forms application in which I'm using forms-based authentication with Membership and Role providers, which is fine for authenticating and controlling access to directories and/or files. Now I find myself needing to control read, write and delete access on individual entity instances, for example being able to update or delete an instance of a customer. I've been trying to think of a good way to implement this but I don't really know where to start. I read about the Authorize attribute in ASP.Net MVC and thought it would be nice to have something analogous--decorating methods the way you can controller actions in ASP.Net MVC. I don't know of any out of the box way to accomplish this in the Web Forms world though, and don't know of any frameworks or other tools that might help me move in that direction. Any suggestions, both in terms of existing solutions and/or how to design my own implementation would be greatly appreciated.
The easiest way is to demand that the user is a member of the role(s) required for the method in question with PrincipalPermissionAttribute.
using System.Security.Permissions;

// Each attribute is a separate demand; the call succeeds if any one of them is satisfied.
[PrincipalPermission(SecurityAction.Demand, Role = "Supervisor")]
[PrincipalPermission(SecurityAction.Demand, Role = "Owner")]
public void DeleteSomething() { ... }
Note that this means Supervisor OR Owner can DeleteSomething().
I don't think "PrincipalPermission" is a good approach.
What if I need to allow DeleteSomething() for another role?
Similarly, what if I need to remove an existing role for DeleteSomething()?
The only way is changing the attributes at code level. This is not at all feasible for big projects.
I am also looking for a nice solution.