Ant and XML-based Spring security integration (without using annotations) - spring-mvc

I am a newbie to Spring. I built a Spring MVC application which is XML based, and I used JAR files as in "Spring Framework MVC application step-by-step".
Now I have to integrate Spring Security into it. I found many tutorials for Spring Security, but all of them are made using annotations, and the MVC tutorial uses Ant and XML. I am just lost in this part. Do I have to convert my whole application to use annotations, or what should I do?
Is there any way to use Spring Security without annotations? Maybe this question is not logical, but please guide me and help me solve my confusion.
Or if there is any tutorial that can help me in this regard, please let me know. Thank you.

I'm not sure what you mean with "change my application to annotation based", but you will have to add some annotations above your methods like this:
// @Secured only accepts plain role names; a SpEL expression like this one needs @PreAuthorize
@PreAuthorize("isAuthenticated() and hasRole('PERMISSION_BUY_ITEMS')")
public void buyItem(int itemId, int userId) {
    // buy-item logic goes here
}
This way, in order to access your method the user should be logged in (authenticated) and have the permission BUY_ITEMS.
You don't have to do this for all your methods.
If you do not need permission/role based authorization you can just use authentication based expressions like isAuthenticated(), isAnonymous() and permitAll out of the box without any custom implementation.

Related

Spring MVC multi user application

I am developing a web application using Spring MVC. Since I am kind of done with the basic functionality, I was going to add user management. By this I mean that I have to extend the logic of the application to support several users. However, being new to Spring MVC I am lost... How and where do I add session management? How do I change my controllers? Could anyone please suggest a good resource? Tutorials which I find on the Internet mainly deal with page access by using Spring Security. I need more than that. Thanks in advance!
This tutorial http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ gives a good step-by-step direction on how to use Spring Security with a database based on user roles. I am not sure exactly what more you want that needs to be directly addressed in your question. The good thing with Spring Security is that you don't need to change your controllers. It uses a simple XML configuration and is independent of the platform you use.

spring roo frontend twitter-bootstrap integration

I want to develop a pretty standard web project with all basic functionalities such as a landing page, user registration, login and so on.
Since I'm familiar with Java and Spring, I set up a project with Spring Roo including DBRE from a MySQL database, MVC and Spring Security.
Right now I'm wondering how to go on with the UI. I would like to integrate a template from twitter-bootstrap and I already downloaded a working example project (no Apache Tiles structure). I'm not very familiar with Apache Tiles and frontend design in general, so my question is: what would be the best way to integrate it and bypass the standard CRUD design?
Is it only necessary to design a new default layout and reuse existing .jspx files? Also, is it possible to take the existing bootstrap.jsp template, which uses SiteMesh, from the bootstrap example as a new template and reuse existing .jspx files?
Reuse is important since there are still entities which will change in the future.
Appreciate any help!
I haven't personally used twitter-bootstrap, but I am fairly familiar with the Spring Roo structure.
My first bit of advice would be to simply not use their UI stuff. Nothing says you have to generate your Controllers with scaffolding, which takes the scaffolded classes and auto-generates the CRUD methods and UI pieces for you. In fact, in my last 4 projects, I did all the UI coding myself (I still used Tiles w/JSPs, and let Roo make all the relevant Tiles configs and resource bundles). You can ALWAYS generate a plain Controller and use Roo for everything except the View pieces.
I don't see why you couldn't use the bootstrap.jsp you speak of. The Tiles implementation is done using the TilesViewResolver, I believe, which should be configured in the application_context.xml (or whatever Roo calls the context XML file). Just replace the TilesViewResolver setup with something else. I would suggest reading up on Chapter 17.5 Resolving Views in the Spring Reference guide. I think for JSPs you want to use InternalResourceViewResolver.

Spring Security: Step by Step

I started on Spring a few months back and the Security topic seems the most complex to me. With Acegi moving into Spring, I could not find a single tutorial that tells the step-by-step way to add security to a Spring app. Please help me. My requirements are as follows:
I have several roles in the application; they are not hierarchical roles (meaning Role A does not necessarily have all the roles of Role B, etc.).
I want to integrate it to use my own User table where I would store the username and the encrypted password (one-way encryption), and I want to use either Hibernate or any Spring inbuilt component (I read the class name JdbcDaoImpl somewhere, but have no clue how to use it) to access the DB data.
I probably don't want method level security because I want to use Spring taglibs to selectively show/hide menu items; however, there should be a way to prohibit an unauthorized user from accessing a page directly through its URL.
I don't want ready-made code (this tutorial, for example, confused me to hell, since it doesn't even have the Spring Security namespace declaration in security.xml); I would rather appreciate a step-by-step guide on how to achieve the above in a Spring 2.5/Hibernate 3 application using Spring Security.
Thanks for your time.
Well, without knowing what you've already read, here are the articles I used to first start. Note that a lot of the Acegi Security articles are still relevant; Spring Security uses almost all the concepts from Acegi - the only thing they really added was simplifying [some] configurations, like the auto-config for security situations that exactly fit their use case.
Securing Java applications with Acegi
Acegi Security Fundamentals
Pathway from Acegi to Spring Security 2.0
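To make the "step-by-step" concrete, here is an added example (not from the question, the answer, or the linked articles) that covers the requirements stated in the question above and the database-backed login mentioned in the earlier Spring MVC multi-user thread: flat roles, URL-only protection, the application's own user table consulted through JdbcDaoImpl, and one-way hashed passwords. It uses the Spring Security 2.0 namespace that matches a Spring 2.5 application, and it begins with the namespace declaration the question says the tutorial lacked. The table and column names, the role names, the URL patterns and the bean name dataSource are all assumed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- security.xml (assumed name), Spring 2.5 / Spring Security 2.0 namespace -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

  <!-- URL protection only: method security is not switched on, so service classes
       stay untouched. In the 2.0 namespace "access" is a comma-separated list of
       roles, any one of which grants access; roles are flat, with no hierarchy. -->
  <http auto-config="true">
    <intercept-url pattern="/login.jsp*"  filters="none" />
    <intercept-url pattern="/admin/**"    access="ROLE_ADMIN" />
    <intercept-url pattern="/reports/**"  access="ROLE_ADMIN,ROLE_AUDITOR" />
    <intercept-url pattern="/**"          access="ROLE_USER" />
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=1" />
    <logout logout-success-url="/login.jsp" />
  </http>

  <!-- jdbc-user-service is the namespace front for JdbcDaoImpl. The two queries
       adapt it to the application's own tables (assumed: app_user, app_user_role).
       The first must return username, password, enabled and the second
       username, authority, in that column order, each taking the username as
       its single parameter. The bean "dataSource" is assumed to exist. -->
  <jdbc-user-service id="userService" data-source-ref="dataSource"
      users-by-username-query=
        "select login, password_hash, active from app_user where login = ?"
      authorities-by-username-query=
        "select u.login, r.role_name from app_user u
           join app_user_role r on r.user_id = u.id where u.login = ?" />

  <!-- One-way hash, salted with the username so equal passwords do not produce
       equal hashes. The same encoder must be used when the hash is first stored. -->
  <authentication-provider user-service-ref="userService">
    <password-encoder hash="sha">
      <salt-source user-property="username" />
    </password-encoder>
  </authentication-provider>

</beans:beans>
```

For the menu items, the 2.0 taglib (uri http://www.springframework.org/security/tags, usually bound to the sec prefix) wraps a fragment in an authorize tag with ifAnyGranted="ROLE_ADMIN"; the intercept-url rules above still stop a user who types the admin URL directly, so hiding a link is never the only control. If Hibernate is preferred over the JDBC queries, the jdbc-user-service element is replaced by a bean implementing UserDetailsService and referenced the same way through user-service-ref; the password-encoder part is unchanged. SHA with a username salt is what this namespace version offers; later versions add stronger adaptive hashes such as bcrypt.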

ASP.Net Security: Wrap Requests in IHttpHandler or use RoleProvider?

I'm working with ASP.Net MVC as well as DynamicData and I need to add role-based security.
Should I implement this via:
IHttpHandler with custom actions that check if the user is authorized?
Or should I be using a RoleProvider?
Or perhaps some combination of the two?
If the RoleProvider is a viable option, when would I ever need to extend the abstract RoleProvider base class vs. using the ones included? MSDN says you would only extend this class if "You need to store role information in a data source that is not supported by the role providers included with the .NET Framework." Please expound on this. Explain how this would work under circumstances where I don't need to extend the base class but instead use the included role providers. What data sources are supported by the included providers?
Also, would your answer to these questions be different for ASP.Net MVC vs. ASP.Net DynamicData?
All MSDN is saying here is "we wrote this stuff for you, tested and debugged it, please use it".
The default role providers work great if you spend some time setting them up. Implementing your own isn't too hard either.
I'd answer both pretty much the same. With MVC you're setting Authorize attributes on your Controller and/or Controller actions. With Dynamic Data you're setting things up inside the web.config file.
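As an added illustration (not part of the answer above) of the "set it up in web.config" route, this is a role-based configuration that uses a provider shipped with the framework instead of subclassing RoleProvider. The included providers are SqlRoleProvider (roles in a SQL Server database whose schema the aspnet_regsql tool creates), WindowsTokenRoleProvider (Windows group membership) and AuthorizationStoreRoleProvider (Authorization Manager stores); a custom subclass is only needed for a store none of these cover. The connection string name, the Admin folder and the Administrators role below are assumed.

```xml
<?xml version="1.0"?>
<!-- web.config: constructed example for a Web Forms / Dynamic Data site -->
<configuration>
  <connectionStrings>
    <!-- assumed name and database; aspnet_regsql provisions the role tables -->
    <add name="AppServices"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=AppServices;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="30" />
    </authentication>

    <!-- built-in SqlRoleProvider, no custom RoleProvider subclass required -->
    <roleManager enabled="true" defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppServices"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- site-wide default: anonymous users ("?") are denied everywhere -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- directory-level rule for the Dynamic Data admin pages. Rules are evaluated
       top to bottom and the first match wins, so the allow must precede the
       deny-all ("*") that follows it. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same provider serves an MVC project: once roleManager is enabled, an Authorize attribute with a Roles value on a controller or action asks the configured RoleProvider for the current user's membership, so the authorization data lives in one place for both MVC and Dynamic Data pages.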

ASP.Net Web Forms Entity Level Access Control

I have an ASP.Net Web Forms application in which I'm using forms-based authentication with Membership and Role providers, which is fine for authenticating and controlling access to directories and/or files. Now I find myself needing to control read, write and delete access on individual entity instances, for example being able to update or delete an instance of a customer. I've been trying to think of a good way to implement this but I don't really know where to start. I read about the Authorize attribute in ASP.Net MVC and thought it would be nice to have something analogous--decorating methods the way you can controller actions in ASP.Net MVC. I don't know of any out of the box way to accomplish this in the Web Forms world though, and don't know of any frameworks or other tools that might help me move in that direction. Any suggestions, both in terms of existing solutions and/or how to design my own implementation would be greatly appreciated.
The easiest way is to demand that the user is a member of the role(s) required for the method in question with PrincipalPermissionAttribute.
[PrincipalPermission(SecurityAction.Demand, Role="Supervisor")]
[PrincipalPermission(SecurityAction.Demand, Role="Owner")]
public void DeleteSomething() {...}
Note that this means Supervisor OR Owner can DeleteSomething().
I don't think "PrincipalPermission" is a good approach.
What if I need to allow DeleteSomething() for another role?
Similarly, what if I need to remove an existing role for DeleteSomething()?
The only way is changing the attributes at the code level. This is not at all feasible for big projects.
I am also looking for a nice solution.
