Security is
of critical importance to all web applications. Vulnerable applications are
easy prey for hackers. Spring Security is a Java/Java EE framework that
provides authentication, authorization and other security features for java
language based enterprise applications. It is operating system independent, so works
on various kinds of operating system. On 25th September 2016 the
latest stable version of spring -Security is 4.1.3.Spring- Security version 4.1.1
is used in this article.
·
Spring Security Features
1. Comprehensive and extensible support
for both Authentication and Authorization.
2. Protection against attacks like
session fixation, clickjacking, cross site request forgery (CSRF), etc.
3. Servlet API integration.
4. Optional integration with Spring MVC and
supports more frameworks.
The JPA(Java
Persistence API) is a specification for Java Persistence data using the
Object-Relational Mapping (ORM - Object Relational Mapping). One of the main
JPA implementations is the Hibernate framework. JPA can be used with any
database that has a driver for communicating with Java applications, including,
PostgreSQL, Oracle, SQL Server and MySQL.
This is a web
security (Login Logout and Remember me) application operating on ‘users’ and ‘user_roles’ tables in ‘springsecurity’
database in MySQL Database Server. It is a Struts2-Xml,JPA,Hibernate4-Annotation and
SpringSecurity4- Xml based application. Different persons
with different authorization (e.g. user and admin) displayed different web
pages after logging in.
Software
Used
1.JDK8u25
2.Netbeans
8.02
3.MySQL 5.*
Database Server(or XAMPP-For easy MySQL Management)
4.MySQL
Connector 5.*
5.Hibernate
4.3.** (Bundled with Netbeans)
6.Struts2
7.Spring4.3.2
8.Spring
Security 4.1.1
Steps
1.Install
JDK8 or Jdk7 if not installed
2.Install
Netbeans and associated ApacheTomcat Server
3.Install MySQL Database server or XAMPP(For easy
management of MySQL ) .
After
Installing Netbeans click the services tab on the left. Expand Database node.
Expand Drivers node. Right click MySQL(Connector/Jdriver) then connect. Put
springsecurity as the database. As shown below. Put password if you have given
password at the time of installation of MySQL database server. For XAMPP no password is required. Then test connection.
If successful click finish button.
Create user
table by running below SQL in ‘springsecurity’ database
CREATE TABLE
IF NOT EXISTS `users` (
`username` varchar(45) NOT NULL,
`password` varchar(60) NOT NULL,
`enabled` tinyint(4) NOT NULL DEFAULT '1'
)
ENGINE=InnoDB DEFAULT CHARSET=latin1;
ALTER TABLE
`users` ADD PRIMARY KEY (`username`);
Insert these
Records below by executing below insert statement
INSERT INTO
`users` (`username`, `password`, `enabled`) VALUES
('alex',
'alex123', 1),
('mkyong',
'mykong123', 1),
('raichand70',
'jaishriram', 1),
('walid',
'walid123', 0);
CREATE TABLE
IF NOT EXISTS `user_roles` (
`user_role_id` int(11) NOT NULL,
`username` varchar(45) NOT NULL,
`role` varchar(45) NOT NULL
)
ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;
ALTER TABLE
`user_roles` ADD PRIMARY KEY
(`user_role_id`), ADD UNIQUE KEY `uni_username_role` (`role`,`username`), ADD
KEY `fk_username_idx` (`username`);
ALTER TABLE
`user_roles` MODIFY `user_role_id`
int(11) NOT NULL AUTO_INCREMENT,AUTO_INCREMENT=1;
ALTER TABLE
`user_roles` ADD CONSTRAINT `fk_username` FOREIGN KEY (`username`) REFERENCES
`users` (`username`);
Insert these
Records below by executing below insert statement
INSERT INTO
`user_roles` (`user_role_id`, `username`, `role`) VALUES
(1,
'raichand70', 'ROLE_ADMIN'),
(2, 'alex',
'ROLE_USER'),
(3,
'mkyong', 'ROLE_USER'),
(4, 'walid',
'ROLE_USER');
Creating Project SpringSecurity4Struts2JPAHibernate4RememberMeExample
File-àNew
ProjectàCategories-àChoose JavaWeb--àChoose WebApplicationàClick Next-àGive Project Name SpringSecurity4Struts2JPAHibernate4RememberMeApplicationàClick NextàClick NextàChoose Framework Hibernateà Click
Finish
In the above figure Database Connection should be with ‘springsecurity’ database.
Persistence.xml is not
required for this project.
Download
mysql- connector-java-bin.jar add to libraries folder by right click
addJAR/Folderàadd the mysql-java-bin.jar.
Create a folder named View under Web
pages Folder. Create Two Folders named Secured and UnSecured under View Folder.
Create two folders named User and Admin under Secured Folder.Admin Folder would
contain admin.jsp. User folder would contain userprofile.jsp file. UnSecured
Folder would two files login.jsp and redirect.jsp.please verify with project
structure.
Project Structure
JARS required to be added
to Libraries Folder
Right click on the Libraries folderà addJAR/Folder then add below mentioned JAR Files . Most of the below JAR files are available for download from the provided
downloadable winrar file along with other files of the project.
1.aopalliance-1.0.jar
2.javax.inject-1.jar
3.commons-logging-1.2.jar
4.mysql-connector-java.bin.jar
5. el-impl-2.2
6. spring-aop-4.3.2
7. spring-beans-4.3.2
8. spring-context-4.3.2
9. spring-core-4.3.2
10. spring-tx-4.3.2
11. spring-web-4.3.2
12. spring-expression-4.3.2
13. spring-jdbc-4.3.2
14. spring-orm-4.3.2
15. spring-security-config-4.1.1
16. spring-security-core-4.1.1
17. spring-security-web-4.1.1
18. Struts 2-core- 2.3.24.1.jar
19. Struts 2-convention-plugin-2.3.24.1. jar
20. Struts 2-jquery-plugin-2.3.1. jar
21. Struts-taglib-1.3.10.jar
22. commons-fileupload-1.3.1.jar
23. commons-io-2.2.jar
24. commons-lang3-3.4.jar
25. commons-logging-1.1.3.jar
26. freemaker-2.3.22.jar
27. javassist-3.11.0.GA.jar
28. ognl-3.0.6.jar
29. xwork-core-2.3.24.1.jar
30. asm-3.3.jar
31.asm-commomns-3.3.jar
32.jandex2.0.3Final
Creating Packages and Classes
Default Package contains one file struts.xml
Right click Source
Package folder and create four packages
1.
com.ray.springsecurity.dao-àThis would contain DAO(Data Access Object) class and
interface UserDao.java and UserDaoImpl.java
2. com.ray.springsecurity.pojos.modelàThis would contain entity (POJO)
class files
User.java and UserRole.java. POJO Stands for
Plain Old Java Objects
3.
com.ray.springsecurity.serviceàThis would contain Spring Service class file
CustomUserDetailsService.java
4.
com.ray.struts.actionsàThis would contain Strut Actions file LoginAction.java
This Class
directs the person logging in after authentication with username and password to
the authorized web page depending on authority like User or Admin.
Following
Files would be created using Netbeans
1. hibernate.cfg,xml
File-àAutomatically generated. (It will be
used to create User.java,UserRole.java entity files and then would be deleted.)
2. Reverse
Engineering File-àhibernate.reveng.xml. (It will be used to create User.java,UserRole.java
entity Files and then would be deleted.)
3.Entity(POJO)
File-àUser.java and UserRole.java(POJO
stands for Plain Old Java Objects)
4. DataAccessObject(DAO) File-àUserDao.java
5.DataAccessObject(DAO) File-àUserDaoImpl.java
6.SpringService FileàCustomUserDetailsService.java
7. LoginAction.java File àStruts
Action file for logging in and directed to authorized page according to
authorization.
8.redirect.jsp FileàThis
file would redirect to login.jsp page on starting application.
9. login.jspàPerson
writes his/her username and password with remember me facility
10. admin.jspàThis
is displayed if the person logging in is having admin authorization.
11. userprofile.jspàThis
is displayed if the person logging in is having user authorization. This
displays the profile of user.
12. web.xml (Automatically generated and modified later)
13. spring-security.xmlàThis
contains Security credentials.
14. spring-database.xmlàThis
contains database credentials.
15.struts.xml
Add mysql-
connector-java-bin.jar to libraries if not done.
COPY
AND PASTE CODE OF THE FILE GIVEN BELOW
WHOSE CODE IS NOT GENERATED
1.Hibernate.cfg.xml File(It would be deleted after used for
creating User.java and User_Role entity
classes)
As
XAMPP is used so there is no password in
the file only username is given that
is root in Hibernate.cfg.xml File.
Code:-
<?xml
version="1.0" encoding="UTF-8"?>
<!DOCTYPE
hibernate-configuration PUBLIC "-//Hibernate/Hibernate Configuration DTD
3.0//EN"
"http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
<session-factory>
<property
name="hibernate.dialect">org.hibernate.dialect.MySQLDialect</property>
<property
name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property>
<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/springsecurity?zeroDateTimeBehavior=convertToNull</property>
<property
name="hibernate.connection.username">root</property>
<property name="hibernate.connection.password">
</property>
<property name="hibernate.connection.pool_size">10</property>
<property
name="show_sql">true</property>
<property
name="dialect">org.hibernate.dialect.MySQLDialect</property>
<property
name="hibernate.hbm2ddl.auto">update</property>
<mapping class="com.ray.springsecurity.pojos.model.User"/>
<mapping class="com.ray.pojos.springsecurity.model.UserRole"/>
</session-factory>
</hibernate-configuration>
2. Creating Reverse
Engineering File-àhibernate.reveng.xml(It would be deleted after used for
creating User.java and UserRole.java
entity class)
.
Right Click default package in the Source Package-ànewàchoose Hibernate Reverse
Engineering Wizardàclick
nextàchoose user and
user_role tableàAdd àclick finish.
CODE:
<?xml version="1.0"
encoding="UTF-8"?>
<!DOCTYPE hibernate-reverse-engineering PUBLIC
"-//Hibernate/Hibernate Reverse Engineering DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-reverse-engineering-3.0.dtd">
<hibernate-reverse-engineering>
<schema-selection
match-catalog="springsecurity"/>
<table-filter
match-name="user"/>
<table-filter
match-name="user_role"/>
</hibernate-reverse-engineering>
3.
Creating Hibernate Entity (pojo) Files:-User.java and UserRole.java
Important:To create this file MySQL
database springsecurity most be connected through Netbeans.
Right click
com.model package--ànew-àHibernate Mappling Files and pojos from databaseàDonot select mapping file &
select EJB3.0 Pattern and Domain Code(java) àClick Finish
Please Modify both entity
classes as Given Below. Generated code may differ a little.
User.java CODE:
package
com.ray.springsecurity.pojos.model;
import
java.io.Serializable;
import
java.util.HashSet;
import
java.util.Set;
import
javax.persistence.Column;
import
javax.persistence.Entity;
import javax.persistence.FetchType;
import
javax.persistence.Id;
import
javax.persistence.OneToMany;
import
javax.persistence.Table;
@Entity
@Table(name
= "users", catalog = "springsecurity")
public class
User implements Serializable{
private String username;
private String password;
private boolean enabled;
private Set<UserRole> userRole
= new HashSet<UserRole>(0);
public User() {
}
public User(String username, String
password, boolean enabled) {
this.username =
username;
this.password =
password;
this.enabled = enabled;
}
public User(String username, String
password,
boolean enabled,
Set<UserRole> userRole) {
this.username =
username;
this.password =
password;
this.enabled = enabled;
this.userRole =
userRole;
}
@Id
@Column(name = "username",
unique = true,
nullable = false, length
= 45)
public String getUsername() {
return this.username;
}
public void
setUsername(String username) {
this.username =
username;
}
@Column(name = "password",
nullable = false, length
= 60)
public String getPassword() {
return this.password;
}
public void setPassword(String
password) {
this.password =
password;
}
@Column(name = "enabled",
nullable = false)
public boolean isEnabled() {
return this.enabled;
}
public void setEnabled(boolean
enabled) {
this.enabled = enabled;
}
@OneToMany(fetch = FetchType.LAZY,
mappedBy = "user")
public Set<UserRole>
getUserRole() {
return this.userRole;
}
public void
setUserRole(Set<UserRole> userRole) {
this.userRole =
userRole;
}
}
UserRole.Java CODE:-
package
com.ray.springsecurity.pojos.model;
import
java.io.Serializable;
import
static javax.persistence.GenerationType.IDENTITY;
import
javax.persistence.Column;
import
javax.persistence.Entity;
import
javax.persistence.FetchType;
import
javax.persistence.GeneratedValue;
import
javax.persistence.Id;
import
javax.persistence.JoinColumn;
import
javax.persistence.ManyToOne;
import
javax.persistence.Table;
import
javax.persistence.UniqueConstraint;
@Entity
@Table(name
= "user_roles", catalog = "springsecurity",
uniqueConstraints = @UniqueConstraint(
columnNames = {
"role", "username" }))
public class
UserRole implements Serializable{
private Integer userRoleId;
private User user;
private String role;
public UserRole() {
}
public UserRole(User user, String
role) {
this.user = user;
this.role = role;
}
@Id
@GeneratedValue(strategy = IDENTITY)
@Column(name =
"user_role_id",
unique = true, nullable =
false)
public
Integer getUserRoleId() {
return this.userRoleId;
}
public void setUserRoleId(Integer
userRoleId) {
this.userRoleId = userRoleId;
}
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name =
"username", nullable = false)
public User getUser() {
return this.user;
}
public void setUser(User user) {
this.user = user;
}
@Column(name = "role",
nullable = false, length = 45)
public String getRole() {
return this.role;
}
public void setRole(String role) {
this.role = role;
}
}
4.
Creating DataAccessObject (DAO) InterfaceFile
UserDao.java class File
Right click
com.ray.springsecurity.dao package-ànew-àJavaClassàGive class name UserDao -à click Finish.
UserDao.java File CODE:
package
com.ray.springsecurity.dao;
import
com.ray.springsecurity.pojos.model.User;
public
interface UserDao {
User findByUserName(String
username);
}
5. Creating DataAccessObject
(DAO)Class Implementation File
UserDaoImpl.java
File
Right click
com.ray.dao package-ànew-àJavaClassàGive class name UserDaoImpl -à click Finish.
UserDaoImpl.java File CODE:
package com.ray.springsecurity.dao;;
import
org.springframework.stereotype.Repository;
import
com.ray.springsecurity.pojos.model.User;
import
javax.persistence.EntityManager;
import
javax.persistence.PersistenceContext;
@Repository
public class
UserDaoImpl implements UserDao {
private EntityManager entityManager;
@SuppressWarnings("unchecked")
@Override
public User
findByUserName(String username) {
System.out.println("Name of the DAO user
is:-"+ username);
return entityManager.createQuery("from
User u where u.username = :username", User.class)
.setParameter("username", username)
.getSingleResult();
}
public EntityManager getEntityManager() {
return entityManager;
}
@PersistenceContext
public void setEntityManager(EntityManager
entityManager) {
this.entityManager = entityManager;
}
}
6. CustomUserDetailsService.java
Service File
Right click
com.ray.springsecurity.service package-ànew-àjavaclassàClass name àGive name CustomUserDetailsServiceàClick Finish
CustomUserDetailsService.java CODE:
package
com.ray.springsecurity.service;
import
java.util.ArrayList;
import
java.util.HashSet;
import
java.util.List;
import
java.util.Set;
import
org.springframework.beans.factory.annotation.Autowired;
import
org.springframework.security.core.GrantedAuthority;
import
org.springframework.security.core.authority.SimpleGrantedAuthority;
import
org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import
org.springframework.security.core.userdetails.UserDetailsService;
import
org.springframework.security.core.userdetails.UsernameNotFoundException;
import
org.springframework.stereotype.Service;
import
org.springframework.transaction.annotation.Transactional;
import
com.ray.springsecurity.dao.UserDao;
import
com.ray.springsecurity.pojos.model.UserRole;
@Service("CustomUserDetailsService")
public class
CustomUserDetailsService implements UserDetailsService {
@Autowired
UserDao userdao;
@Transactional(readOnly=true)
@Override
public UserDetails
loadUserByUsername(final String username) throws UsernameNotFoundException {
System.out.println("username
is:-" + username);
com.ray.springsecurity.pojos.model.User
user = userdao.findByUserName(username);
if (user==null){throw new
UsernameNotFoundException("No such user: " + username);
}else
if(user.getUserRole().isEmpty()){
throw new
UsernameNotFoundException("User" + username + "has no
authorities");
}
List<GrantedAuthority>
authorities = buildUserAuthority(user.getUserRole());
return
buildUserForAuthentication(user, authorities);
}
// Converts com.ray.springsecurity.pojos.model.User
user to
//
org.springframework.security.core.userdetails.User
private User
buildUserForAuthentication(com.ray.springsecurity.pojos.model.User user,
List<GrantedAuthority> authorities) {
return new
User(user.getUsername(), user.getPassword(), user.isEnabled(), true, true,
true, authorities);
}
private List<GrantedAuthority>
buildUserAuthority(Set<UserRole> userRoles) {
Set<GrantedAuthority> setAuths
= new HashSet<GrantedAuthority>();
// Build user's
authorities
for (UserRole userRole :
userRoles) {
setAuths.add(new
SimpleGrantedAuthority(userRole.getRole()));
}
List<GrantedAuthority>
Result = new ArrayList<GrantedAuthority>(setAuths);
return Result;
}
}
7.LoginAction.java Class File
Right click
com.ray.struts.actions package-ànew-àjavaclassàClass name àGive name LoginActionàClick Finish
LoginAction.java
CODE:
package
com.ray.struts.actions;
import
com.opensymphony.xwork2.ActionSupport;
import
java.util.Collection;
import
java.util.Iterator;
import
org.springframework.security.authentication.AnonymousAuthenticationToken;
import
org.springframework.security.core.Authentication;
import
org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import
org.springframework.security.core.userdetails.UserDetails;
/**
*
* @author Raichand
*/
class
MyAction extends ActionSupport{
public
static String ADMIN_SUCCESS = "admin_success";
public
static String USER_SUCCESS = "user_success";
}
public class
LoginAction extends ActionSupport{
private String username;
private String password;
private String Role;
@Override
public String execute() throws Exception {
Authentication auth =
SecurityContextHolder.getContext().getAuthentication();
if(!(auth
instanceof AnonymousAuthenticationToken)){
System.out.println(
SecurityContextHolder.getContext().getAuthentication().getPrincipal());
UserDetails
userDetails = (UserDetails)
SecurityContextHolder.getContext().getAuthentication().getPrincipal();
System.out.println("username:
" + userDetails.getUsername());
System.out.println("password:
" + userDetails.getPassword());
Collection<SimpleGrantedAuthority>
authorities = (Collection<SimpleGrantedAuthority>)
userDetails.getAuthorities();
for (Iterator it =
authorities.iterator(); it.hasNext();) {
SimpleGrantedAuthority authority =
(SimpleGrantedAuthority) it.next();
System.out.println("Role:
" + authority.getAuthority());
Role = authority.getAuthority();
}
}
if
(Role.equals("ROLE_ADMIN"))
{
return
MyAction.ADMIN_SUCCESS;
}
else if(Role.equals("ROLE_USER"))
{
return MyAction.USER_SUCCESS;
}
else
return ERROR;
}
public
String getRole() {
return Role;
}
public void
setRole(String Role) {
this.Role =
Role;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public void setPassword(String password) {
this.password = password;
}
public String getPassword() {
return password;
}
}
8. redirect.jsp File
<%@ page
language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE
html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<META
HTTP-EQUIV="Refresh" CONTENT="0;URL=login">
9.
login.jsp File
login.jsp code:
<%@page
contentType="text/html" pageEncoding="UTF-8"%>
<%@taglib
prefix="s" uri="/struts-tags" %>
<!DOCTYPE
html>
<html>
<body>
<h1>Struts2 - Spring Security
Demo</h1>
<s:if test="%{#parameters.error
!= null}">
<div style="color:
red">Invalid username or password!Please try again.</div>
</s:if>
<s:if
test="%{#parameters.logout != null}">
<div style="color:
green">You have been logged out successfully</div>
</s:if>
<s:form name="loginForm"
action="j_spring_security_check" method="post">
<s:textfield
name="username" label="Username" value=""
requiredLabel="UserName Required"/>
<s:password
name="password" label="Password"
requiredLabel="Password Required"/>
<s:checkbox label="Remember Me"
fieldValue="true" id="remember-me"
name="remember-me" />
<table
>
<tr >
<td colspan="2">
<s:submit
value="Login" align="right" theme="simple"
/><s:reset value="Reset" align="right" theme="simple" />
</td>
</tr>
</table>
<s:hidden
name="_csrf.parameterName" value="_csrf.token"/>
</s:form>
</body>
</html>
10. admin.jsp code:
<%@page contentType="text/html"
pageEncoding="UTF-8"%>
<%@page
session="true"%>
<!DOCTYPE
html>
<html>
<head>
<meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<title>Admin Profile
Page</title>
</head>
<body>
<h1>Hello Admin
${pageContext.request.userPrincipal.name}</h1>
<a
href="logout">Logout</a>
</body>
</html>
11.userprofile.jsp Code
<%@page
contentType="text/html" pageEncoding="UTF-8"%>
<%@page
session="true"%>
<!DOCTYPE
html>
<html>
<head>
<meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<title>User Profile
Page</title>
</head>
<body>
<h1>Hello User
${pageContext.request.userPrincipal.name}</h1>
<a
href="logout">Logout</a>
</body>
</html>
12. web.xml (Automatically
generated and modified later)
CODE:
<?xml
version="1.0" encoding="UTF-8"?>
<web-app
version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<listener
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-database.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>View/UnSecured/redirect.jsp</welcome-file>
</welcome-file-list>
</web-app>
13.spring-security.xml
CODE:
<?xml
version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http
auto-config="true" use-expressions="true"
request-matcher="regex" disable-url-rewriting="false">
<!-- Page level Spring
Security -->
<intercept-url
pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url
pattern="/View/UnSecured/*" access="permitAll" />
<intercept-url
pattern="/View/UnSecured/login" access="permitAll"/>
<intercept-url
pattern="/View/Secured/Admin/*"
access="hasRole('ROLE_ADMIN')"/>
<intercept-url
pattern="/View/Secured/User/*"
access="hasRole('ROLE_USER')"/>
<form-login
login-page="/login"
login-processing-url
="/j_spring_security_check"
username-parameter="username"
password-parameter="password"
default-target-url="/Applogin"
authentication-failure-url="/login?error"/>
<csrf
disabled="true"/>
<logout
invalidate-session="true"
logout-url
="/logout" logout-success-url="/login?logout"
delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE"/>
<logout logout-url
="/logout"/>
<logout
logout-success-url="/login?logout" />
<!--<remember-me key="springRocks"
services-ref="rememberMeServices" />-->
<remember-me key="springRocks"
services-ref="rememberMeServices"/>
</http>
<beans:bean
id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property
name="userDetailsService"
ref="customUserDetailsService"/>
</beans:bean>
<beans:bean
id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:constructor-arg>
<beans:list>
<beans:ref
bean="daoAuthenticationProvider"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<!-- Authentication-manager Bean
-->
<!--
Set customUserDetailsService class as the authentication Manager for Spring
Security-->
<authentication-manager id="authenticationManager"
erase-credentials="false">
<authentication-provider
user-service-ref="customUserDetailsService">
<password-encoder
hash="plaintext"></password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id
="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name
="authenticationManager" ref="authenticationManager"/>
<beans:property name="filterProcessesUrl"
value="/login"/>
<beans:property
name="usernameParameter" value="username"/>
<beans:property
name="passwordParameter" value="password"/>
</beans:bean>
<!-- Bean remember me -->
<beans:bean
id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<beans:constructor-arg value
="springRocks"/>
<beans:constructor-arg ref
="customUserDetailsService"/>
<beans:property name="cookieName"
value ="remember-me"/>
<beans:property
name="parameter" value="remember-me-param" />
<beans:property
name="tokenValiditySeconds" value="1209600" />
<beans:property
name="alwaysRemember" value="true" />
</beans:bean>
<beans:bean
id="rememberMeAuthenticationProvider"
class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<beans:constructor-arg
value ="springRocks"/>
</beans:bean>
<beans:bean
id="rememberMeFilter"
class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<beans:constructor-arg
ref="rememberMeServices" />
<beans:constructor-arg
ref="authenticationManager" />
</beans:bean>
</beans:beans>
14. spring-database.xml
CODE:
<?xml
version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Package needed to be scanned for
annotation -->
<context:component-scan
base-package="com.ray" />
<!-- User DAO Declaration -->
<bean id="userdao"
class="com.ray.springsecurity.dao.UserDaoImpl"></bean>
<!-- Data Source Declaration
-->
<bean id="DataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property
name="driverClassName" value="com.mysql.jdbc.Driver" />
<property
name="url"
value="jdbc:mysql://localhost:3306/springsecurity" />
<property
name="username" value="root" />
<property
name="password" value="" />
</bean>
<bean
class="com.ray.springsecurity.service.CustomUserDetailsService"
id="customUserDetailsService"></bean>
<!-- EntityManagerFactory -->
<!-- This produces a container-managed
EntityManagerFactory;
rather than application-managed
EntityManagerFactory as in case of LocalEntityManagerFactoryBean-->
<bean id="entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource"
ref="DataSource" />
<!-- This makes
/META-INF/persistence.xml is no longer necessary -->
<property name="packagesToScan"
value="com.ray.springsecurity.pojos.model" />
<!-- JpaVendorAdapter implementation
for Hibernate EntityManager.
Exposes Hibernate's persistence
provider and EntityManager extension interface -->
<property name="jpaVendorAdapter">
<bean
class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
/>
</property>
<property
name="jpaProperties">
<props>
<prop
key="hibernate.hbm2ddl.auto">validate</prop>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
</props>
</property>
</bean>
<!-- This transaction manager is
appropriate for applications that use a single JPA EntityManagerFactory for
transactional data access.
JTA (usually through
JtaTransactionManager) is necessary for accessing multiple transactional
resources within the same transaction. -->
<bean id="transactionManager"
class="org.springframework.orm.jpa.JpaTransactionManager">
<property name="entityManagerFactory"
ref="entityManagerFactory" />
</bean>
<!-- responsible for registering the
necessary Spring components that power annotation-driven transaction
management;
such as when @Transactional methods are
invoked -->
<tx:annotation-driven />
</beans>
15.struts.xml
<!DOCTYPE
struts PUBLIC
"-//Apache
Software Foundation//DTD Struts Configuration 2.0//EN"
"http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
<package name="default"
extends="struts-default" >
<action name="Applogin"
class="com.ray.struts.actions.LoginAction"
method="execute">
<result
name="admin_success">/View/Secured/Admin/admin.jsp</result>
<result
name="user_success">/View/Secured/User/userprofile.jsp</result>
<result
name="error">/View/UnSecured/403.jsp</result>
</action>
<action
name="login">
<result>/View/UnSecured/login.jsp</result>
</action>
<action
name="loginfailed">
<result>/View/UnSecured/login.jsp?error=true</result>
</action>
<action name="/logout">
<result>/View/UnSecured/login.jsp</result>
</action>
</package>
</struts>
Login.jsp page
When logged with wrong username or
password below page is displayed.
User alex is logging in
userprofile.jsp
is displayed after user alex has logged in
User
alex has Logged out
Admin
raichand70 is logging in
Admin
raichand70 has successfully logged in so admin.jsp is displayed.
Admin raichand70 has successfully
logged out.
Hi,
ReplyDeleteFor Struts,Hibernate CRUD look at blogpost at URL
http://www.c-sharpcorner.com/article/java-struts2-and-hibernate4-curd-with-mysql-with-pagination-sorting-and-export/
Thank you
Raichand