Spring Security

The Spring Security Namespace configuration is made up of the following two namespaces:

  • Web Application Security namespace (<http>) – defines protected URLs
  • Authentication Services namespace – defines beans that will be used to authenticate users

Web Application Security (<http>)
After setting up web.xml, we use the <http> element to secure resources, for example:

  <http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
  </http>

Authentication Services
Next we need a <authentication-manager> and one or more nested <authentication-provider>. A basic example is:

  <authentication-manager>
    <authentication-provider>
      <jdbc-user-service data-source-ref="securityDataSource"/>
    </authentication-provider>
  </authentication-manager>

An AuthenticationProvider is an interface with one method: authenticate(). By default <authentication-provider> creates a DaoAuthenticationProvider (a bean that retrieves its user details from a UserDetailsService object). UserDetailsService is an interface, and an implementation can be created with <jdbc-user-service>, which requires a data-source-ref pointing to a database that contains the Spring Security user data tables.

Database Schema

  users
    username (PK)

  authorities
    fk_authorities_users (FK to users.username)

We can use <jdbc-user-service> if we want to load user details from database tables that follow the Spring convention, or a JdbcDaoImpl if we want to customize our tables.

Another useful setup is the following InMemoryDaoImpl configuration:

    <user-service>
      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
    </user-service>

Password Encryption
Passwords should not be stored in plain text; a BCryptPasswordEncoder implementation is provided and is wired into the <authentication-provider> like this:

    <password-encoder ref="bcryptEncoder"/>
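The fragments above (<http>, <authentication-manager> with <jdbc-user-service>, and the BCrypt <password-encoder>) only make sense once they sit in one security context, so here is a complete one as an added example; it is not from the original post. The bcryptEncoder bean is the one referenced above; the securityDataSource bean, its DriverManagerDataSource class, the H2 driver and the connection properties are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a complete Spring Security namespace context that ties together
     the <http>, <authentication-manager>, <jdbc-user-service> and <password-encoder>
     fragments. The data source below is an assumption (placeholder values). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Web Application Security: every URL requires ROLE_USER. auto-config adds
         form login, HTTP Basic and logout handling. -->
    <http auto-config="true">
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>

    <!-- Authentication Services: a DaoAuthenticationProvider backed by the JDBC
         UserDetailsService; submitted passwords are checked against stored BCrypt hashes. -->
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="securityDataSource" />
            <password-encoder ref="bcryptEncoder" />
        </authentication-provider>
    </authentication-manager>

    <!-- The encoder bean referenced by <password-encoder ref="bcryptEncoder"/>. -->
    <beans:bean id="bcryptEncoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <!-- Assumed data source: points at the database holding the users/authorities tables.
         Driver class, URL and credentials are placeholders for this example. -->
    <beans:bean id="securityDataSource"
                class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="org.h2.Driver" />
        <beans:property name="url" value="jdbc:h2:mem:securitydb" />
        <beans:property name="username" value="sa" />
        <beans:property name="password" value="" />
    </beans:bean>

</beans:beans>
```

Two things to check when using this: a BCrypt hash is 60 characters, so the password column of the users table must be wide enough to hold it (the older default schema used a 50-character column), and from Spring Security 4 the <http> element uses expressions by default, so access="ROLE_USER" must become access="hasRole('USER')" or the element must set use-expressions="false".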

UML Diagram
I created the following UML diagram to help me understand the relationships between the Spring Security classes: https://drive.google.com/file/d/0B1BmcF3igxYSM2RoQjJOVWRYVWc/edit?usp=sharing


Posted in Spring, Spring Security
