Scaffolding Spring Security

This tutorial walks you through adding Spring Security to an existing web application. In this tutorial, you will learn how to:

  • Scaffold Spring security
  • Deploy the application

Scaffolding Spring requires a MyEclipse Spring or Bling subscription.

1. Scaffold Spring Security

  1. Create a scaffolded CustomersApp project.
  2. Right-click CustomersApp, and select MyEclipse>Scaffold Spring Security.

    Scaffolding Spring security
  3. Click Next on the Introduction page.

    Introduction page
  4. Select the In Memory security type for bootstrapping, and click Next.

    While it’s uncommon to use the  in-memory security realm in production applications, it’s a great security  realm to use during development because it doesn’t require integration  with an LDAP system or database system. The in-memory security realm is  the quickest way to introduce authentication and authorization, and it can  be replaced with a more robust security realm at a later time (i.e., during  testing or for production).

    Selecting the security type
  5. Accept the selected Spring services and DAOs, and click Next.

    Spring services (@Service) and DAOs (@Repository) discovered in the project are listed. By default all discovered Spring services and DAOs are secured upon completion of the wizard, but you have the option of deselecting the items that don’t need to be secured and/or changing the access attribute for the service.

    Selecting secure services
  6. Accept the default secured URLs, and click Next. You can add and remove URL patterns as needed by using Add and Remove.

    Specifying secure URLs
  7. Accept the default security views, and click Next.

    Configured views
  8. Accept the default locations for generated files (source code, configuration files, JSP, etc…), and click Next. By default, the Spring context files are generated to the /resources folder, and the JSP pages are generated to the /webRoot folder.

    Selecting target folders
  9. Click Finish on the summary page.

    Summary page
Note: If you want to use the Spring DSL, then you need enable the project for Spring DSL support prior to scaffolding. See Enable Spring DSL for more information.

2. Review scaffolding

If you expand the project, you see that several JSP pages were generated into the WebRoot folder. The JSP pages contain custom login and log out implementations that can be customized or rebranded. The applicationContext.xml includes the list of secured services and URLs.

Generated scaffolding

3. Deploy the App

  1. Right-click CustomersApp, and select Run As>MyEclipse Server Application. Select the MyEclipse Tomcat server.

    Deploying the application

    The dashboard page has a Login button to proactively login into the application. However, the application has been configured to automatically direct users to the login when they access a secured resource.
  2. Click View Customers to see what happens when a secured resource is accessed.

  3.  Log in in using admin for the user and admin for the password. 

    Since the View Customers page uses a Spring service and DAO that is secured, the user is directed to the Login page. While Spring Security has a default Login page, the application is using a custom Login page generated by the scaffolding wizard to match the look-and-feel of the scaffolded application.

    Login page

Because you are using the in-memory security realm, the user accounts (including username and password) are configured in the security context file (CustomersApp-security-context.xml). You change accounts and their associated roles by editing the context file.

After a successful login, the user is redirected to the original page (protected resource) they tried to access. Notice the header shows a welcome message with the user ID and a Logout button.

Customer app