Scaffolding Spring Security
This tutorial walks you through adding Spring Security to an existing web application. Scaffolding Spring security requires a MyEclipse Spring or Bling subscription. In this tutorial, you will learn how to:
- Scaffold Spring security
- Deploy the application
Duration Time: 20 Minutes
Don't have MyEclipse? Download Now
- Create a scaffolded CustomersApp project.
- Right-click CustomersApp, and select MyEclipse>Scaffold Spring Security.
- Click Next on the Introduction page.
- Select the In Memory security type for bootstrapping, and click Next.
While it's uncommon to use the in-memory security realm in production applications, it's a great security realm to use during development because it doesn't require integration with an LDAP system or database system. The in-memory security realm is the quickest way to introduce authentication and authorization, and it can be replaced with a more robust security realm at a later time (i.e., during testing or for production).
- Accept the selected Spring services and DAOs, and click Next.
Spring services (@Service) and DAOs (@Repository) discovered in the project are listed. By default all discovered Spring services and DAOs are secured upon completion of the wizard, but you have the option of deselecting the items that don't need to be secured and/or changing the access attribute for the service.
- Accept the default secured URLs, and click Next. You can add and remove URL patterns as needed by using Add and Remove.
- Accept the default security views, and click Next.
- Accept the default locations for generated files (source code, configuration files, JSP, etc...), and click Next. By default, the Spring context files are generated to the /resources folder, and the JSP pages are generated to the /webRoot folder.
- Click Finish on the summary page.
Note: If you want to use the Spring DSL, then you need enable the project for Spring DSL support prior to scaffolding. See Enable Spring DSL for more information.
If you expand the project, you see that several JSP pages were generated into the WebRoot folder. The JSP pages contain custom login and log out implementations that can be customized or rebranded. The applicationContext.xml includes the list of secured services and URLs.
- Right-click CustomersApp, and select Run As>MyEclipse Server Application. Select the MyEclipse Tomcat server.
The dashboard page has a Login button to proactively login into the application. However, the application has been configured to automatically direct users to the login when they access a secured resource.
- Click View Customers to see what happens when a secured resource is accessed.
- Log in in using admin for the user and admin for the password.
Since the View Customers page uses a Spring service and DAO that is secured, the user is directed to the Login page. While Spring Security has a default Login page, the application is using a custom Login page generated by the scaffolding wizard to match the look-and-feel of the scaffolded application.
Because you are using the in-memory security realm, the user accounts (including username and password) are configured in the security context file (CustomersApp-security-context.xml). You change accounts and their associated roles by editing the context file.
After a successful login, the user is redirected to the original page (protected resource) they tried to access. Notice the header shows a welcome message with the user ID and a Logout button.