Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add Spring Boot Hello World guide 

Add Spring Boot Hello World Guide

Fixes gh-3866
This commit is contained in:
Joe Grandja 2016-05-13 15:05:29 -04:00 committed by Rob Winch
parent c261975be0
commit 66980e827c
25 changed files with 708 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/docs.gradle
View File

@ -18,6 +18,8 @@ project('manual') {
asciidoctor {
backends = ['docbook5']
def ghTag = snapshotBuild ? 'master' : project.version
def ghUrl = "https://github.com/spring-projects/spring-security/tree/$ghTag"
options = [
eruby: 'erubis',
attributes: [
@ -33,6 +35,8 @@ project('manual') {
'spring-security-version' : project.version,
'spring-version' : springVersion,
revnumber : project.version,
'gh-url': ghUrl,
'gh-samples-url': "$ghUrl/samples",
docinfo : ""
]
]

21
docs/guides/src/docs/asciidoc/_hello-includes/exploring-the-secured-application-boot.asc Normal file
View File

@ -0,0 +1,21 @@
=== Exploring the secured application
Start the application as we did in <<running-the-{starter-appname}-application>>
Navigate to http://localhost:8080/ and click on the *_secured pages_* link and you will be prompted to login.
==== Authenticating to the secured application
Try entering an invalid username and password:
* *Username* _invalid_
* *Password* _invalid_
You should see an error message stating that authentication failed. Now try entering a valid username and password:
* *Username* _user_
* *Password* _password_
You should now see the page that we wanted to secure.
NOTE: The reason we can successfully authenticate with *Username* _user_ and *Password* _password_ is because that is what we configured in our <<security-config-java,SecurityConfig>>.

118
docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-boot.asc Normal file
View File

@ -0,0 +1,118 @@
== Securing the application
Before securing the application, it is important to ensure that the existing application works as we did in <<running-the-{starter-appname}-application>>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to our application.
=== Updating your dependencies
include::../{include-maven-repository}[]
In order to use Spring Security you must add the necessary dependencies. For the sample we will add the following Spring Security dependencies:
.pom.xml
[source,xml]
[subs="verbatim,attributes"]
----
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>{spring-security-version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>{spring-security-version}</version>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId> <1>
<version>2.1.2.RELEASE</version>
</dependency>
</dependencies>
----
<1> We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine
and need to add an additional dependency for the https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration module].
After you have completed this, you need to ensure that STS knows about the updated dependencies by:
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
* Select *Maven->Update project...*
* Ensure the project is selected, and click *OK*
=== Creating your Spring Security configuration
The next step is to create a Spring Security configuration.
* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project in the Package Explorer view
* Select *New->Class*
* Enter _org.springframework.security.samples.config_ for the *Package*
* Enter _SecurityConfig_ for the *Name*
* Click *Finish*
* Replace the file with the following contents:
[[security-config-java]]
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
[source,java]
----
package org.springframework.security.samples.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/index").permitAll() <1>
.antMatchers("/user/**").hasRole("USER") <2>
.and()
.formLogin()
.loginPage("/login").failureUrl("/login-error"); <3>
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
----
<1> requests matched against _/css/**_ and _/index_ are fully accessible
<2> requests matched against _/user/**_ require a user to be authenticated and must be associated to the _USER_ role
<3> form-based authentication is enabled with a custom login page and failure url
NOTE: The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either `@EnableWebSecurity`, `@EnableGlobalMethodSecurity`, or `@EnableGlobalAuthentication`. Doing otherwise has unpredictable results.
[[servlet-api-integration]]
The <<security-config-java,SecurityConfig>> will:
* Require authentication to requests matched against _/user/**_
* Specifies the URL to send users to for form-based login
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
* Allow the user to logout
* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
* Security Header integration
** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
** Cache Control (can be overridden later by your application to allow caching of your static resources)
** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
* Integrate with the following Servlet API methods
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]

41
docs/guides/src/docs/asciidoc/_includes/setting-up-the-sample-boot.asc Normal file
View File

@ -0,0 +1,41 @@
////
Variables:
starter-appname: the name of the module users should start with to complete the exercise
starter-config-type: the type of configuration the starter sample uses: javaconfig, xml, boot
completed-appname: the name of the module that contains the completed application
completed-config-type: the type of configuration the completed sample uses: javaconfig, xml, boot
download-url: the URL to download the Spring Security distribution
////
== Setting up the sample
This section outlines how to setup a workspace within https://spring.io/tools/sts[Spring Tool Suite (STS)] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
=== Obtaining the sample project
Extract the {download-url}[Spring Security Distribution] to a known location and remember it as _SPRING_SECURITY_HOME_.
=== Import the {starter-appname} sample application
In order to follow along, we encourage you to import the {starter-appname} sample application into your IDE. You may use any IDE you prefer, but the instructions in this guide will assume you are using Spring Tool Suite (STS).
TIP: The completed sample application can be found at _SPRING_SECURITY_HOME_/samples/{completed-config-type}/{completed-appname}
* If you do not have STS installed, download STS from https://spring.io/tools
* Start STS and import the sample application into STS using the following steps:
** *File->Import*
** *Existing Maven Projects*
** Click *Next >*
** Click *Browse...*
** Navigate to the samples (i.e. _SPRING_SECURITY_HOME_/samples/{starter-config-type}/{starter-appname}) and click *OK*
** Click *Finish*
=== Running the {starter-appname} application
In the following exercise we will be modifying the _spring-security-samples-{starter-config-type}-{starter-appname}_ application. Before we make any changes, it is best to verify that the sample works properly. Perform the following steps to ensure that _spring-security-samples-{starter-config-type}-{starter-appname}_ works.
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
* Select *Run As->Spring Boot App*

10
docs/guides/src/docs/asciidoc/form.asc → docs/guides/src/docs/asciidoc/form-javaconfig.asc
View File

@ -1,10 +1,12 @@
= Creating a Custom Login Form
:author: Rob Winch
:starter-appname: javaconfig/hellomvc
:completed-appname: javaconfig/form
:starter-appname: hellomvc
:starter-config-type: javaconfig
:completed-appname: form
:completed-config-type: javaconfig
:include-dir: _includes
This guide builds off of link:hellomvc.html[Hello Spring MVC Security Java Config] to explain how to configure and use a custom login form with Spring Security Java Configuration.
This guide builds off of link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config] to explain how to configure and use a custom login form with Spring Security Java Configuration.
include::{include-dir}/setting-up-the-sample.asc[]
@ -17,7 +19,7 @@ Verify the application is working:
= Overriding the default configure(HttpSecurity) method
As we saw in link:hellomvc.html[Hello Spring MVC Security Java Config], Spring Security's `WebSecurityConfigurerAdapter` provides some convenient defaults to get our application
As we saw in link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config], Spring Security's `WebSecurityConfigurerAdapter` provides some convenient defaults to get our application
up and running quickly. However, our login form does not look like the rest of our application. Let's see how we can update our configuration to use a custom form.
== Default configure(HttpSecurity)

14
docs/guides/src/docs/asciidoc/hellomvc.asc → docs/guides/src/docs/asciidoc/hellomvc-javaconfig.asc
View File

@ -1,7 +1,9 @@
= Hello Spring MVC Security Java Config
:author: Rob Winch
:starter-appname: insecuremvc
:completed-appname: javaconfig/hellomvc
:starter-config-type: xml
:completed-appname: hellomvc
:completed-config-type: javaconfig
:include-dir: _includes
:hello-include-dir: _hello-includes
@ -16,13 +18,13 @@ Verify the application is working:
* Now click on the Inbox link and see the message listed. You can click on the summary link to see the details displayed again.
include::{hello-include-dir}/secure-the-application.asc[]
include::{hello-include-dir}/secure-the-application-javaconfig.asc[]
=== Registering Spring Security with the war
We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:
* Right click the _spring-security-samples-{starter-appname}_ project the Package Explorer view
* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project the Package Explorer view
* Select *New->Class*
* Enter _org.springframework.security.samples.config_ for the *Package*
* Enter MessageSecurityWebApplicationInitializer for the *Name*
@ -79,7 +81,7 @@ The `@ComponentScan` is loading all configuration within the same package (and c
NOTE: Had <<security-config-java,SecurityConfig>> not been loaded, we could have used an `@Import(SecurityConfig.class)` above the class definition of <<root-configuration-java,RootConfiguration>> or added <<security-config-java,SecurityConfig>> as one of the results for `getRootConfigClasses()`.
include::{hello-include-dir}/exploring-the-secured-application.asc[]
include::{hello-include-dir}/exploring-the-secured-application-javaconfig.asc[]
==== Displaying the user name
@ -116,10 +118,10 @@ In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request
* the HTTP method must be a POST
* the CSRF token must be added to the request. Since we have used `@EnableWebSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it).
NOTE: If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf. You can find an example of including the CSRF token in a JSP within the link:helloworld.html[Hello Spring Security Java Config].
NOTE: If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf. You can find an example of including the CSRF token in a JSP within the link:helloworld-javaconfig.html[Hello Spring Security Java Config].
Restart the application server and click the Log out button and see that the application logs you out successfully.
== Conclusion
You should now know how to secure your application using Spring Security without using any XML. Next, we will see how to link:form.html[customize our login form].
You should now know how to secure your application using Spring Security without using any XML. Next, we will see how to link:form-javaconfig.html[customize our login form].

97
docs/guides/src/docs/asciidoc/helloworld-boot.asc Normal file
View File

@ -0,0 +1,97 @@
= Hello Spring Security with Boot
:author: Joe Grandja
:starter-appname: insecure
:starter-config-type: boot
:completed-appname: helloworld
:completed-config-type: boot
:include-dir: _includes
:hello-include-dir: _hello-includes
This guide provides instructions on how to add Spring Security to an existing Spring Boot application.
include::{include-dir}/setting-up-the-sample-boot.asc[]
Verify the application is working by navigating to http://localhost:8080/
Click on the *_secured pages_* link and verify the page states *TODO Secure this*
Once you have verified the application runs, stop the application server using the following steps:
* In the _Boot Dashboard_ view select the running application
* Click the stop button (a red square) to stop the application
include::{hello-include-dir}/secure-the-application-boot.asc[]
include::{hello-include-dir}/exploring-the-secured-application-boot.asc[]
==== Displaying the user name
Now that we have authenticated, let's update the application to display the username. Update the complete content of */index.html* with the following:
.src/main/resources/templates/index.html
[source,html]
----
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
<title>Hello Spring Security</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
</head>
<body>
<div th:fragment="logout" class="logout" sec:authorize="isAuthenticated()"> <1>
Logged in user: <span sec:authentication="name"></span> | <2>
Roles: <span sec:authentication="principal.authorities"></span> <3>
<div>
<form action="#" th:action="@{/logout}" method="post"> <4>
<input type="submit" value="Logout" />
</form>
</div>
</div>
<h1>Hello Spring Security</h1>
<p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
<ul>
<li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
</ul>
</body>
</html>
----
NOTE: We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine and
https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration modules]
in order to utilize the _sec:authentication_ and _sec:authorize_ attributes.
<1> Displays the Thymeleaf fragment (DOM Node) if the current user has been authenticated.
<2> Displays the name of the currently authenticated principal.
<3> Displays the authorities of the currently authenticated principal.
<4> The logout form.
TIP: Thymeleaf will automatically add the CSRF token to our logout form. If we were not using Thymleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
==== Update the _secured_ page
The last step is to update the _secured_ page to also display the currently authenticated principal. Update the complete content of */user/index.html* with the following:
.src/main/resources/templates/user/index.html
[source,html]
----
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Hello Spring Security</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
</head>
<body>
<div th:substituteby="index::logout"></div>
<h1>This is a secured page!</h1>
<p><a href="/index" th:href="@{/index}">Back to home page</a></p>
</body>
</html>
----
Start up the server and try visiting http://localhost:8080/ to see the updates to our application.
== Conclusion
You should now know how to secure your application using Spring Security with an existing Spring Boot application . To learn more refer to the link:index.html[Spring Security Guides index page].

7
docs/guides/src/docs/asciidoc/index.asc
View File

@ -1,5 +1,5 @@
= Spring Security Guides
Rob Winch
Rob Winch, Joe Grandja
These are step by step guides on how to use Spring Security.
@ -8,9 +8,10 @@ These are step by step guides on how to use Spring Security.
These are the most basic starting points for using a web based application.
* link:helloworld-javaconfig.html[Hello Spring Security Java Config] - demonstrates how to integrate Spring Security with an existing application using Java-based configuration
* link:helloworld-boot.html[Hello Spring Security with Boot] - demonstrates how to integrate Spring Security with an existing Spring Boot application
* link:helloworld-xml.html[Hello Spring Security Xml Config] - demonstrates how to integrate Spring Security with an existing application using Xml-based configuration
* link:hellomvc.html[Hello Spring MVC Security Java Config] - demonstrates how to integrate Spring Security with an existing Spring MVC application
* link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config] - demonstrates how to integrate Spring Security with an existing Spring MVC application
== Simple Customization
* link:form.html[Creating a custom login form] - demonstrates how to create a custom login form
* link:form-javaconfig.html[Creating a custom login form] - demonstrates how to create a custom login form

31
docs/manual/src/docs/asciidoc/index.adoc
View File

@ -409,6 +409,37 @@ Here is the list of improvements:
* Re-organization of sample projects
* Moved to GitHub issues
[[samples]]
== Samples and Guides (Start Here)
If you are looking to get started with Spring Security, the best place to start is our Sample Applications.
.Sample Applications
|===
| Source | Description | Guide
| {gh-samples-url}/javaconfig/helloworld[Hello Spring Security]
| Demonstrates how to integrate Spring Security with an existing application using Java-based configuration.
| link:../../guides/html5/helloworld-javaconfig.html[Hello Spring Security Guide]
| {gh-samples-url}/boot/helloworld[Hello Spring Security Boot]
| Demonstrates how to integrate Spring Security with an existing Spring Boot application.
| link:../../guides/html5/helloworld-boot.html[Hello Spring Security Boot Guide]
| {gh-samples-url}/xml/helloworld[Hello Spring Security XML]
| Demonstrates how to integrate Spring Security with an existing application using XML-based configuration.
| link:../../guides/html5/helloworld-xml.html[Hello Spring Security XML Guide]
| {gh-samples-url}/javaconfig/hellomvc[Hello Spring MVC Security]
| Demonstrates how to integrate Spring Security with an existing Spring MVC application.
| link:../../guides/html5/hellomvc-javaconfig.html[Hello Spring MVC Security Guide]
| {gh-samples-url}/javaconfig/form[Custom Login Form]
| Demonstrates how to create a custom login form.
| link:../../guides/html5/form-javaconfig.html[Custom Login Form Guide]
|===
[[jc]]
== Java Configuration

14
samples/boot/helloworld/pom.xml
View File

@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-boot-helloworld</artifactId>
<version>4.1.0.RELEASE</version>
<version>4.1.1.BUILD-SNAPSHOT</version>
<name>spring-security-samples-boot-helloworld</name>
<description>spring-security-samples-boot-helloworld</description>
<url>http://spring.io/spring-security</url>
@ -55,13 +55,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.0.RELEASE</version>
<version>4.1.1.BUILD-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.1.0.RELEASE</version>
<version>4.1.1.BUILD-SNAPSHOT</version>
<scope>compile</scope>
</dependency>
<dependency>
@ -115,7 +115,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>4.1.0.RELEASE</version>
<version>4.1.1.BUILD-SNAPSHOT</version>
<scope>test</scope>
</dependency>
<dependency>
@ -124,6 +124,12 @@
<scope>test</scope>
</dependency>
</dependencies>
<repositories>
<repository>
<id>spring-snapshot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<build>
<plugins>
<plugin>

8
samples/boot/helloworld/src/integration-test/java/org/springframework/security/samples/HelloWorldApplicationTests.java
View File

@ -76,7 +76,7 @@ public class HelloWorldApplicationTests {
@Test
public void loginUser() throws Exception {
this.mockMvc.perform(formLogin().user("user1").password("password1"))
this.mockMvc.perform(formLogin().user("user").password("password"))
.andExpect(authenticated());
}
@ -89,7 +89,7 @@ public class HelloWorldApplicationTests {
@Test
public void loginUserAccessProtected() throws Exception {
MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user1").password("password1"))
MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user").password("password"))
.andExpect(authenticated())
.andReturn();
@ -102,7 +102,7 @@ public class HelloWorldApplicationTests {
@Test
public void loginUserValidateLogout() throws Exception {
MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user1").password("password1"))
MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user").password("password"))
.andExpect(authenticated())
.andReturn();
@ -117,4 +117,4 @@ public class HelloWorldApplicationTests {
.andExpect(unauthenticated())
.andExpect(status().is3xxRedirection());
}
}
}

2
samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
View File

@ -44,7 +44,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user1").password("password1").roles("USER");
.withUser("user").password("password").roles("USER");
}
// @formatter:on
}

2
samples/boot/helloworld/src/main/resources/application.yml
View File

@ -9,4 +9,4 @@ logging:
spring:
thymeleaf:
cache: true
cache: false

5
samples/boot/helloworld/src/main/resources/templates/index.html
View File

@ -10,9 +10,8 @@
Logged in user: <span sec:authentication="name"></span> |
Roles: <span sec:authentication="principal.authorities"></span>
<div>
<form action="/logout" method="post">
<form action="#" th:action="@{/logout}" method="post">
<input type="submit" value="Logout" />
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
</form>
</div>
</div>
@ -22,4 +21,4 @@
<li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
</ul>
</body>
</html>
</html>

2
samples/boot/helloworld/src/main/resources/templates/login.html
View File

@ -7,7 +7,7 @@
</head>
<body>
<h1>Login page</h1>
<p>Example user: user1 / password1</p>
<p>Example user: user / password</p>
<p th:if="${loginError}" class="error">Wrong user or password</p>
<form th:action="@{/login}" method="post">
<label for="username">Username</label>:

12
samples/boot/insecure/build.gradle Normal file
View File

@ -0,0 +1,12 @@
apply from: BOOT_SAMPLE_GRADLE
springBoot {
mainClass = 'org.springframework.security.samples.InsecureApplication'
}
dependencies {
compile "org.springframework.boot:spring-boot-starter-web:1.3.3.RELEASE",
"org.springframework.boot:spring-boot-starter-thymeleaf:1.3.3.RELEASE"
testCompile "org.springframework.boot:spring-boot-starter-test:1.3.3.RELEASE"
}

123
samples/boot/insecure/pom.xml Normal file
View File

@ -0,0 +1,123 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-boot-insecure</artifactId>
<version>4.1.1.BUILD-SNAPSHOT</version>
<name>spring-security-samples-boot-insecure</name>
<description>spring-security-samples-boot-insecure</description>
<url>http://spring.io/spring-security</url>
<organization>
<name>spring.io</name>
<url>http://spring.io/</url>
</organization>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
<distribution>repo</distribution>
</license>
</licenses>
<developers>
<developer>
<id>rwinch</id>
<name>Rob Winch</name>
<email>rwinch@gopivotal.com</email>
</developer>
</developers>
<scm>
<connection>scm:git:git://github.com/spring-projects/spring-security</connection>
<developerConnection>scm:git:git://github.com/spring-projects/spring-security</developerConnection>
<url>https://github.com/spring-projects/spring-security</url>
</scm>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
<version>1.3.3.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>1.3.3.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.1.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
<version>2.2.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>1.10.19</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.7</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<version>1.3.3.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<repositories>
<repository>
<id>spring-snapshot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<build>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.7</source>
<target>1.7</target>
</configuration>
</plugin>
</plugins>
</build>
</project>

58
samples/boot/insecure/src/integration-test/java/org.springframework.security.samples/InsecureApplicationTests.java Normal file
View File

@ -0,0 +1,58 @@
/*
* Copyright 2012-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
*
* @author Joe Grandja
*/
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(InsecureApplication.class)
@WebAppConfiguration
public class InsecureApplicationTests {
@Autowired
private WebApplicationContext context;
private MockMvc mockMvc;
@Before
public void setup() {
mockMvc = MockMvcBuilders
.webAppContextSetup(context)
.build();
}
@Test
public void accessUnprotected() throws Exception {
this.mockMvc.perform(get("/index")).andExpect(status().isOk());
}
}

32
samples/boot/insecure/src/main/java/org/springframework/security/samples/InsecureApplication.java Normal file
View File

@ -0,0 +1,32 @@
/*
* Copyright 2012-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
/**
* @author Joe Grandja
*/
@SpringBootApplication
public class InsecureApplication {
public static void main(String[] args) {
SpringApplication.run(InsecureApplication.class, args);
}
}

61
samples/boot/insecure/src/main/java/org/springframework/security/samples/web/MainController.java Normal file
View File

@ -0,0 +1,61 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.samples.web;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
/**
* @author Joe Grandja
*/
@Controller
public class MainController {
@RequestMapping("/")
public String root() {
return "redirect:/index";
}
@RequestMapping("/index")
public String index() {
return "index";
}
@RequestMapping("/user/index")
public String userIndex() {
return "user/index";
}
@RequestMapping(value = "/login")
public String login() {
return "login";
}
@RequestMapping(value = "/login", method = RequestMethod.POST)
public String postLogin() {
// TODO Enable form login with Spring Security (trigger error for now)
return "redirect:/login-error";
}
@RequestMapping("/login-error")
public String loginError(Model model) {
model.addAttribute("loginError", true);
return "login";
}
}

11
samples/boot/insecure/src/main/resources/application.yml Normal file
View File

@ -0,0 +1,11 @@
server:
port: 8080
logging:
level:
root: WARN
org.springframework.web: INFO
spring:
thymeleaf:
cache: false

13
samples/boot/insecure/src/main/resources/static/css/main.css Normal file
View File

@ -0,0 +1,13 @@
body {
font-family: sans;
font-size: 1em;
}
p.error {
font-weight: bold;
color: red;
}
div.logout {
float: right;
}

15
samples/boot/insecure/src/main/resources/templates/index.html Normal file
View File

@ -0,0 +1,15 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Hello Spring Security</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
</head>
<body>
<h1>Hello Spring Security</h1>
<p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
<ul>
<li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
</ul>
</body>
</html>

21
samples/boot/insecure/src/main/resources/templates/login.html Normal file
View File

@ -0,0 +1,21 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Login page</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
</head>
<body>
<h1>Login page</h1>
<p>Example user: user / password</p>
<p th:if="${loginError}" class="error">Wrong user or password</p>
<form th:action="@{/login}" method="post">
<label for="username">Username</label>:
<input type="text" id="username" name="username" autofocus="autofocus" /> <br />
<label for="password">Password</label>:
<input type="password" id="password" name="password" /> <br />
<input type="submit" value="Log in" />
</form>
<p><a href="/index" th:href="@{/index}">Back to home page</a></p>
</body>
</html>

13
samples/boot/insecure/src/main/resources/templates/user/index.html Normal file
View File

@ -0,0 +1,13 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Hello Spring Security</title>
<meta charset="utf-8" />
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
</head>
<body>
<h1>TODO Secure this</h1>
<p>We would like to secure this page</p>
<p><a href="/index" th:href="@{/index}">Back to home page</a></p>
</body>
</html>