mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 17:22:13 +00:00
107 lines
4.8 KiB
Plaintext
107 lines
4.8 KiB
Plaintext
== Securing the application
|
|
|
|
Before securing your application, it is important to ensure that the existing application works as we did in <<running-the-{starter-appname}-application>>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to a Spring MVC application.
|
|
|
|
=== Updating your dependencies
|
|
|
|
You will need to ensure you have added the dependencies. Spring Security milestones and release candidates are available in the https://github.com/SpringSource/spring-framework/wiki/SpringSource-repository-FAQ[Spring Milestone Repository]. In short, if you are using Maven and using a milestone or release candidates ensure you have the following repository in your pom.xml:
|
|
|
|
.pom.xml
|
|
[source,xml]
|
|
----
|
|
<repositories>
|
|
<!-- ... possibly other repository elements ... -->
|
|
<repository>
|
|
<id>spring-libs-milestone</id>
|
|
<name>Spring Milestone Repository</name>
|
|
<url>http://repo.springsource.org/milestone</url>
|
|
</repository>
|
|
</repositories>
|
|
----
|
|
|
|
You will then need to include the Spring Security dependencies
|
|
|
|
.pom.xml
|
|
[source,xml]
|
|
[subs="verbatim,attributes"]
|
|
----
|
|
<dependencies>
|
|
<!-- ... other dependency elements ... -->
|
|
<dependency>
|
|
<groupId>org.springframework.security</groupId>
|
|
<artifactId>spring-security-web</artifactId>
|
|
<version>{spring-security-version}</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.springframework.security</groupId>
|
|
<artifactId>spring-security-config</artifactId>
|
|
<version>{spring-security-version}</version>
|
|
</dependency>
|
|
</dependencies>
|
|
----
|
|
|
|
After you have completed this, you need to ensure that STS knows about the updated dependencies by:
|
|
|
|
* Right click on the _spring-security-samples-{starter-appname}_ application
|
|
* Select *Maven->Update project...*
|
|
* Ensure the project is selected, and click *OK*
|
|
|
|
=== Creating your Spring Security configuration
|
|
|
|
The next step is to create a Spring Security configuration.
|
|
|
|
* Right click the _spring-security-samples-{starter-appname}_ project the Package Explorer view
|
|
* Select *New->Class*
|
|
* Enter _org.springframework.security.samples.config_ for the *Package*
|
|
* Enter _SecurityConfig_ for the *Name*
|
|
* Click *Finish*
|
|
* Replace the file with the following contents:
|
|
|
|
[[security-config-java]]
|
|
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
|
|
[source,java]
|
|
----
|
|
package org.springframework.security.samples.config;
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
import org.springframework.context.annotation.*;
|
|
import org.springframework.security.config.annotation.authentication.builders.*;
|
|
import org.springframework.security.config.annotation.web.configuration.*;
|
|
|
|
@Configuration
|
|
@EnableWebSecurity
|
|
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
|
@Autowired
|
|
public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
|
|
auth
|
|
.inMemoryAuthentication()
|
|
.withUser("user").password("password").roles("USER");
|
|
}
|
|
}
|
|
----
|
|
|
|
[[servlet-api-integration]]
|
|
The <<security-config-java,`SecurityConfig`>> will:
|
|
|
|
* Require authentication to every URL in your application
|
|
* Generate a login form for you
|
|
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
|
* Allow the user to logout
|
|
* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
|
* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
|
* Security Header integration
|
|
** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
|
** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
|
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
|
** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
|
** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
|
* Integrate with the following Servlet API methods
|
|
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
|
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
|
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
|
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
|
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
|
|