Configuring a filter to intercept all requests
The best practice when implementing security is to validate all incoming requests. We would want our security framework to look at the incoming request, authenticate the user and allow the action to be performed only if the user has access to perform the operation. We will make use of a filter to intercept and validate the request. The following example shows more details.
We would want to configure Spring Security to intercept all requests to a web application. We will declare a filter in web.xml, DelegatingFilterProxy, which delegates to the Spring-managed bean with the same name as the filter (springSecurityFilterChain, a FilterChainProxy):
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Now, all requests to our web application will go through the filter. However, we have not configured anything related to security yet. Let's use a simple Java configuration example:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Registers the users Spring Security can authenticate against.
    // Note: from Spring Security 5 on, a PasswordEncoder must be configured here;
    // for a local experiment the "{noop}" prefix marks a password as unencoded.
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("firstuser").password("password1")
            .roles("USER", "ADMIN");
    }

    // Defines which URL patterns need which role and enables form-based login.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers("/*secure*/**").access("hasRole('USER')")
            .and().formLogin();
    }
}
Things to note are as follows:
- @EnableWebSecurity: This annotation switches on Spring Security's web security support (and its Spring MVC integration) for a @Configuration class. In this specific instance, we override a couple of methods to provide our specific web security configuration.
- WebSecurityConfigurerAdapter: This base class implements WebSecurityConfigurer and lets us override only the parts of the security configuration we need.
- protected void configure(HttpSecurity http): This method defines the security requirements for different URL patterns.
- antMatchers("/*secure*/**").access("hasRole('USER')"): You would need a role of USER to access any URL containing the sub-string secure (the pattern is Ant-style, so it is matched against the request path).
- antMatchers("/login").permitAll(): Permits access to the login page to all users.
- public void configureGlobalSecurity(AuthenticationManagerBuilder auth): In this example, we are using in-memory authentication. This can be replaced with a database (auth.jdbcAuthentication()), an LDAP server (auth.ldapAuthentication()), or a custom authentication provider (created by implementing AuthenticationProvider).
- withUser("firstuser").password("password1"): Configures an in-memory valid user ID and password combination.
- .roles("USER", "ADMIN"): Assigns roles to the user.
When we try to access any secure URLs, we will be redirected to a login page. Spring Security provides ways of customizing the login page as well as the redirection. Only authenticated users with the right roles will be allowed to access the secured application pages.
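As an added example (not from the book), here is a hardened form of the same configuration, assuming Spring Security 5.x in the WebSecurityConfigurerAdapter style used above: passwords go through a BCrypt PasswordEncoder, and anyRequest().authenticated() makes unmatched URLs deny-by-default, because the rule set above leaves any path matching neither /login nor /*secure*/** unprotected. The main method uses Spring's AntPathMatcher to show the rule's real scope: a single * does not cross a / separator, so /secured/a/b and /mysecurepage are covered while /admin/secure/report and /admin are not.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.util.AntPathMatcher;

@Configuration
@EnableWebSecurity
public class HardenedSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Same rule as on the page; URL patterns are Ant-style, so "*" never crosses a "/".
    static final String SECURE_PATTERN = "/*secure*/**";

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // never store or compare plaintext passwords
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("firstuser")
            .password(passwordEncoder().encode("password1")) // hashed at startup; demo user only
            .roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers(SECURE_PATTERN).hasRole("USER")   // same as access("hasRole('USER')")
            .anyRequest().authenticated()                  // deny-by-default for everything else
            .and().formLogin();
    }

    // Checks a request path against the rule with Spring's own matcher.
    public static boolean coveredBySecureRule(String path) {
        return new AntPathMatcher().match(SECURE_PATTERN, path);
    }

    public static void main(String[] args) {
        String[] paths = {"/secure/report", "/mysecurepage", "/secured/a/b", "/admin/secure/report", "/admin"};
        for (String p : paths) {
            System.out.println(p + " -> " + (coveredBySecureRule(p) ? "needs USER" : "not matched by the rule"));
        }
    }
}
```

Running main needs only spring-core on the classpath; the configuration class itself is picked up by the web application like the one above.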