Java Authentication Part 4
Using Spring Security (Web Applications)
Spring Security Configuration
SecurityConfig.java
In a Spring Security-based web application, the SecurityConfig class extends WebSecurityConfigurerAdapter to configure security settings. The @Configuration and @EnableWebSecurity annotations indicate that this is a security configuration class. The configure(AuthenticationManagerBuilder auth) method sets up in-memory authentication with a hardcoded user ("admin") and password ("password"), marked with the {noop} prefix to indicate that no password encoding is applied, so the password is stored and compared as plain text. The configure(HttpSecurity http) method requires authentication for every HTTP request. It also configures a custom login page at /login and permits access to both the login and logout pages for all users. With this configuration, Spring Security handles the login and logout processes automatically, redirecting users to the appropriate pages based on their authentication status.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory user store with a single hardcoded account.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password("{noop}password") // {noop}: no password encoding is applied
            .roles("USER");
    }

    // Every request requires authentication; the login and logout pages are open to all users.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
Controller for Custom Login Page
LoginController.java
The LoginController is a simple Spring MVC controller that maps the /login URL to a method that returns the view name "login". This method is annotated with @GetMapping("/login") to handle GET requests to the login page. When a user navigates to /login, this method returns the "login" view name, which corresponds to a login page view (e.g., a JSP or HTML page). This allows the application to display a custom login page when users are not authenticated, leveraging Spring Security's form-based authentication mechanism.
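import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginController {

    // Serves the custom login page configured with loginPage("/login").
    @GetMapping("/login")
    public String login() {
        return "login"; // view name resolved to the login page (e.g., a JSP or HTML page)
    }
}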
For more details, see part 5 on the blog next week.