Usando o Spring Security 3.2.10.RELEASE com Java 8 e Tomcat 8.5.x
projeto
src
main
java
resources
webapp
index.jsp
home.jsp
admin.jsp
WEB-INF
web.xml
security.xml
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Build descriptor for the Spring Security study WAR (compiled for Java 8; the page deploys it on Tomcat 8.5). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>br.com.ractecnologia</groupId>
<artifactId>estudo-springsecurity</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<properties>
<!-- Compiler level; the maven-compiler-plugin configuration below repeats the same values. -->
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<!-- The Servlet API is supplied by the container at runtime, hence scope "provided"; 2.5 matches the web-app version declared in web.xml. -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
<!-- Spring Security: config (XML namespace support), core and web. The Spring Framework jars are not declared here and arrive transitively; pinning them explicitly makes the versions visible for auditing.
NOTE(review): the 3.2.x line is no longer maintained and receives no security fixes. Treat this version as study material only and move to a supported line (the later snippets on this page already target the 5.7 schema) before any real deployment. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.10.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.10.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.10.RELEASE</version>
</dependency>
</dependencies>
<build>
<!-- Produces spring-security.war, so the context path is /spring-security unless the container is told otherwise. -->
<finalName>spring-security</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
<configuration>
<source>8</source>
<target>8</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.5 deployment descriptor: starts the Spring root context from security.xml and routes every request through the Spring Security filter chain. -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>Exemplo Spring Security</display-name>
<welcome-file-list>
<welcome-file>/index.jsp</welcome-file>
</welcome-file-list>
<!-- Spring Security setup -->
<!-- Location(s) of the root application context loaded by ContextLoaderListener; only security.xml is listed here. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/security.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!-- DelegatingFilterProxy forwards each request to the bean whose name equals this filter-name. "springSecurityFilterChain" is the bean the <http> element registers, so the name must stay exactly this. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<!-- Applies the chain to every request path. No <dispatcher> child is given, so only REQUEST dispatches are filtered (the servlet default); forwards, includes and error dispatches bypass the chain. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 3.2 context. The security namespace is the default here, so <http> and friends are unprefixed, while plain bean definitions need the bean: prefix. -->
<bean:beans
xmlns:bean="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- auto-config="true" is 3.x shorthand for <form-login/>, <http-basic/> and <logout/> with their defaults: an auto-generated login page and logout at /j_spring_security_logout, which the JSP links on this page use. -->
<http auto-config="true" >
<!-- intercept-url rules are evaluated in order, first match wins, and these patterns are exact paths. There is no catch-all pattern="/**", so every path not listed (index.jsp, the login page, static files) is served without authentication; that is the intent for index.jsp, but any new protected page must be added here explicitly. A comma-separated access list grants access to a user holding any one of the roles. -->
<intercept-url pattern="/home.jsp" access="ROLE_USER,ROLE_ADMIN"/>
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
<!-- Uncomment and set logout-url only to move the logout endpoint away from the auto-config default. -->
<!-- <logout logout-url="/custom_logout_url" />-->
</http>
<!-- In-memory users with plain-text passwords. No <password-encoder> is declared, so 3.2 compares the submitted password with the stored value as-is. Study-only: real credentials must never be stored this way. -->
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin"
password="admin"
authorities="ROLE_USER,ROLE_ADMIN"/>
<user name="user"
password="user"
authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</bean:beans>
index.jsp
<%-- Unprotected page: no intercept-url rule matches /index.jsp, so anonymous users reach it (it is also the welcome-file). --%>
<h2>Desprotegida</h2>
<a href="home.jsp">Ir para home</a> <br />
<a href="admin.jsp">Ir para admin</a>
home.jsp
<%-- Protected page: security.xml requires ROLE_USER or ROLE_ADMIN for /home.jsp. --%>
<h2>Protegida</h2>
<a href="index.jsp">Ir para index</a><br />
<a href="admin.jsp">Ir para admin</a><br />
<%-- Logout via GET to the 3.x default logout URL. NOTE(review): once CSRF protection is enabled (the 4.x+ default) logout must be a POST carrying the CSRF token and the default URL becomes /logout; a plain link like this one is then rejected. --%>
<a href="j_spring_security_logout">Logout</a>
admin.jsp
<%-- Protected page: security.xml requires ROLE_ADMIN for /admin.jsp. --%>
<h2>Protegida</h2>
<a href="index.jsp">Ir para index</a><br />
<a href="home.jsp">Ir para home</a><br />
<%-- Logout via GET to the 3.x default logout URL. NOTE(review): with CSRF protection enabled (the 4.x+ default) logout must be a POST carrying the CSRF token and the default URL becomes /logout; a plain link like this one is then rejected. --%>
<a href="j_spring_security_logout">Logout</a>
Dependências import
<!-- Same access rules as the first security.xml, but with a custom login page instead of the auto-generated one. /login.jsp is matched by no intercept-url, so anonymous users can reach it; a protected login page would redirect to itself. -->
<http auto-config="true" >
<intercept-url pattern="/home.jsp" access="ROLE_USER,ROLE_ADMIN"/>
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
<!-- NOTE(review): authentication-failure-url points at "/login?error" while the login page is "/login.jsp"; the later snippet on this page uses "/login.jsp?error", so this looks like a typo. username-parameter / password-parameter restate the 3.x defaults; keeping them explicit is what lets login.jsp keep working after an upgrade to 4.x, where the defaults changed to "username" and "password". -->
<form-login
login-page="/login.jsp"
default-target-url="/home.jsp"
authentication-failure-url="/login?error"
username-parameter="j_username"
password-parameter="j_password" />
</http>
login.jsp
<%-- Custom login form. The relative action "j_spring_security_check" resolves to the 3.x default login-processing URL; on 4.x+ it keeps working only when login-processing-url is set explicitly (the last form-login snippet on this page does that). --%>
<form name="f" action="j_spring_security_check" method="POST">
<%-- NOTE(review): no CSRF token is submitted. With CSRF protection enabled (default from 4.x) add a hidden input whose name is ${_csrf.parameterName} and whose value is ${_csrf.token}, otherwise this POST is rejected. --%>
<table>
<tr><td>User:</td>
<td><input type='text' name='j_username' value=''/></td>
</tr>
<tr><td>Password:</td>
<td><input type='password' name='j_password'></td></tr>
<tr>
<td>
<%-- "_spring_security_remember_me" is the 3.x remember-me parameter name. It only has an effect when <http> declares a <remember-me/> element, which none of the configurations on this page does, so the checkbox is currently inert. The "two weeks" wording matches the default remember-me token validity. --%>
<input type="checkbox" name="_spring_security_remember_me">
</td>
<td>Don't ask for my password for two weeks</td>
</tr>
<tr><td colspan='2'><input name="submit" type="submit"></td></tr>
<tr><td colspan='2'><input name="reset" type="reset"></td></tr>
</table>
</form>
<!-- use-expressions="true" switches the access attribute to SpEL: hasAnyRole(...) / hasRole(...) replace the comma-separated role lists. -->
<http auto-config="true" use-expressions="true" >
<form-login
login-page="/login.jsp"
default-target-url="/home.jsp"
authentication-failure-url="/login.jsp?error" />
<intercept-url pattern="/home.jsp" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<intercept-url pattern="/admin.jsp" access="hasRole('ROLE_ADMIN')"/>
<!-- One session per user: a second login for the same user expires the earlier session (set error-if-maximum-exceeded="true" to reject the new login instead). NOTE(review): the session registry depends on session-destroyed events, so org.springframework.security.web.session.HttpSessionEventPublisher must be registered as a <listener> in web.xml; the web.xml on this page does not do that. -->
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
O CSRF vem habilitado por padrão; podemos desabilitá-lo com:
<!-- Goes inside <http>. Disabling CSRF removes the synchronizer-token check from every state-changing request (login POST, logout, any form). Prefer leaving it enabled and sending the token from each form (hidden input named by the _csrf request attribute); disabling it is only reasonable for stateless endpoints that use no cookie-based session. -->
<csrf disabled="true"/>
Precisamos adicionar um bean para validar as URLs:
<!-- Relaxed request firewall. StrictHttpFirewall (Spring Security 4.2.4 / 5.0.1 and later; not present in 3.2) rejects these path forms by default because the servlet container and the intercept-url matcher can normalise them differently, so an authorization rule may fail to match the path that is actually served. Each allow* flag below reopens one of those cases for the whole application.
NOTE(review): enable only the flag a legitimate client really needs (typically allowSemicolon, for ";jsessionid" URL rewriting) and leave the others at their default of false, rather than switching on all four. -->
<bean:bean id="httpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall" >
<bean:property name="allowUrlEncodedDoubleSlash" value="true" />
<bean:property name="allowBackSlash" value="true" />
<bean:property name="allowUrlEncodedSlash" value="true" />
<bean:property name="allowSemicolon" value="true" />
</bean:bean>
<!-- Top-level element (a sibling of <http>, not a child) that makes the filter chain use this firewall instead of the default one. -->
<http-firewall ref="httpFirewall"/>
O authentication-provider exige de forma explícita o password-encoder.
<!-- NoOpPasswordEncoder stores and compares passwords as plain text and is deprecated since 5.0; it is only here to keep the study users below working unchanged. Two safer options: keep the default DelegatingPasswordEncoder and write the study passwords as password="{noop}admin", or declare a bean:bean whose class is org.springframework.security.crypto.factory.PasswordEncoderFactories with factory-method="createDelegatingPasswordEncoder" and store "{bcrypt}..." hashes. -->
<bean:bean id="passwordEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder" />
<authentication-manager>
<authentication-provider>
<!-- Explicit encoder reference: the provider uses it to check the submitted password against the stored value. -->
<password-encoder ref="passwordEncoder"/>
<user-service>
<user name="admin"
password="admin"
authorities="ROLE_USER,ROLE_ADMIN"/>
<user name="user"
password="user"
authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
No form-login é necessário informar os nomes dos campos de username e password:
<!-- form-login for the upgraded configuration. The 3.x processing URL and parameter names are pinned explicitly because the 4.x+ defaults changed to "/login", "username" and "password", which would silently break login.jsp. always-use-default-target="false" (the default) sends the user back to the page originally requested when one was saved, and to default-target-url otherwise. The "..." lines are page placeholders for the rest of <http>, not XML. -->
<http>
...
<form-login login-page="/login.jsp" default-target-url="/home.jsp"
authentication-failure-url="/login.jsp?error=1"
login-processing-url="/j_spring_security_check"
username-parameter="j_username"
password-parameter="j_password"
always-use-default-target="false" />
...
</http>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Root element for the newer (5.7-schema) security.xml. Here "beans" is the default namespace, so security elements must carry the sec: prefix, the reverse of the earlier security.xml. context is needed for property-placeholder and component-scan; tx is declared but used by no snippet on this page. Spring resolves these schema locations through the META-INF/spring.schemas mapping inside the jars rather than fetching them over the network, which is why the versionless beans/context/tx locations work.
NOTE(review): the pom on this page still pins spring-security 3.2.10.RELEASE; the 5.7 schema needs matching 5.7 artifacts and a Spring Framework 5.3.x runtime, and that dependency change is not shown. -->
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-5.7.xsd">
<!-- The property-placeholder, component-scan, firewall and sec:http elements from the other snippets on this page belong in here. -->
</beans>
Executando um método
<!-- Static factory: with factory-method and no factory-bean, the container calls AppVariables.resolveKeyCloakJson() (which must therefore be static) and registers its return value under this id; no constructor of AppVariables is used. NOTE(review): the id "jsonKeyCload" and the method name "KeyCloak" are spelled differently; if that is a typo, rename the id together with every ref="..." that points at it. -->
<bean id="jsonKeyCload" class="br.com.ractecnologia.AppVariables" factory-method="resolveKeyCloakJson" />
security.xml
<!-- Two placeholder configurers: order="0" loads the base file, order="1" loads a profile file selected by spring.profiles.active, falling back to "prd". ignore-unresolvable="true" lets each one leave placeholders it cannot resolve to the other, but it also turns a misspelled key into a literal "${...}" value instead of a startup error.
NOTE(review): the lower order runs first and replaces every placeholder it can resolve, so for a key present in both files application.properties wins over the profile file. The ${spring.profiles.active:prd} inside location is most likely resolved from the Environment (system property or env var) when this bean is created, not from application.properties. Verify both against the running setup. -->
<context:property-placeholder location="classpath:application.properties" order="0" ignore-unresolvable="true"/>
<context:property-placeholder location="classpath:application-${spring.profiles.active:prd}.properties" order="1" ignore-unresolvable="true"/>
application.properties
# Base properties, loaded by the order="0" placeholder configurer in security.xml.
# NOTE(review): setting the active profile here probably does not select the profile file:
# the ${spring.profiles.active:prd} placeholder in security.xml is resolved from the Environment
# (system property / env var) when that bean is created. Verify by switching the value.
spring.profiles.active=prd
application-prd.properties
# Properties for the prd profile (the fallback when no profile is given); currently it only restates the profile name.
# NOTE(review): a key that also exists in application.properties keeps that file's value, because the order="0" configurer resolves it first.
spring.profiles.active=prd
application-dev.properties
# Properties for the dev profile; only loaded when spring.profiles.active=dev is visible to the Environment
# at startup (for instance as a system property). Currently it only restates the profile name.
spring.profiles.active=dev
security.xml
<!-- Registers every class under br.com.ractecnologia.beans that carries a stereotype annotation (@Service included) as a bean; requires the context namespace to be declared on the root element. -->
<context:component-scan base-package="br.com.ractecnologia.beans" />
package br.com.ractecnologia.beans;
/**
 * Empty service bean, picked up by the component-scan of br.com.ractecnologia.beans in security.xml.
 * The @Service annotation needs {@code import org.springframework.stereotype.Service;}, which this listing omits.
 */
@Service
public class MeuBean { }