Skip to content

Instantly share code, notes, and snippets.

@renatoapcosta

renatoapcosta/spring-security-xml.md

Last active November 3, 2022 12:19
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save renatoapcosta/a7945952731ff99b434b48d411943817 to your computer and use it in GitHub Desktop.
Save renatoapcosta/a7945952731ff99b434b48d411943817 to your computer and use it in GitHub Desktop.
Download ZIP
Spring Security com XML
Raw
spring-security-xml.md

Spring Security

Usando o spring-security 3.2.10.RELEASE com java 8 e tomcat 8.5.x

spring-security-xml-3.2

Estrutura maven web

projeto
  src
    main
      java
      resources
      webapp
        index.jsp
        home.jsp
        admin.jsp
        WEB-INF
          web.xml
          security.xml

Projeto

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>br.com.ractecnologia</groupId>
    <artifactId>estudo-springsecurity</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
            <version>1.2</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.2.10.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>3.2.10.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>3.2.10.RELEASE</version>
        </dependency>
    </dependencies>


    <build>
        <finalName>spring-security</finalName>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.8.0</version>
                <configuration>
                    <source>8</source>
                    <target>8</target>
                </configuration>
            </plugin>
        </plugins>
    </build>


</project>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">

    <display-name>Exemplo Spring Security</display-name>

    <welcome-file-list>
        <welcome-file>/index.jsp</welcome-file>
    </welcome-file-list>

    <!-- Configurações SPRING SECURITY -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/security.xml</param-value>
    </context-param>

    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

security.xml

<?xml version="1.0" encoding="UTF-8"?>
<bean:beans
        xmlns:bean="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
   http://www.springframework.org/schema/security
   http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http auto-config="true" >

        <intercept-url pattern="/home.jsp" access="ROLE_USER,ROLE_ADMIN"/>
        <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>

<!--        <logout logout-url="/custom_logout_url" />-->
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin"
                      password="admin"
                      authorities="ROLE_USER,ROLE_ADMIN"/>
                <user name="user"
                      password="user"
                      authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</bean:beans>

Paginas jsp

index.jsp

<h2>Desprotegida</h2>

<a href="home.jsp">Ir para home</a> <br />
<a href="admin.jsp">Ir para admin</a>

home.jsp

<h2>Protegida</h2>

<a href="index.jsp">Ir para index</a><br />
<a href="admin.jsp">Ir para admin</a><br />

<a href="j_spring_security_logout">Logout</a>

admin.jsp

<h2>Protegida</h2>

<a href="index.jsp">Ir para index</a><br />
<a href="home.jsp">Ir para home</a><br />

<a href="j_spring_security_logout">Logout</a>

Analise

Dependencias import

image

Login personalizado

    <http auto-config="true" >

        <intercept-url pattern="/home.jsp" access="ROLE_USER,ROLE_ADMIN"/>
        <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>

        <form-login
                login-page="/login.jsp"
                default-target-url="/home.jsp"
                authentication-failure-url="/login?error"
                username-parameter="j_username"
                password-parameter="j_password" />

    </http>

login.jsp

<form name="f" action="j_spring_security_check" method="POST">
<table>
    <tr><td>User:</td>
        <td><input type='text' name='j_username' value=''/></td>
    </tr>
    <tr><td>Password:</td>
        <td><input type='password' name='j_password'></td></tr>
    <tr>
        <td>
            <input type="checkbox" name="_spring_security_remember_me">
        </td>
        <td>Don't ask for my password for two weeks</td>
    </tr>

    <tr><td colspan='2'><input name="submit" type="submit"></td></tr>
    <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
</table>
</form>

Sessão Única

<http auto-config="true" use-expressions="true" >

        <form-login
                login-page="/login.jsp"
                default-target-url="/home.jsp"
                authentication-failure-url="/login.jsp?error" />

        <intercept-url pattern="/home.jsp" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
        <intercept-url pattern="/admin.jsp" access="hasRole('ROLE_ADMIN')"/>

        <session-management>
            <concurrency-control max-sessions="1" />
        </session-management>

    </http>

Migrando para Spring 5.7.4

spring-security-xml-5.7

O csrf vem habilitado por padrão, podemos desabilitar

<csrf disabled="true"/>

Precisamos adicionar um bean para validar as url

 <bean:bean id="httpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall" >
        <bean:property name="allowUrlEncodedDoubleSlash" value="true" />
        <bean:property name="allowBackSlash" value="true" />
        <bean:property name="allowUrlEncodedSlash" value="true" />
        <bean:property name="allowSemicolon" value="true" />
    </bean:bean>

    <http-firewall ref="httpFirewall"/>

O authentication-provider exige de forma explicita o password-encoder.

<bean:bean id="passwordEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder" />


<authentication-manager>
    <authentication-provider>
        <password-encoder ref="passwordEncoder"/>
        <user-service>
            <user name="admin"
                  password="admin"
                  authorities="ROLE_USER,ROLE_ADMIN"/>
            <user name="user"
                  password="user"
                  authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

No form-login é necessário informar os campos para username e password

<http>
...
  <form-login login-page="/login.jsp" default-target-url="/home.jsp"
                    authentication-failure-url="/login.jsp?error=1"
                    login-processing-url="/j_spring_security_check"
                    username-parameter="j_username"
                    password-parameter="j_password"
                    always-use-default-target="false" />
  ...
</http>

DTD Spring XML

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
   http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/context
   http://www.springframework.org/schema/context/spring-context.xsd
   http://www.springframework.org/schema/tx
   http://www.springframework.org/schema/tx/spring-tx.xsd
   http://www.springframework.org/schema/security
   http://www.springframework.org/schema/security/spring-security-5.7.xsd">

</beans>

Spring

Executando um metodo

<bean id="jsonKeyCload" class="br.com.ractecnologia.AppVariables" factory-method="resolveKeyCloakJson" />

Adicionando arquivo de propriedades com profile

security.xml

<context:property-placeholder location="classpath:application.properties" order="0" ignore-unresolvable="true"/>
<context:property-placeholder location="classpath:application-${spring.profiles.active:prd}.properties" order="1" ignore-unresolvable="true"/>

application.properties

spring.profiles.active=prd

application-prd.properties

spring.profiles.active=prd

application-dev.properties

spring.profiles.active=dev

Adicionando um bean

security.xml

<context:component-scan base-package="br.com.ractecnologia.beans" />

package br.com.ractecnologia.beans;
@Service
public class MeuBean { }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment