Recently I wrote about getting started with Spring Security. In that post I used XML configuration for Spring Security. As a Java developer, I normally prefer Java configuration over XML when working with Spring. So here is how we can move from XML configuration to Java configuration.
First, I tell my web.xml that I want to use Java-based configuration and give it the configuration class.
```xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <context-param>
        <param-name>contextClass</param-name>
        <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
    </context-param>
    <context-param>
        <param-name>spring.profiles.active</param-name>
        <param-value>javaee</param-value>
    </context-param>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>com.myapp.config.MyConfig</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>ERROR</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <servlet>
        <servlet-name>dispatcherServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextClass</param-name>
            <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
        </init-param>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>com.myapp.config.MyConfig</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcherServlet</servlet-name>
        <url-pattern>/service/*</url-pattern>
    </servlet-mapping>
</web-app>
```
Here is a simple controller path which I need to secure:
```java
package com.myapp.test;

import java.io.IOException;

import javax.servlet.ServletException;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
@RequestMapping("/sample")
public class SampleService {

    // Reached at /service/sample/hello, because the dispatcher servlet is mapped to /service/*.
    // The mapping has no {id} template variable, so the handler takes no @PathVariable.
    @RequestMapping(method = RequestMethod.GET, value = "/hello")
    public ModelAndView LepService() throws ServletException, IOException {
        ModelAndView mv = new ModelAndView("hello");
        // Do something here
        return mv;
    }
}
```
As you can see, this simply returns the hello view (hello.jsp).
And here is the configuration file.
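```java
package com.myapp.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;
import org.springframework.web.servlet.view.UrlBasedViewResolver;

@Configuration
@EnableWebMvc
@EnableWebSecurity
@ComponentScan(basePackages = "com.myapp.test")
public class MyConfig extends WebSecurityConfigurerAdapter {

    // Resolves the view name "hello" to /WEB-INF/hello.jsp
    @Bean
    public UrlBasedViewResolver urlBasedViewResolver() {
        UrlBasedViewResolver res = new InternalResourceViewResolver();
        res.setViewClass(JstlView.class);
        res.setPrefix("/WEB-INF/");
        res.setSuffix(".jsp");
        return res;
    }

    // Static resources bypass the security filter chain entirely
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    // Demo-only in-memory user with a hard-coded plain-text password
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password")
                .roles("USER");
    }

    // Rules are checked in order. Ant patterns are matched against servlet path + path info,
    // so the controller rule includes the /service prefix from the servlet mapping.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/service/sample/**").hasRole("USER")
                .anyRequest().authenticated()
                .and().formLogin();
    }
}
```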
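Ant patterns in `authorizeRequests()` are matched against the servlet path plus path info, so with the dispatcher mapped to `/service/*` a pattern written relative to the controller mapping (`/sample/**`) does not cover `/service/sample/hello` and the request falls through to the catch-all rule. The following check is an added example, not code from the original post; it assumes `spring-test` and `spring-security-web` are on the classpath, and the class name, helper names and the `/myapp` context path are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class RuleOrderCheck {

    // Constructed request, split the way the container splits it for a servlet
    // mapped to /service/*; the "/myapp" context path is an assumption.
    static MockHttpServletRequest request(String servletPath, String pathInfo) {
        String path = servletPath + (pathInfo == null ? "" : pathInfo);
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/myapp" + path);
        req.setContextPath("/myapp");
        req.setServletPath(servletPath);
        req.setPathInfo(pathInfo);
        return req;
    }

    // Rules are evaluated in declaration order and the first match decides.
    static String decidingRule(Map<String, String> rules, MockHttpServletRequest req) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (new AntPathRequestMatcher(rule.getKey()).matches(req)) {
                return rule.getKey() + " -> " + rule.getValue();
            }
        }
        return "no rule matched";
    }

    // Same rule order as the configuration class, with the controller pattern swappable.
    static Map<String, String> rules(String controllerPattern) {
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/", "permitAll");
        rules.put(controllerPattern, "hasRole('USER')");
        rules.put("/**", "authenticated"); // stands in for anyRequest()
        return rules;
    }

    public static void main(String[] args) {
        MockHttpServletRequest hello = request("/service", "/sample/hello");
        // Pattern relative to the controller mapping vs. pattern including the servlet mapping
        System.out.println(decidingRule(rules("/sample/**"), hello));
        System.out.println(decidingRule(rules("/service/sample/**"), hello));
    }
}
```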