
Example of Security Pointcuts in Spring

By Arvind Rai, December 25, 2013
Spring Security provides pointcuts to secure the service layer of an application. All methods of several classes can be secured by matching a single pattern, so a small amount of configuration secures many classes at once. In this example we walk through the complete configuration needed to add security pointcuts using protect-pointcut within the global-method-security namespace of Spring Security.

protect-pointcut in Spring Security

The global-method-security namespace element is used to define method-level security. To add security pointcuts, Spring Security provides protect-pointcut, which is declared as below.
<global-method-security>
    <protect-pointcut expression="execution(* com.concretepage.service.*Service.*(..))"
         access="ROLE_USER"/>
</global-method-security>
 
This configuration says that the methods of classes whose name ends with Service and that lie in the package com.concretepage.service can be accessed only by a principal holding ROLE_USER.
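The pointcut expression uses AspectJ execution() syntax, and it is worth checking exactly which methods it covers before relying on it. The Python script below is an added example, not code from the article or from Spring, that implements a simplified matcher for execution() expressions and runs the article's pointcut, plus a subpackage variant using the `..` wildcard, over a constructed list of method signatures. The class names other than LoginService and ILoginService, the transfer method and the helper names are assumptions made up for the illustration. It makes two things visible: a `*` in the type pattern does not cross a package boundary, so a class in com.concretepage.service.impl is left unguarded by the article's expression, and a class whose name does not end in Service is not covered at all.

```python
"""Simplified matcher for AspectJ-style execution() pointcut expressions.

Added example to show which methods a Spring Security protect-pointcut
covers; it is not the article's code and not the AspectJ implementation.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Method:
    declaring_type: str          # fully-qualified class or interface name
    name: str
    param_types: tuple = ()      # type names as they would be written in the pointcut
    return_type: str = "void"


def _pattern_to_regex(pattern: str) -> str:
    """Translate an AspectJ name/type pattern into a regex.
    '*'  matches any run of characters that does not cross a '.' boundary;
    '..' matches one '.' followed by any number of package segments."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("..", i):
            out.append(r"\.(?:[^.]*\.)*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^.]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


# execution(<return> <type-pattern>.<method-pattern>(<params>))
_EXEC = re.compile(r"^execution\(\s*(\S+)\s+(.+)\.([^.()\s]+)\s*\((.*)\)\s*\)$")


def parse_execution(expr: str):
    m = _EXEC.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported pointcut expression: {expr!r}")
    return m.groups()  # (return_pat, type_pat, name_pat, params_pat)


def _type_matches(pattern: str, type_name: str) -> bool:
    # A lone '*' matches any type, including dotted fully-qualified names.
    return pattern == "*" or re.fullmatch(_pattern_to_regex(pattern), type_name) is not None


def _params_match(pattern: str, param_types: tuple) -> bool:
    pattern = pattern.strip()
    if pattern == "..":                      # (..): any number of parameters
        return True
    parts = [p.strip() for p in pattern.split(",")] if pattern else []
    if parts and parts[-1] == "..":          # (String, ..): fixed prefix, anything after
        parts = parts[:-1]
        if len(param_types) < len(parts):
            return False
        param_types = param_types[: len(parts)]
    elif len(parts) != len(param_types):
        return False
    return all(_type_matches(p, t) for p, t in zip(parts, param_types))


def is_protected(expr: str, method: Method) -> bool:
    """True if the pointcut would intercept this method on a Spring bean."""
    ret_pat, type_pat, name_pat, params_pat = parse_execution(expr)
    return (_type_matches(ret_pat, method.return_type)
            and _type_matches(type_pat, method.declaring_type)
            and re.fullmatch(_pattern_to_regex(name_pat), method.name) is not None
            and _params_match(params_pat, method.param_types))


def coverage(expr: str, methods) -> dict:
    """Map 'declaring.Type.method' -> whether the pointcut protects it."""
    return {f"{m.declaring_type}.{m.name}": is_protected(expr, m) for m in methods}


# Constructed sample: only LoginService/ILoginService.welcome come from the article.
SAMPLE_METHODS = [
    Method("com.concretepage.service.LoginService", "welcome", (), "String"),
    Method("com.concretepage.service.ILoginService", "welcome", (), "String"),
    Method("com.concretepage.service.LoginHelper", "welcome", (), "String"),
    Method("com.concretepage.service.AccountService", "transfer", ("String", "long")),
    Method("com.concretepage.service.impl.AccountService", "transfer", ("String", "long")),
]
ARTICLE_POINTCUT = "execution(* com.concretepage.service.*Service.*(..))"
SUBPACKAGE_POINTCUT = "execution(* com.concretepage.service..*Service.*(..))"

if __name__ == "__main__":
    for expr in (ARTICLE_POINTCUT, SUBPACKAGE_POINTCUT):
        print(expr)
        for signature, covered in coverage(expr, SAMPLE_METHODS).items():
            print(f"  {'PROTECTED' if covered else 'unguarded'}  {signature}")
```

Run it directly to print a PROTECTED or unguarded line per method for both expressions. Two simplifications apply: parameter types are matched by the name as written in the pointcut, and, as with real Spring AOP method security, the match only decides which bean methods the proxy intercepts; a call that bypasses the proxy (a `new LoginService()` or a method calling another on `this`) is never advised, whatever the pointcut says.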
Now we will see a complete demo. We have a service class and its interface as below.
ILoginService.java
package com.concretepage.service;
public interface ILoginService {
	public String welcome();
}
 
LoginService.java
package com.concretepage.service;
public class LoginService implements ILoginService {
	public String welcome() {
		return "You are authorized for this zone.";
	}
}
 
Below is the controller class into which the service is autowired. As a simple example, only the ROLE_USER role is authorized to call the service-layer method.
LoginController.java
package com.concretepage.security.controller;
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.concretepage.service.ILoginService;
@Controller
@RequestMapping("/login")
public class LoginController {
	@Autowired
	private ILoginService loginService;
	@RequestMapping(method = RequestMethod.GET)
	public String success(ModelMap map, HttpServletRequest req) {
		if (hasRole("ROLE_USER")) {
			// The call goes through the Spring proxy, so protect-pointcut is enforced here as well.
			String msg = loginService.welcome();
			map.addAttribute("msg", msg);
		} else {
			map.addAttribute("msg", "Successfully logged in but You are not authorized for this zone.");
		}
		return "success";
	}
	// Returns true if the currently authenticated principal holds the given role.
	private boolean hasRole(String role) {
		Collection<? extends GrantedAuthority> authorities =
				SecurityContextHolder.getContext().getAuthentication().getAuthorities();
		for (GrantedAuthority authority : authorities) {
			if (authority.getAuthority().equals(role)) {
				return true;
			}
		}
		return false;
	}
}
 
Below are the Spring Security declarations. There are two users, ram and shyam, and both have con1234 as their password.
security-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	<http auto-config="true">
		<intercept-url pattern="/login" access="ROLE_USER,ROLE_SUPERWISER" />
		<logout logout-success-url="/login" />
	</http>
	<authentication-manager>
		<authentication-provider>
			<password-encoder hash="sha"/>
			<user-service>
				<user name="ram" password="0733824cc1549ce36139e8c790a9344d1e385cd2" authorities="ROLE_USER" />
				<user name="shyam" password="0733824cc1549ce36139e8c790a9344d1e385cd2" authorities="ROLE_SUPERWISER" />
			</user-service>
		</authentication-provider>
	</authentication-manager>
	<beans:bean name="loginService" class="com.concretepage.service.LoginService"/>
	<global-method-security>
		<protect-pointcut expression="execution(* com.concretepage.service.*Service.*(..))"
			access="ROLE_USER"/>
	</global-method-security>
</beans:beans>
 

Output UI

[Image: Example of Security Pointcuts in Spring]

When we enter username ram and password con1234, we get the UI below.

[Image: Example of Security Pointcuts in Spring]

When we enter username shyam and password con1234, we get the UI below.

[Image: Example of Security Pointcuts in Spring]
