Authentication and Authorization Using Spring Security
November 29, 2013

Spring Security protects the web pages of an application from invalid access. Access can be categorized into different types, and a user can be permitted one, two, or all of those types. Before a user reaches the application, the user is authenticated and authorized. First we will understand what authentication and authorization mean.
Authentication Using Spring Security | <http> Configuration

An application needs to know who is accessing it, so authentication is about the word "who". The application checks this with a login form: the user enters a user name and password, and the application validates these inputs. Once the validation succeeds, the user is declared authenticated. Now we will understand what Spring Security does for authentication.

Spring Security provides namespace configuration in XML. First we will look at auto configuration. Spring Security provides a minimal basic configuration as below.
auto-config in Spring Security
<http>
    <form-login />
    <http-basic />
    <logout />
</http>

<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page='/login.jsp'
                default-target-url="/loginSuccess.jsp"
                always-use-default-target='true' />
</http>
auto-config='true': enables form-login, http-basic, and logout with their default settings (the three elements shown in the first snippet), so we do not have to configure them ourselves.

intercept-url: with pattern="/**" and access="ROLE_USER", every request requires the ROLE_USER authority; a request without an authenticated user is redirected to the login page.

form-login: defines the login page URL and the URL of the page shown after the user has logged in successfully. default-target-url configures the URL for a successful login, and if the user should always start from the login-success page (rather than the page originally requested), we define always-use-default-target="true".
Authorization Using Spring Security

Authorization checks whether a user can access the application at all, and what the user can and cannot access. Now find the configuration details.
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="ram" password="f" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="shyam" password="" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
authentication-manager: holds the authentication provider, and through it all the user and authority details used for authorization.

authentication-provider: defines where the user details used by the authentication manager come from.

user-service: defines the details of all users. More than one user is possible.

user: name and password are the user name and the user's password. authorities defines the authorities granted to that specific user.
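The two snippets above are fragments. As an added example (not the original post's file), here is a complete spring-security.xml that joins the authentication part (the <http> element) and the authorization part (the <authentication-manager> element) and goes one step further by authorizing per path: a hypothetical /admin/** area is restricted to ROLE_ADMIN while the rest of the site needs ROLE_USER. It assumes the Spring Security 3.1 namespace, the login-page URLs from the post, and constructed demo passwords.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- spring-security.xml: added illustrative example, not the original post's file.
     Assumes the Spring Security 3.1 namespace and a hypothetical /admin/** area. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Authentication: auto-config enables form-login, http-basic and logout defaults -->
    <http auto-config="true">
        <!-- intercept-url rules are evaluated top-down and the first matching
             pattern wins, so the most specific rules must come first. -->

        <!-- The login page itself must be reachable without a logged-in user,
             otherwise every request to it is redirected back to it (a loop). -->
        <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!-- Authorization: only users holding ROLE_ADMIN reach the admin area
             (hypothetical path, not from the post) -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />

        <!-- Everything else needs ROLE_USER; the catch-all goes last -->
        <intercept-url pattern="/**" access="ROLE_USER" />

        <form-login login-page="/login.jsp"
                    default-target-url="/loginSuccess.jsp"
                    always-use-default-target="true"
                    authentication-failure-url="/login.jsp?error=true" />
        <logout logout-success-url="/login.jsp" />
    </http>

    <!-- Users and passwords are constructed for this example. Plain-text passwords
         in an in-memory user-service are acceptable only for a demo; a real
         deployment uses a persistent user store and a <password-encoder>. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="ram"   password="ram-demo-pass"   authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="shyam" password="shyam-demo-pass" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

The file is picked up by the application's ContextLoaderListener, and the filter chain is activated by declaring a DelegatingFilterProxy named springSecurityFilterChain in web.xml. With these rules, ram (ROLE_USER and ROLE_ADMIN) can open both /admin/** and the rest of the site, while shyam (ROLE_USER only) is denied on /admin/** with a 403 but can use every other page; an anonymous visitor is redirected to /login.jsp for anything except the login page itself. A quick check of any rule set like this is to read the intercept-url list top to bottom and confirm that no broad pattern appears above a narrower one it would shadow.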