Authentication and Authorization Using Spring Security

By Arvind Rai, November 29, 2013
Spring Security protects web pages against unauthorized access. Access can be categorized, and one, two, or all categories of access can be permitted to a user. Before a user reaches the application, the user is authenticated and authorized. We will understand what authentication and authorization are.

Authentication Using Spring Security | <http> Configuration

An application needs to know who is accessing it, so authentication answers the question "who". The application checks this with a login form: the user enters a user name and password, and the application validates these inputs. Once validation succeeds, the user is declared authenticated. Now we will see what Spring Security does for authentication.
Spring Security provides namespace configuration in XML. First we will look at auto-config. Spring Security provides a minimal basic configuration as below.

auto-config in Spring Security

    <http> <!-- these three children are what auto-config="true" registers for you -->
        <form-login />
        <http-basic />
        <logout />
    </http>
The above snippet sets up the login form, HTTP basic authentication, and the logout action. Now we will go into detail to configure authentication in Spring Security.
    <http auto-config="true">
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login.jsp" default-target-url="/loginSuccess.jsp" always-use-default-target="true" />
    </http>
With the above configuration we can override the default login settings.
auto-config="true": keeps the defaults for anything we do not configure ourselves.
intercept-url: every request matching /** is forced to the login page until the user is authenticated with ROLE_USER.
form-login: defines the login page URL and the URL of the page shown after the user has logged in successfully. default-target-url configures the URL for a successful login, and if the user should always start from the login success page, we also set always-use-default-target="true".

Authorization Using Spring Security

Authorization checks whether a user may access the application at all, and what the user can and cannot access. Now find the configuration details.
    <authentication-manager><authentication-provider><user-service>
        <user name="ram" password="f" authorities="ROLE_USER, ROLE_ADMIN" />
        <user name="shyam" password="" authorities="ROLE_USER" />
    </user-service></authentication-provider></authentication-manager>
The above namespace configuration defines two users. Declaring the user name and password this way is the default (in-memory) approach.
authentication-manager: holds the authentication provider(s) together with their authorization details.
authentication-provider: defines that the user details are used through the authentication manager.
user-service: defines all the users' details. More than one user is possible.
user: name and password hold the user name and user password. authorities defines the authorities granted to that specific user.
