java - What is the best way to insert Spring Security into a project? I have 2 different ways to do it


I am pretty new to Spring Security and have doubts related to these 2 different configurations found in 2 different projects. I want to understand whether one is better than the other or if they are equivalent.

project 1:

spring-security.xml of project 1:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <security:http>
        <security:intercept-url pattern="/springlogin" access="permitAll"/>
        <security:intercept-url pattern="/dospringlogin" access="permitAll"/>
        <security:intercept-url pattern="/springhome" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/springlogout" access="permitAll"/>
        <security:intercept-url pattern="/springlogin?error=true" access="permitAll"/>
        <security:form-login login-page="/springlogin" login-processing-url="/dospringlogin"
            default-target-url="/springhome" authentication-failure-url="/springlogin?error=true"
            username-parameter="username" password-parameter="password"/>
        <security:csrf disabled="true"/>
        <security:logout logout-url="/springlogout" logout-success-url="/springlogin"/>
    </security:http>

    <bean id="userDetailsServiceImpl" class="com.demo.security.UserDetailsServiceImpl"></bean>

    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsServiceImpl"></property>
    </bean>

    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <constructor-arg name="providers">
            <list>
                <ref bean="authenticationProvider"/>
            </list>
        </constructor-arg>
    </bean>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailsServiceImpl">
            <security:password-encoder hash="plaintext"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

As you can see in the previous Spring Security configuration file, first I declare the secured resources and the access roles for these resources (what kind of user can access these resources).

Then there are the declared beans, which are:

1) userDetailsServiceImpl, an instance of the com.demo.security.UserDetailsServiceImpl class:

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
// plus the project's own User entity and RegisteryDao (their packages are not shown in the post)

public class UserDetailsServiceImpl implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println(username);

        // Obtain the User object from the user database table using the username as key:
        User user = RegisteryDao.getUserDao().getUserByUsername(username);

        if (user == null) {
            // Returning null breaks the UserDetailsService contract (DaoAuthenticationProvider
            // treats it as an internal error); report the missing user with the dedicated exception.
            throw new UsernameNotFoundException("User not found: " + username);
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

        // Populate the authorities list with a new SimpleGrantedAuthority object created from the user role:
        authorities.add(new SimpleGrantedAuthority(user.getRole()));

        // Create a new UserDetails object using the username, password and authorities list:
        UserDetails userDetails = new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), true, true, true, true, authorities);

        return userDetails;
    }
}

As you can see, this bean is an implementation of the UserDetailsService interface provided by Spring. It performs the following operations:

  • Obtain the User object from the user database table using the username as key.

  • Populate the authorities list with a new SimpleGrantedAuthority object created from the user role.

  • Create and finally return a new UserDetails object using the username and the authorities list.

2) the authenticationProvider bean:

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsServiceImpl"></property>
</bean>

which takes the previous userDetailsServiceImpl bean as a reference.

This bean gets the user details from the UserDetailsService.

3) authenticationManager, an instance of ProviderManager:

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg name="providers">
        <list>
            <ref bean="authenticationProvider"/>
        </list>
    </constructor-arg>
</bean>

which takes a list of ProviderManager objects (in this case 1, represented by the authenticationProvider bean). This object iterates the authentication request through the list of AuthenticationProviders and decides if the request toward a specific resource is acceptable using the role declared inside the tag (but I am not sure about this assertion, correct me if I am wrong).

OK. This is pretty clear to me... now the second project has a different configuration.

Second project:

In the spring-security.xml configuration file I have:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <http pattern="/resources/**" security="none"/>

    <http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
        <intercept-url pattern="/login" access="permitAll" />
        .............................................................
        roles
        .............................................................
        <logout logout-success-url="/login" logout-url="/logout" />
        <form-login login-page="/login"
                    authentication-failure-url="/login?error=true"
                    default-target-url="/"
                    username-parameter="nomeutente"
                    password-parameter="password"
                    login-processing-url="/j_spring_security_check"/>
        <csrf disabled="true"/>
        <!-- <session-management invalid-session-url="/sessiontimeout" /> -->
    </http>

    <authentication-manager id="authenticationManager">
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select des_usr_par, des_psw_par, true from tid001_anagpartecipa where des_usr_par = ?"
                authorities-by-username-query="select des_usr_par, prg_par from tid001_anagpartecipa where des_usr_par = ?"/>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

As you can see, in this case I have not declared a service (that uses a DAO) to return the UserDetails object used by the authenticationProvider bean, which in turn is used by the ProviderManager.

In this case I have the statement:

<authentication-manager id="authenticationManager">
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select des_usr_par, des_psw_par, true from tid001_anagpartecipa where des_usr_par = ?"
            authorities-by-username-query="select des_usr_par, prg_par from tid001_anagpartecipa where des_usr_par = ?"/>
    </authentication-provider>
</authentication-manager>

which I think automatically declares an authentication manager bean having id="authenticationManager" (but of what concrete type?) that uses an authentication-provider bean (but of what concrete type?) that automatically retrieves the authorities by performing a query on the table where the users are stored.

So which is the better way to insert Spring Security into a project? The first one or the more compact second one?
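An added example, not code from either project: the chain that the first configuration declares (UserDetailsService, DaoAuthenticationProvider, ProviderManager) assembled in plain Java so the two rejection cases can be compared. It assumes a constructed in-memory user map in place of the database, a BCrypt encoder where the XML says hash="plaintext", and the hypothetical class name ManualAuthDemo.

```java
import java.util.*;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class ManualAuthDemo {
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();
    // Constructed stand-in for the user table: username -> {bcrypt hash, role}.
    private static final Map<String, String[]> USERS = Collections.singletonMap(
            "alice", new String[] { ENCODER.encode("correct horse"), "ROLE_USER" });

    // Like the question's UserDetailsServiceImpl, but an unknown user throws instead of returning null.
    static class MapUserDetailsService implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) {
            String[] row = USERS.get(username);
            if (row == null) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return new User(username, row[0], true, true, true, true,
                    AuthorityUtils.createAuthorityList(row[1]));
        }
    }

    // The chain the first XML declares: UserDetailsService -> DaoAuthenticationProvider -> ProviderManager.
    static AuthenticationManager buildManager() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new MapUserDetailsService());
        provider.setPasswordEncoder(ENCODER); // hashed comparison instead of hash="plaintext"
        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
    }

    // Granted authorities on success, or null when the manager rejects the credentials.
    static Collection<?> attempt(AuthenticationManager manager, String user, String password) {
        try {
            return manager.authenticate(new UsernamePasswordAuthenticationToken(user, password))
                    .getAuthorities();
        } catch (BadCredentialsException e) {
            // By default DaoAuthenticationProvider hides UsernameNotFoundException as BadCredentialsException,
            // so a wrong password and an unknown username are indistinguishable to the client.
            return null;
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(attempt(manager, "alice", "correct horse")); // known user, right password
        System.out.println(attempt(manager, "alice", "wrong"));         // known user, wrong password
        System.out.println(attempt(manager, "mallory", "anything"));    // unknown user
    }
}
```

The jdbc-user-service of the second project produces the same kind of UserDetails from the two queries, so the provider and manager in front of it behave identically.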

It totally depends on your needs. Spring provides its own classes for authentication and authorization. If you want to use your own, you can use the second option, i.e. the user details service.

