github
/
spring-security
spegling av https://github.com/spring-projects/spring-security


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111
							= Hello Spring Security Java Config
:author: Rob Winch
:starter-appname: insecure
:completed-appname: helloworld-jc
:include-dir: _includes
:hello-include-dir: _hello-includes

This guide provides instructions on how to add Spring Security to an existing application without the use of XML.

include::{include-dir}/setting-up-the-sample.asc[]

Verify the application is working by ensuring a page stating *TODO Secure this* is displayed at http://localhost:8080/sample/

Once you have verified the application runs, stop the application server using the following steps:

* In the Servers view select the latest tc Server
* Click the stop button (a red square) to stop the application server

include::{hello-include-dir}/secure-the-application.asc[]

=== Registering Spring Security with the war

We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:

* Navigate to the *Package Explorer* view
* Right click the *org.springframework.security.samples.config* package within the *spring-security-samples-{starter-appname}* project
* Select *New->Class*
* Enter _SecurityWebApplicationInitializer_ for the *Name*
* Click *Finish*
* Replace the file with the following contents:

.src/main/java/org/springframework/security/samples/config/SecurityWebApplicationInitializer.java
[source,java]
----
package org.springframework.security.samples.config;

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
      extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        super(SecurityConfig.class);
    }
}
----

The `SecurityWebApplicationInitializer` will do the following things:

* Automatically register the springSecurityFilterChain Filter for every URL in your application
* Add a ContextLoaderListener that loads the <<security-config-java,SecurityConfig>>.

NOTE: Since we were not already using Spring, this is a simple way to add our <<security-config-java,SecurityConfig>>. If we were already using Spring, then we should add our <<security-config-java,SecurityConfig>> with the reset of our Spring configuration (i.e. a subclass of AbstractContextLoaderInitializer or AbstractDispatcherServletInitializer) and use the default constructor instead.

include::{hello-include-dir}/exploring-the-secured-application.asc[]

==== Displaying the user name

Now that we have authenticated, let's update the application to display the username. Update the body of index.jsp to be the following:

.src/main/webapp/index.jsp
[source,html]
----
<body>
  <div class="container">
    <h1>This is secured!</h1>
    <p>
      Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
    </p>
  </div>
</body>
----

WARNING: The `<c:out />` tag ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.

Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>

==== Logging out

Now that we can view the user name, let's update the application to allow logging out. Update the body of index.jsp to contain a log out form as shown below:

.src/main/webapp/index.jsp
[source,html]
----
<body>
  <div class="container">
    <h1>This is secured!</h1>
    <p>
      Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
    </p>
    <c:url var="logoutUrl" value="/logout"/>
    <form class="form-inline" action="${logoutUrl}" method="post">
      <input type="submit" value="Log out" />
      <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    </form>
  </div>
</body>
----

In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:

* the HTTP method must be a POST
* the CSRF token must be added to the request You can access it on the ServletRequest using the attribute _csrf as illustrated above.

NOTE: If you were using Spring MVC's tag library or Thymeleaf, the CSRF token is automatically added as a hidden input for you.

Refresh the page at http://localhost:8080/sample/ and you will see the log out button. Click the logout button and see that the application logs you out successfully.

== Conclusion

You should now know how to secure your application using Spring Security without using any XML. To learn more refer to the link:index.html[Spring Security Guides index page].