Monday, April 8, 2019
On April 08, 2019 by Kamlesh 1 comment
Before diving into this implementation, I would suggest you to look at Spring Security Introduction first.
Let's Start
Most of the Web Applications uses custom login page with custom authentication,So lets go with it.
<html>
<body>
<form method="post" action="/login">
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
${logoutmsg}
UserName <input type="text" name="username"/>
<br/>
Password <input type="password" name="password"/>
<br/>
<input type="submit">
</form>
</body>
</html>
Login page is ready,Method should be post and action "/login" to invoke spring security,The EL tag ${sessionScope) will display recent exception message thrown by the springs.
Lets create a user entity now.
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import org.hibernate.validator.constraints.NotBlank;
public class User {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long userId;
public Long getUserId() {
return userId;
}
public void setUserId(Long userId) {
this.userId = userId;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
@NotBlank
private String username;
@NotBlank
private String password;
@NotBlank
private String role;
}
When the username and password is submitted from login page,the security config file which extends WebSecurityConfigurerAdapter will be invoked.
Custom Authenticator is used in below example
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Autowired
CustomAuthentication customauthentication;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customauthentication); //The Custom Authenticator is used here.
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//CSFR is disabled,if you dont know what csrf is,Spring has a beautiful documentaion about it ,Check it out.
http.csrf().disable();
//Login,logout page and resources are permitted for all users
http.authorizeRequests().antMatchers("/","/login","/logout","/resources/**").permitAll();
//userInfo page requires login as ROLE_USER or ROLE_ADMIN.
// If no login, it will redirect to /login page.
http.authorizeRequests().antMatchers("/userInfo").access("hasAnyRole('ROLE_USER', 'ROLE_ADMIN')");
// For ADMIN only.
http.authorizeRequests().antMatchers("/admin").access("hasRole('ROLE_ADMIN')");
//Login and logout configurations
//username and password parameter must match the login form username and password parameter
//When the user logs out,it will be redirected to login page as specified,it is always good practice to display a logout message whwn the user logs
out,To display a logout message,follow the last snippet.
//On Successful login user will be redirected to "/index" page as specified below else back to login page.
http.authorizeRequests().and().
formLogin().loginProcessingUrl("/login").loginPage("/login").defaultSuccessUrl("/index")
.failureUrl("/login?error=true").usernameParameter("username").passwordParameter("password").
and().
logout().logoutSuccessUrl("/login?logout");
// If no login, it will redirect to /login page.
http.authorizeRequests().antMatchers("/**").authenticated();
//Handling Access Denied Request
http.authorizeRequests().and().exceptionHandling().accessDeniedPage("/accessdenied");
}
}
Simple Custom Authentication would look like below one,logic might change based on your requirements.
public class CustomAuthentication implements AuthenticationProvider {
@Autowired
private UserRepository userrepository;
@Override
public Authentication authenticate(Authentication auth)
throws AuthenticationException {
String username = auth.getName();
String password = auth.getCredentials().toString();
User user = userrepository.findByUsername(username);
if(user==null){
throw new BadCredentialsException("Username Not Found");
}
if(!password.equals(user.getPassword)){
throw new BadCredentialsException("Username Or Password Is invalid");
}
return new UsernamePasswordAuthenticationToken(username,password,
Arrays.asList(new SimpleGrantedAuthority(user.getRole())));
}
@Override
public boolean supports(Class<?> arg0) {
return true;
}
}
In the above code exception is thrown with a relevant message if the condition fails,these messages are displayed on login page by EL tag ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}.
If everything checks out,user will be forwarded to welcome page as specified in the security config file.
On Successfully logging out , /login is called which hits the controller,You can set the logout message there as shown below
@RequestMapping(value="/login")
public String showLogin(String error,String logout,Model model) {
if(logout!=null)
model.addAttribute("logoutmsg", "You've been logged out Successfully");
return "login";
}
Let's Start
Most of the Web Applications uses custom login page with custom authentication,So lets go with it.
<html>
<body>
<form method="post" action="/login">
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
${logoutmsg}
UserName <input type="text" name="username"/>
<br/>
Password <input type="password" name="password"/>
<br/>
<input type="submit">
</form>
</body>
</html>
Login page is ready,Method should be post and action "/login" to invoke spring security,The EL tag ${sessionScope) will display recent exception message thrown by the springs.
Lets create a user entity now.
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import org.hibernate.validator.constraints.NotBlank;
public class User {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long userId;
public Long getUserId() {
return userId;
}
public void setUserId(Long userId) {
this.userId = userId;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
@NotBlank
private String username;
@NotBlank
private String password;
@NotBlank
private String role;
}
When the username and password is submitted from login page,the security config file which extends WebSecurityConfigurerAdapter will be invoked.
Custom Authenticator is used in below example
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Autowired
CustomAuthentication customauthentication;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customauthentication); //The Custom Authenticator is used here.
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//CSFR is disabled,if you dont know what csrf is,Spring has a beautiful documentaion about it ,Check it out.
http.csrf().disable();
//Login,logout page and resources are permitted for all users
http.authorizeRequests().antMatchers("/","/login","/logout","/resources/**").permitAll();
//userInfo page requires login as ROLE_USER or ROLE_ADMIN.
// If no login, it will redirect to /login page.
http.authorizeRequests().antMatchers("/userInfo").access("hasAnyRole('ROLE_USER', 'ROLE_ADMIN')");
// For ADMIN only.
http.authorizeRequests().antMatchers("/admin").access("hasRole('ROLE_ADMIN')");
//Login and logout configurations
//username and password parameter must match the login form username and password parameter
//When the user logs out,it will be redirected to login page as specified,it is always good practice to display a logout message whwn the user logs
out,To display a logout message,follow the last snippet.
//On Successful login user will be redirected to "/index" page as specified below else back to login page.
http.authorizeRequests().and().
formLogin().loginProcessingUrl("/login").loginPage("/login").defaultSuccessUrl("/index")
.failureUrl("/login?error=true").usernameParameter("username").passwordParameter("password").
and().
logout().logoutSuccessUrl("/login?logout");
// If no login, it will redirect to /login page.
http.authorizeRequests().antMatchers("/**").authenticated();
//Handling Access Denied Request
http.authorizeRequests().and().exceptionHandling().accessDeniedPage("/accessdenied");
}
}
Simple Custom Authentication would look like below one,logic might change based on your requirements.
public class CustomAuthentication implements AuthenticationProvider {
@Autowired
private UserRepository userrepository;
@Override
public Authentication authenticate(Authentication auth)
throws AuthenticationException {
String username = auth.getName();
String password = auth.getCredentials().toString();
User user = userrepository.findByUsername(username);
if(user==null){
throw new BadCredentialsException("Username Not Found");
}
if(!password.equals(user.getPassword)){
throw new BadCredentialsException("Username Or Password Is invalid");
}
return new UsernamePasswordAuthenticationToken(username,password,
Arrays.asList(new SimpleGrantedAuthority(user.getRole())));
}
@Override
public boolean supports(Class<?> arg0) {
return true;
}
}
In the above code exception is thrown with a relevant message if the condition fails,these messages are displayed on login page by EL tag ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}.
If everything checks out,user will be forwarded to welcome page as specified in the security config file.
On Successfully logging out , /login is called which hits the controller,You can set the logout message there as shown below
@RequestMapping(value="/login")
public String showLogin(String error,String logout,Model model) {
if(logout!=null)
model.addAttribute("logoutmsg", "You've been logged out Successfully");
return "login";
}
On April 08, 2019 by Kamlesh 1 comment
Spring Security provides comprehensive security services for J2EE-based enterprise software applications.
As you probably know two major areas of application security are "authentication" and "authorization" (or "access-control").
These are the two main areas that Spring Security targets.
"Authentication" is the process of establishing a principal is who they claim to be i.e authenticating the user during signing in.
"Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application.
Spring Security Maven
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
Spring Security provides even its own basic login page,processes the login on its own using the jpa,We will see how the set up is done in next chapter
As you probably know two major areas of application security are "authentication" and "authorization" (or "access-control").
These are the two main areas that Spring Security targets.
"Authentication" is the process of establishing a principal is who they claim to be i.e authenticating the user during signing in.
"Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application.
Spring Security Maven
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
Spring Security provides even its own basic login page,processes the login on its own using the jpa,We will see how the set up is done in next chapter
On April 08, 2019 by Kamlesh No comments
There might be a situation where you need to use your own method based on the requirement of a application.
Spring Boot JPA provides not only CRUD Operations,if you extend JpaRepository, a whole lot of implementation will be available
Some of them are shown below
findByLastnameAndFirstname
findByLastnameOrFirstname
findByStartDateBetween
findByAgeLessThan
findByAgeLessThanEqual
findByAgeGreaterThan
findByAgeGreaterThanEqual
findByStartDateAfter
findByStartDateBefore
findByAgeIsNull
findByAge(Is)NotNull
findByFirstnameLike
findByFirstnameNotLike
findByFirstnameStartingWith
Before adding your own custom implementation,I would suggest you to look at all the implementations that are already available here.
Your own implementation can be added as shown below
public interface PersonDAO extends JpaRepository<Person, Long> {
@Query("update User u set u.username = :username where u.userid=:userid")
Integer updateUsernameByUserid(@Param("username") String username,@Param("userid") int userid);
}
Spring Boot JPA provides not only CRUD Operations,if you extend JpaRepository, a whole lot of implementation will be available
Some of them are shown below
findByLastnameAndFirstname
findByLastnameOrFirstname
findByStartDateBetween
findByAgeLessThan
findByAgeLessThanEqual
findByAgeGreaterThan
findByAgeGreaterThanEqual
findByStartDateAfter
findByStartDateBefore
findByAgeIsNull
findByAge(Is)NotNull
findByFirstnameLike
findByFirstnameNotLike
findByFirstnameStartingWith
Before adding your own custom implementation,I would suggest you to look at all the implementations that are already available here.
Your own implementation can be added as shown below
public interface PersonDAO extends JpaRepository<Person, Long> {
@Query("update User u set u.username = :username where u.userid=:userid")
Integer updateUsernameByUserid(@Param("username") String username,@Param("userid") int userid);
}
On April 08, 2019 by Kamlesh No comments
Crud Operations using Spring Data JPA
import org.springframework.data.repository.CrudRepository;
public interface PersonDAO extends CrudRepository<Person, Long> {
}
Here PersonDAO Interface extends CrudRepository which contains crud operation methods and it accepts two generics,
Person - bean which you want to persist(Bean name)
Long - Type of primary key of the bean Person.(primary key is mandatory to persist)
Implementation
We dont really implement PersonDAO interface at all,Hibernate implements for use,we just use those method as shown below.
@Service
public class ServiceLayer {
@Autowired
private PersonDAO dao;
public Person addPerson(Person person) {
return dao.save(person);
}
public List getAllPerson() {
return (List) dao.findAll();
}
public void deletePerson(int id) {
dao.delete(id);
}
}
If you observe closely we have just declared PersonDAO object, not intialized,Since it is annotated with @Autowired, Spring looks for the implementation available for that Interface and intializes for us,i.e DEPENDENCY INJECTION
import org.springframework.data.repository.CrudRepository;
public interface PersonDAO extends CrudRepository<Person, Long> {
}
Here PersonDAO Interface extends CrudRepository which contains crud operation methods and it accepts two generics,
Person - bean which you want to persist(Bean name)
Long - Type of primary key of the bean Person.(primary key is mandatory to persist)
Implementation
We dont really implement PersonDAO interface at all,Hibernate implements for use,we just use those method as shown below.
@Service
public class ServiceLayer {
@Autowired
private PersonDAO dao;
public Person addPerson(Person person) {
return dao.save(person);
}
public List getAllPerson() {
return (List) dao.findAll();
}
public void deletePerson(int id) {
dao.delete(id);
}
}
If you observe closely we have just declared PersonDAO object, not intialized,Since it is annotated with @Autowired, Spring looks for the implementation available for that Interface and intializes for us,i.e DEPENDENCY INJECTION
On April 08, 2019 by Kamlesh No comments
Java Persistance API is a specification that provides an easy way of mapping from java object to relational mapping
Why JPA?
The java bean what we try to insert into database needs to be converted into single relational row that can fit into a table, This was all taken care by ORM's (Object - relational mapping), still the problem persists as the conversion had too much of boiler plate code,JDBC Connections, Creating statements,prepared statements,hard coding the queries,looping over results sets etc, it was not really sophisticated and simple, Hence JPA.
How is it simple using JPA now??
Spring Data JPA made it more easy to map the object to relational values, usually DAO layer contains all the information about contacting with the databases, All the boilerplate code that we were writing removed completely by just an interface(not even implementation).
YES,Just an interface, Dont get confused, How it is implemented is in coming chapters!!
To use a Spring Data JPA,add the following dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
Why JPA?
The java bean what we try to insert into database needs to be converted into single relational row that can fit into a table, This was all taken care by ORM's (Object - relational mapping), still the problem persists as the conversion had too much of boiler plate code,JDBC Connections, Creating statements,prepared statements,hard coding the queries,looping over results sets etc, it was not really sophisticated and simple, Hence JPA.
How is it simple using JPA now??
Spring Data JPA made it more easy to map the object to relational values, usually DAO layer contains all the information about contacting with the databases, All the boilerplate code that we were writing removed completely by just an interface(not even implementation).
YES,Just an interface, Dont get confused, How it is implemented is in coming chapters!!
To use a Spring Data JPA,add the following dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
On April 08, 2019 by Kamlesh No comments
One of the main reason of Spring boot huge success is AutoConfiguration, Developers were really exhausted by this xml configuration.
In traditional spring mvc architecture if you wanted just to configure component scan and views, you had to write below shown snippet.
<context:component-scan base-package="com.example.spring.dao"></context:component-scan>
<context:component-scan base-package="com.example.spring.controllers"></context:component-scan>
<context:component-scan base-package="com.example.spring.services"></context:component-scan>
<mvc:annotation-driven/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsps/" />
<property name="suffix" value=".jsp" />
</bean>
Now,In spring boot it is just two lines of code that needs to be placed in application.properties.
spring.mvc.view.prefix=/WEB-INF/views/
spring.mvc.view.suffix=.jsp
So What is application.properties?
It is a YAML configuration file placed under src/main/resources folder,it is a human readable key:value format where you place all the configuration like server port,database information,logging systems etc.
Example : For logging properties
logging.level.org.springframework.web=DEBUG
logging.level.org.hibernate=ERROR
For more examples refer spring boot documentation
In traditional spring mvc architecture if you wanted just to configure component scan and views, you had to write below shown snippet.
<context:component-scan base-package="com.example.spring.dao"></context:component-scan>
<context:component-scan base-package="com.example.spring.controllers"></context:component-scan>
<context:component-scan base-package="com.example.spring.services"></context:component-scan>
<mvc:annotation-driven/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsps/" />
<property name="suffix" value=".jsp" />
</bean>
Now,In spring boot it is just two lines of code that needs to be placed in application.properties.
spring.mvc.view.prefix=/WEB-INF/views/
spring.mvc.view.suffix=.jsp
So What is application.properties?
It is a YAML configuration file placed under src/main/resources folder,it is a human readable key:value format where you place all the configuration like server port,database information,logging systems etc.
Example : For logging properties
logging.level.org.springframework.web=DEBUG
logging.level.org.hibernate=ERROR
For more examples refer spring boot documentation
On April 08, 2019 by Kamlesh No comments
For traditional spring mvc architecture refer here, We were annotating spring mvc Controller Class with @Controller as shown below
@Controller
public class ViewsController {
@RequestMapping("/view1")
public String showView1(){
return "register";
}
In the above code as we know,when the request is made to ApplicationContext/view1 the resource register file will be returned.
In addition to that,Spring boot supports rest controller as shown below
@RestController
@Produces("application/json")
public class BaseController {
@RequestMapping("/list")
private List getList(){
return Arrays.asList("one","two","three");
}
}
As mentioned above the Annotation @RestController identifies that it needs to produce the content that is mentioned, Here the method getList() returns json as mentioned with annotaion @Produces("application/json").
@Controller
public class ViewsController {
@RequestMapping("/view1")
public String showView1(){
return "register";
}
In the above code as we know,when the request is made to ApplicationContext/view1 the resource register file will be returned.
In addition to that,Spring boot supports rest controller as shown below
@RestController
@Produces("application/json")
public class BaseController {
@RequestMapping("/list")
private List getList(){
return Arrays.asList("one","two","three");
}
}
As mentioned above the Annotation @RestController identifies that it needs to produce the content that is mentioned, Here the method getList() returns json as mentioned with annotaion @Produces("application/json").
Subscribe to:
Posts (Atom)
Search
AdSense
Recent Posts
Popular Posts
-
WLST Script for checking the health status of Weblogic Domain (Admin/Managed node) After long time writing something about WLST WLST...
-
WLST Script for checking the status of JDBC Datasource in Weblogic WLST has some good features like we can monitor the weblogic dom...
-
WLST Script for Monitoring the JMS status of Weblogic Domain After long time writing something about WLST WLST has some good feature...
-
WLST Server Start The server of a WebLogic domain can be started using different techniques. The best setup depends on the technical re...
-
How to Deploy Application using WLST We can use WLST to quickly deploy an Application in a Weblogic Server. Requirement:- · The ...
-
How to create WebLogic Domain using Domain template: 1. Open an existing domain template (assuming WebLogic Server is installed at c:...
-
Basic concepts of WLST. What is WLST? It is a scripting tool offered by Weblogic. Any way WLST is not only for a sense of control,...
-
Hi All, writing something about OPMN utility with oracle instance and Weblogic. WebLogic Server – Weblogic is J2EE application ...
-
Hadoop Distributed Filesystem (HDFS) Built to support high throughput, streaming reads and writes of extremely large files. NAS ...
-
Before diving into this implementation, I would suggest you to look at Spring Security Introduction first. Let's Start Most of the We...
Recent Posts
Sample Text
Blog Archive
-
▼
2019
(13)
-
▼
April
(13)
- Spring MVC vs Spring Boot
- Spring Security With Spring Boot Example
- What is Spring Security?
- Adding your own implementation in JPA
- Crud Operations using Spring Data JPA
- What is Spring Boot JPA?
- YAML and Application.Properties Configuration in S...
- How Controller works in Spring Boot?
- What is Annotation?
- Setting up Spring Boot
- Why Spring Boot?
- What is Spring Boot?
- Spring Boot Tutorials
-
▼
April
(13)
Total Pageviews
Find Us On Facebook
Powered by Blogger.