Spring Security
You can gain the benefit of spring security by implementing the WebSecurityConfigurer or by extending the WebSecurityConfigurerAdapter class.
Also you should annotate that bean class with the @EnableWebSecurity or @EnableWebMvcSecurity.
But for MVC based application its suggested to use @EnableWebMvcSecurity
-It configures the MVC argument resolver.
-It also provide authenticated users principal using the @AuthenticationPrincipal annotated parameters.
-It also adds CSRF(cross site request forgery) token field on the forms with the help of form binding tag libraries.
You can provide configuraion about the security by overriding any of the following three configure() method of WebSecurityConfigurerAdapter class.
1) configure(WebSecurity)
-Override this method to configure the spring security filter chain.
2) configure(HttpSecurity)
-Override to provide security for the request using the interceptors.
3) configure(AuthenticationManagerBuilder)
- Override this method to provide user details services related configuration.
Example:
@Configuration
@EnableWebMvcSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter
{
public void configure(HttpSecurity httpSecurity){
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/login", "/data/**", "/spitter/**")
.permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.and()
.logout()
.clearAuthentication(true)
.permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password("user")
.roles("USER").and().withUser("admin")
.password("admin")
.roles("USER", "ADMIN");
}
// Instead of above method You can do database related authentication using following code
@Autowired
private DataSource dataSource;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.jdbcAuthentication()
.dataSource(dataSource);
}
}