Thus, it should be of no surprise that we are now bringing Spring’s Security module<\/a> into play. As the official site states, Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications<\/span>. Spring Security is the evolution of the Acegi framework which used Spring under the hood in order to provide security mainly to web applications. However, Spring Security is now a full-blown security framework, incorporating functionality not only for the web, but also for LDAP<\/a> integration and ACL<\/a>s creation. Before getting started with this tutorial, it would be nice to take a look at the Spring Security Reference Documentation<\/a> and having at hand the Spring Security API Javadocs<\/a>.<\/p>\n For this tutorial I will be using GWT 2.1.0 and Spring Security 3.0.5. You can download the latest production release here<\/a>. As you might have guessed, some libraries from the core Spring framework will also be needed. You can download the framework here<\/a>.<\/p>\n Let’s get started by creating a new Web Application project in Eclipse (I suppose you have already installed the Google plugin for Eclipse and that you also have GWT deployed). I chose the profound name \u201cGwtSpringSecurityProject\u201d for the project’s name. Here what the Eclipse screen will look like:<\/p>\n The first step for adding Spring security to our project is declaring a filter in our \u201cweb.xml\u201d file. This filter, which is an instance of the FilterChainProxy<\/a> class, will intercept all incoming requests and delegate the request’s control to the appropriate Spring handler. The relevant web declaration file snippet is the following:<\/p>\n We also have to define a ContextLoaderListener in our \u201cweb.xml\u201d in order to bootstrap the Spring context. This is done via the following snippet:<\/p>\n Next we create a file named \u201capplicationContext.xml\u201d inside the \u201cwar\/WEB-INF\u201d folder. There we declare the spring security related information. The most important element is the \u201chttp<\/a>\u201d, which can be used to define on which URLs should security be applied, as well as what roles should the users have in order to access particular resources. In our case, the snippet is the following:<\/p>\n In short, the above states that role \u201cROLE_USER\u201d is required in order to gain access to the files under the \u201cgwt\u201d and the \u201cgwtspringsecurityproject\u201d folders (where the GWT related resources reside). Similarly, all HTML files (like GWT’s entrypoint) require the same role. The \u201cIS_AUTHENTICATED_ANONYMOUSLY\u201d means that all users can access the particular resource, without having to be part of a specific role. With this simple usage of the \u201chttp<\/a>\u201d element, the default login page and logout URL will be used by Spring.<\/p>\n All the authentication requests are handled by an AuthenticationManager<\/a>, so an instance of that has to be declare in our file. More specifically, the requests are usually delegated to an AuthenticationProvider<\/a>. Some already created implementations can be used, such as the DaoAuthenticationProvider<\/a> (when working with roles and users defined in a DB) or the LdapAuthenticationProvider<\/a> (which authenticates users against an LDAP server). For the purposes of this tutorial however, we are going to create a custom authentication provider and integrate it with spring’s security infrastructure.<\/p>\n Before we delve into the application’s code, we have to take care of dependencies first. Here are the JARs that have to be added to the project’s classpath:<\/p>\n Ok, now we are ready. Our provider is quite plain and just uses a static Map in order to store users and their corresponding password. Here is the code:<\/p>\n Let’s begin the elaboration on that code from the end. The supports<\/a> method defines the kind of authentication that this provider provides. In our case, the UsernamePasswordAuthenticationToken<\/a> is the one we wish to handle. That implementation is designed for simple presentation of a username and password. The authenticate<\/a> method is implemented and inside that we retrieve the username provided in the login form (via the getPrincipal<\/a> method) as well as the accompanying password (via the getCredentials<\/a> method). First, we check if the specific username exists and if not, a UsernameNotFoundException<\/a> is thrown. Similarly, if the username exists but the password is incorrect, a BadCredentialsException<\/a> is thrown. Note that both theses exceptions extend the parent AuthenticationException<\/a> class.<\/p>\n If both the username and the password are correct, we are in place to authenticate the user. In order to do so, we have to return a concrete instance of the Authentication<\/a> interface. In that, we have to encapsulate the already known user information (credentials etc.) as well as the roles (authorities) that the user has. Note that the assigned role (ROLE_USER) matches the one declared in the \u201capplicationContext.xml\u201d file. In addition, the setAuthenticated<\/a> method has to be invoked (with true as argument) in order to indicate to the rest of the authentication chain that the specific user was successfully authenticated by our module. Let’s see how the custom authentication object is defined in our case:<\/p>\n In the constructor, we pass the user’s role and the original Authentication<\/a> object. In the implemented methods, the most important one is the getAuthorities<\/a>, which returns the authorities that the principal has been granted. That information is provided inside a collection of GrantedAuthority<\/a> objects.<\/p>\n Let’s see now how the \u201capplicationContext.xml\u201d looks like:<\/p>\n Every element of the declaration file has been defined except for the \u201cCustomAuthListener\u201d. Being part of the Spring framework, Spring Security allows the application developer to provide callbacks which will be invoked on specific parts of the application’s lifecycle. Thus, we can register our methods to be called when specific authentication events occur. In our case, we will create a listener that receives AbstractAuthorizationEvent<\/a>s, i.e. all security interception related events. Let’s see how this is accomplished:<\/p>\n In our implementation, we just log all successful and unsuccessful authentication events (based on the LoggerListener<\/a> class) but it is obviously quite straightforward to provide your own business logic here.<\/p>\n Finally, we will create a GWT asynchronous server side service that will provide the client with information regarding the user and the username that he has logged in with. If you have the tiniest experience with GWT, you will not have any problems understanding the code. Here are the two interfaces and the concrete implementation of the service:<\/p>\n AuthService<\/p>\n AuthServiceAsync<\/p>\n AuthServiceImpl<\/p>\n The code is very simple. We use the SecurityContextHolder<\/a> class to retrieve the current SecurityContext<\/a> and then the getAuthentication<\/a> method in order to take reference of the underlying Authentication<\/a> object. From that, we retrieve the username, if any, via the getPrincipal<\/a> method.<\/p>\n Of course, we have to declare the specific servlet in our application \u201cweb.xml\u201d file. Here it is:<\/p>\n And here is the whole web declaration file:<\/p>\n Let’s see how this service is used inside the application’s entry point. We add the following code snippet just before the end of the onModuleLoad<\/a> method:<\/p>\n A last step before launching our application is to take care of the runtime dependencies. Spring requires a bunch of libraries in order to do its DI magic, so here is the list of the JARs that have to be present inside your \u201cwar\/WEB-INF\/lib\u201d folder:<\/p>\n After copying all of the above, launch the Eclipse project configuration and try to access the default URL: The request will be intercepted by Spring Security and you will be presented with a default login page. Provide the valid credentials as below:<\/p>\n Submit the form data and you will be redirected to the original URL. Notice that the text field will be populated with the username used to log in.<\/p>\n Return to your Eclipse Console view and check out the various logs printed there. You should see something like the following:<\/p>\n That’s all folks. You can find here<\/a> the Eclipse project created. Have fun!<\/p>\n In this tutorial we will see how to integrate GWT with Spring’s security module, i.e. Spring Security. We will see how to protect the GWT entrypoint, how to retrieve the user’s credentials and how to log the various authentication events. Moreover, we are going to implement a custom authentication provider so that existing authentication schemes …<\/p>\n","protected":false},"author":3,"featured_media":242,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[27,30,125],"class_list":["post-335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-google-gwt","tag-spring","tag-spring-security"],"yoast_head":"\n![\"\"](\"http:\/\/3.bp.blogspot.com\/_piNjpdpJZXA\/TQnRHALXN1I\/AAAAAAAAAOI\/7r0uw9U3FdY\/s320\/01-gwt-spring-security-project.png\")
<\/a><\/p>\n\u2026\r\n<filter>\r\n <filter-name>springSecurityFilterChain<\/filter-name>\r\n <filter-class>org.springframework.web.filter.DelegatingFilterProxy<\/filter-class>\r\n<\/filter>\r\n\r\n<filter-mapping>\r\n <filter-name>springSecurityFilterChain<\/filter-name>\r\n <url-pattern>\/*<\/url-pattern>\r\n<\/filter-mapping>\r\n...\r\n<\/pre>\n
\u2026\r\n <listener>\r\n <listener-class>org.springframework.web.context.ContextLoaderListener<\/listener-class>\r\n <\/listener>\r\n...\r\n<\/pre>\n
\u2026\r\n<http auto-config=\"true\">\r\n <intercept-url pattern=\"\/gwtspringsecurityproject\/**\" access=\"ROLE_USER\"\/>\r\n <intercept-url pattern=\"\/gwt\/**\" access=\"ROLE_USER\"\/>\r\n <intercept-url pattern=\"\/**\/*.html\" access=\"ROLE_USER\"\/>\r\n <intercept-url pattern=\"\/**\" access=\"IS_AUTHENTICATED_ANONYMOUSLY\" \/>\r\n<\/http>\r\n...\r\n<\/pre>\n
\n
package com.javacodegeeks.gwt.security.server.auth;\r\n\r\nimport java.util.HashMap;\r\nimport java.util.Map;\r\n\r\nimport org.springframework.security.authentication.AuthenticationProvider;\r\nimport org.springframework.security.authentication.BadCredentialsException;\r\nimport org.springframework.security.authentication.UsernamePasswordAuthenticationToken;\r\nimport org.springframework.security.core.Authentication;\r\nimport org.springframework.security.core.AuthenticationException;\r\nimport org.springframework.security.core.userdetails.UsernameNotFoundException;\r\n\r\npublic class CustomAuthenticationProvider implements AuthenticationProvider {\r\n \r\n private static Map<String, String> users = new HashMap<String, String>();\r\n \r\n static {\r\n users.put(\"fabrizio\", \"javacodegeeks\");\r\n users.put(\"justin\", \"javacodegeeks\");\r\n }\r\n\r\n @Override\r\n public Authentication authenticate(Authentication authentication) \r\n throws AuthenticationException {\r\n \r\n String username = (String) authentication.getPrincipal();\r\n String password = (String)authentication.getCredentials();\r\n \r\n if (users.get(username)==null)\r\n throw new UsernameNotFoundException(\"User not found\");\r\n \r\n String storedPass = users.get(username);\r\n \r\n if (!storedPass.equals(password))\r\n throw new BadCredentialsException(\"Invalid password\");\r\n \r\n Authentication customAuthentication = \r\n new CustomUserAuthentication(\"ROLE_USER\", authentication);\r\n customAuthentication.setAuthenticated(true);\r\n \r\n return customAuthentication;\r\n \r\n }\r\n\r\n @Override\r\n public boolean supports(Class<? extends Object> authentication) {\r\n return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);\r\n }\r\n\r\n}\r\n<\/pre>\npackage com.javacodegeeks.gwt.security.server.auth;\r\n\r\nimport java.util.ArrayList;\r\nimport java.util.Collection;\r\n\r\nimport org.springframework.security.core.Authentication;\r\nimport org.springframework.security.core.GrantedAuthority;\r\nimport org.springframework.security.core.authority.GrantedAuthorityImpl;\r\n\r\npublic class CustomUserAuthentication implements Authentication {\r\n \r\n private static final long serialVersionUID = -3091441742758356129L;\r\n \r\n private boolean authenticated;\r\n \r\n private GrantedAuthority grantedAuthority;\r\n private Authentication authentication;\r\n \r\n public CustomUserAuthentication(String role, Authentication authentication) {\r\n this.grantedAuthority = new GrantedAuthorityImpl(role);\r\n this.authentication = authentication;\r\n }\r\n\r\n @Override\r\n public Collection<GrantedAuthority> getAuthorities() {\r\n Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();\r\n authorities.add(grantedAuthority);\r\n return authorities;\r\n }\r\n\r\n @Override\r\n public Object getCredentials() {\r\n return authentication.getCredentials();\r\n }\r\n\r\n @Override\r\n public Object getDetails() {\r\n return authentication.getDetails();\r\n }\r\n\r\n @Override\r\n public Object getPrincipal() {\r\n return authentication.getPrincipal();\r\n }\r\n\r\n @Override\r\n public boolean isAuthenticated() {\r\n return authenticated;\r\n }\r\n\r\n @Override\r\n public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {\r\n this.authenticated = authenticated;\r\n }\r\n\r\n @Override\r\n public String getName() {\r\n return this.getClass().getSimpleName();\r\n }\r\n\r\n}\r\n<\/pre>\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n\r\n<beans:beans xmlns=\"http:\/\/www.springframework.org\/schema\/security\"\r\n xmlns:beans=\"http:\/\/www.springframework.org\/schema\/beans\"\r\n xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n xsi:schemaLocation=\"http:\/\/www.springframework.org\/schema\/beans http:\/\/www.springframework.org\/schema\/beans\/spring-beans-3.0.xsd\r\n http:\/\/www.springframework.org\/schema\/security http:\/\/www.springframework.org\/schema\/security\/spring-security-3.0.xsd\">\r\n\r\n <beans:bean id=\"customAuthListener\" class=\"com.javacodegeeks.gwt.security.server.auth.CustomAuthListener\"\/>\r\n\r\n <http auto-config=\"true\">\r\n <intercept-url pattern=\"\/gwtspringsecurityproject\/**\" access=\"ROLE_USER\"\/>\r\n <intercept-url pattern=\"\/gwt\/**\" access=\"ROLE_USER\"\/>\r\n <intercept-url pattern=\"\/**\/*.html\" access=\"ROLE_USER\"\/>\r\n <intercept-url pattern=\"\/**\" access=\"IS_AUTHENTICATED_ANONYMOUSLY\" \/>\r\n <\/http>\r\n \r\n <beans:bean id=\"customAuthenticationProvider\" class=\"com.javacodegeeks.gwt.security.server.auth.CustomAuthenticationProvider\" \/> \r\n \r\n <authentication-manager alias=\"authenticationManager\">\r\n <authentication-provider ref=\"customAuthenticationProvider\"\/>\r\n <\/authentication-manager>\r\n \r\n<\/beans:beans>\r\n<\/pre>\n
package com.javacodegeeks.gwt.security.server.auth;\r\n\r\nimport org.apache.commons.logging.Log;\r\nimport org.apache.commons.logging.LogFactory;\r\nimport org.springframework.context.ApplicationListener;\r\nimport org.springframework.security.authentication.event.AbstractAuthenticationEvent;\r\nimport org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;\r\n\r\npublic class CustomAuthListener implements ApplicationListener<AbstractAuthenticationEvent> {\r\n \r\n private static final Log logger = LogFactory.getLog(CustomAuthListener.class);\r\n\r\n @Override\r\n public void onApplicationEvent(AbstractAuthenticationEvent event) {\r\n \r\n final StringBuilder builder = new StringBuilder();\r\n builder.append(\"Authentication event \");\r\n builder.append(event.getClass().getSimpleName());\r\n builder.append(\": \");\r\n builder.append(event.getAuthentication().getName());\r\n builder.append(\"; details: \");\r\n builder.append(event.getAuthentication().getDetails());\r\n\r\n if (event instanceof AbstractAuthenticationFailureEvent) {\r\n builder.append(\"; exception: \");\r\n builder.append(((AbstractAuthenticationFailureEvent) event).getException().getMessage());\r\n }\r\n\r\n logger.warn(builder.toString());\r\n\r\n }\r\n\r\n}\r\n<\/pre>\npackage com.javacodegeeks.gwt.security.client;\r\n\r\nimport com.google.gwt.user.client.rpc.RemoteService;\r\nimport com.google.gwt.user.client.rpc.RemoteServiceRelativePath;\r\n\r\n\/**\r\n * The client side stub for the RPC service.\r\n *\/\r\n@RemoteServiceRelativePath(\"auth\")\r\npublic interface AuthService extends RemoteService {\r\n String retrieveUsername();\r\n}\r\n<\/pre>\npackage com.javacodegeeks.gwt.security.client;\r\n\r\nimport com.google.gwt.user.client.rpc.AsyncCallback;\r\n\r\n\/**\r\n * The async counterpart of <code>AuthService<\/code>.\r\n *\/\r\npublic interface AuthServiceAsync {\r\n void retrieveUsername(AsyncCallback<String> callback);\r\n}\r\n<\/pre>\npackage com.javacodegeeks.gwt.security.server;\r\n\r\nimport org.springframework.security.core.Authentication;\r\nimport org.springframework.security.core.context.SecurityContextHolder;\r\n\r\nimport com.google.gwt.user.server.rpc.RemoteServiceServlet;\r\nimport com.javacodegeeks.gwt.security.client.AuthService;\r\n\r\n@SuppressWarnings(\"serial\")\r\npublic class AuthServiceImpl extends RemoteServiceServlet implements AuthService {\r\n\r\n @Override\r\n public String retrieveUsername() {\r\n \r\n Authentication authentication =\r\n SecurityContextHolder.getContext().getAuthentication();\r\n \r\n if (authentication==null){\r\n System.out.println(\"Not logged in\");\r\n return null;\r\n }\r\n else {\r\n return (String) authentication.getPrincipal();\r\n }\r\n \r\n }\r\n \r\n}\r\n<\/pre>\n... \r\n<servlet>\r\n <servlet-name>authServlet<\/servlet-name>\r\n <servlet-class>com.javacodegeeks.gwt.security.server.AuthServiceImpl<\/servlet-class>\r\n<\/servlet>\r\n\r\n<servlet-mapping>\r\n <servlet-name>authServlet<\/servlet-name>\r\n <url-pattern>\/gwtspringsecurityproject\/auth<\/url-pattern>\r\n<\/servlet-mapping>\r\n...\r\n<\/pre>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE web-app\r\n PUBLIC \"-\/\/Sun Microsystems, Inc.\/\/DTD Web Application 2.3\/\/EN\"\r\n \"http:\/\/java.sun.com\/dtd\/web-app_2_3.dtd\">\r\n\r\n<web-app>\r\n\r\n <filter>\r\n <filter-name>springSecurityFilterChain<\/filter-name>\r\n <filter-class>org.springframework.web.filter.DelegatingFilterProxy<\/filter-class>\r\n <\/filter>\r\n\r\n <filter-mapping>\r\n <filter-name>springSecurityFilterChain<\/filter-name>\r\n <url-pattern>\/*<\/url-pattern>\r\n <\/filter-mapping>\r\n \r\n <listener>\r\n <listener-class>org.springframework.web.context.ContextLoaderListener<\/listener-class>\r\n <\/listener>\r\n\r\n <!-- Servlets -->\r\n <servlet>\r\n <servlet-name>greetServlet<\/servlet-name>\r\n <servlet-class>\r\n com.javacodegeeks.gwt.security.server.GreetingServiceImpl\r\n <\/servlet-class>\r\n <\/servlet>\r\n\r\n <servlet-mapping>\r\n <servlet-name>greetServlet<\/servlet-name>\r\n <url-pattern>\/gwtspringsecurityproject\/greet<\/url-pattern>\r\n <\/servlet-mapping>\r\n \r\n <servlet>\r\n <servlet-name>authServlet<\/servlet-name>\r\n <servlet-class>com.javacodegeeks.gwt.security.server.AuthServiceImpl<\/servlet-class>\r\n <\/servlet>\r\n\r\n <servlet-mapping>\r\n <servlet-name>authServlet<\/servlet-name>\r\n <url-pattern>\/gwtspringsecurityproject\/auth<\/url-pattern>\r\n <\/servlet-mapping>\r\n\r\n <!-- Default page to serve -->\r\n <welcome-file-list>\r\n <welcome-file>GwtSpringSecurityProject.html<\/welcome-file>\r\n <\/welcome-file-list>\r\n\r\n<\/web-app>\r\n<\/pre>\n
authService.retrieveUsername(\r\n new AsyncCallback<String>() {\r\n public void onFailure(Throwable caught) {\r\n dialogBox.setText(\"Remote Procedure Call - Failure\");\r\n }\r\n public void onSuccess(String result) {\r\n nameField.setText(result);\r\n }\r\n }\r\n);\r\n<\/pre>\n\n
\n
\nhttp:\/\/127.0.0.1:8888\/GwtSpringSecurityProject.html?gwt.codesvr=127.0.0.1:9997<\/a><\/p>\n![\"\"](\"http:\/\/4.bp.blogspot.com\/_piNjpdpJZXA\/TQnTLry2M6I\/AAAAAAAAAOQ\/KrfAwIkO64g\/s320\/02-login-screen.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/1.bp.blogspot.com\/_piNjpdpJZXA\/TQnTVUDMtKI\/AAAAAAAAAOY\/RKoAZheZxhs\/s320\/03-gwt-main-page.png\")
<\/a><\/p>\n
\n12 Dec 2010 8:45:49 PM com.javacodegeeks.gwt.security.server.auth.CustomAuthListener onApplicationEvent
\nWARNING: Authentication event AuthenticationSuccessEvent: CustomUserAuthentication; details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: im1fdjvdu7yw
\n12 Dec 2010 8:45:49 PM com.javacodegeeks.gwt.security.server.auth.CustomAuthListener onApplicationEvent
\nWARNING: Authentication event InteractiveAuthenticationSuccessEvent: CustomUserAuthentication; details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: im1fdjvdu7yw<\/span><\/p>\n\n