enginooby-practice/spring-security

Practice Topics

Environment Setup

Maven Project Setup

  1. Create a Maven project with the webapp archetype in Eclipse
  2. Set up the POM file [pom.xml]
    • Change the JDK version (Servlet 3.0 requires JDK 6+)
    • springframework.version property with the spring-webmvc dependency
    • springsecurity.version property with the spring-security-web and spring-security-config dependencies (must be compatible with the springframework version; the two version numbers may differ)
    • spring-security-taglibs dependency: access the user id and roles in JSP
    • javax.servlet-api, javax.servlet.jsp-api and jstl dependencies: support Servlet, JSP and JSTL
    • jaxb-api dependency: compensates for Java 9+ no longer bundling JAXB
    • maven-war-plugin plugin (GAV)
    • mysql-connector-java dependency: JDBC driver to connect to the database
    • com.mchange.c3p0 dependency: set up the database connection pool

Spring MVC Configuration

  1. Create Spring MVC Configuration class [AppConfig]
    • @Configuration
    • @EnableWebMvc (<=> <mvc:annotation-driven>)
    • @ComponentScan with basePackages
    • Define a bean for View Resolver
  2. Create a Spring Dispatcher Servlet Initializer that extends AbstractAnnotationConfigDispatcherServletInitializer [SpringMvcInitializer]
    • Override getServletConfigClasses() to return the Spring MVC Configuration class.
    • Override getServletMappings() to set the URL pattern the dispatcher servlet handles, normally /
  3. Create Controller class [DemoController]
    • @Controller
    • @RequestMapping, @GetMapping, @PostMapping
  4. Create 'view' folder in src/main/webapp/WEB-INF to contain all JSP pages
  5. Create JSP page [home.jsp]
  6. Run project on server to test Spring MVC

Spring Security Configuration

  1. Create a Spring Security Initializer that extends AbstractSecurityWebApplicationInitializer [SecurityInitializer]
  2. Create a Spring Security Configuration class that extends WebSecurityConfigurerAdapter [SecurityConfig]
    • @Configuration
    • @EnableWebSecurity
    • Override configure(AuthenticationManagerBuilder) to add users for authentication
  3. Run project on server to test Spring Security
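Steps 1 and 2 as an added example (not the repository's own code). The user names, passwords and role names are constructed, the package is an assumption, and the two classes go in separate files.

```java
// Added example, not the repository's code. User names, passwords and roles are
// constructed; the package name is an assumption; each class in its own file.
package com.example.springsecurity.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// --- SecurityInitializer.java: registers springSecurityFilterChain with the container ---
// No body is needed; the base class puts the filter in front of the DispatcherServlet.
class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}

// --- SecurityConfig.java ---
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Spring Security 5 expects stored passwords to carry an {id} prefix naming the
        // encoder. {noop} is plain text and only useful for a first smoke test; {bcrypt}
        // marks a BCrypt hash and is the form to keep. The hash for "mary" is generated
        // here at startup purely so the example has no hard-coded hash.
        String maryHash = "{bcrypt}" + new BCryptPasswordEncoder().encode("test123");

        auth.inMemoryAuthentication()
            .withUser(User.builder()
                          .username("john")
                          .password("{noop}test123")
                          .roles("EMPLOYEE"))
            .withUser(User.builder()
                          .username("mary")
                          .password(maryHash)
                          .roles("EMPLOYEE", "MANAGER"));
    }
}
```

With only this class in place, every URL requires authentication and Spring Security serves its own generated login page; roles() adds the ROLE_ prefix itself, so hasRole("MANAGER") later matches the authority ROLE_MANAGER.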

Database Setup

  1. Create the database schema and tables (the schema Spring Security expects by default) [create-database.sql]
    1. users with username (PK, varchar), password (varchar), enabled (tinyint)
    2. authorities with username (FK, UNI, varchar), authority (UNI, varchar) with the ROLE_ prefix
  2. Create a JDBC properties file in src/main/resources (to inject the properties into the Configuration files later instead of hard-coding them) [persistence-mysql.properties]
  3. Define the DataSource in the Spring MVC Configuration with @PropertySource [AppConfig]
    1. Inject Environment to read the data properties with @Autowired
    2. Define the DataSource object bean
      • Create the connection pool
      • Set the JDBC driver
      • Set the database connection properties
      • Set the connection pool properties
  4. Update the Spring Security Configuration to use JDBC [SecurityConfig]
    1. Inject the DataSource with @Autowired
    2. auth.jdbcAuthentication().dataSource(<data source>)
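Steps 3 and 4 as an added example (not the repository's own code). The property keys (jdbc.*, connection.pool.*) are assumed names for entries in persistence-mysql.properties, the package is an assumption, and each class goes in its own file; the view resolver bean from the MVC step is unchanged and not repeated.

```java
// Added example, not the repository's code. Property keys jdbc.* and
// connection.pool.* are assumed names; the package name is an assumption.
package com.example.springsecurity.config;

import java.beans.PropertyVetoException;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

import com.mchange.v2.c3p0.ComboPooledDataSource;

// --- AppConfig.java ---
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.example.springsecurity")
@PropertySource("classpath:persistence-mysql.properties")   // src/main/resources is on the classpath
public class AppConfig {

    @Autowired
    private Environment env;            // read access to the injected property values

    @Bean
    public DataSource securityDataSource() {
        ComboPooledDataSource ds = new ComboPooledDataSource();   // c3p0 connection pool

        try {
            ds.setDriverClass(env.getProperty("jdbc.driver"));  // e.g. com.mysql.cj.jdbc.Driver
        } catch (PropertyVetoException e) {
            throw new IllegalStateException("JDBC driver class not found", e);
        }

        // Connection properties: credentials live in the properties file, not in code
        ds.setJdbcUrl(env.getProperty("jdbc.url"));
        ds.setUser(env.getProperty("jdbc.user"));
        ds.setPassword(env.getProperty("jdbc.password"));

        // Pool sizing
        ds.setInitialPoolSize(intProperty("connection.pool.initialPoolSize"));
        ds.setMinPoolSize(intProperty("connection.pool.minPoolSize"));
        ds.setMaxPoolSize(intProperty("connection.pool.maxPoolSize"));
        ds.setMaxIdleTime(intProperty("connection.pool.maxIdleTime"));
        return ds;
    }

    private int intProperty(String name) {
        return Integer.parseInt(env.getProperty(name));
    }
}

// --- SecurityConfig.java ---
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource securityDataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // With no custom queries, Spring Security reads the default schema:
        //   select username, password, enabled from users where username = ?
        //   select username, authority from authorities where username = ?
        // so the tables in create-database.sql must use exactly these column names.
        auth.jdbcAuthentication().dataSource(securityDataSource);
    }
}
```

Two checks worth making against the tables: the password column must be wide enough for the {bcrypt} prefix plus the 60-character hash (68 characters in total), and every row in authorities must carry the ROLE_ prefix, otherwise hasRole() checks in the HttpSecurity configuration never match.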

Custom Login Form

  1. Modify the Spring Security Configuration to reference the custom login form by overriding configure(HttpSecurity) [SecurityConfig]
  2. Create a controller request mapping that returns the custom login form [LoginController]
  3. Create the custom login form [login-page.jsp]
    • Spring MVC form tag: <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%> (to post username and password to the Authentication)
    • JSTL: <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> (to get the error message)
  4. Add logout function
    1. Add logout support to Spring Security Configuration [SecurityConfig]
    2. Add logout button to JSP page [home.jsp]
    3. Update login form to display logout message [styled-login-page.jsp]

User Security

  1. Display user info [home.jsp]
    • Spring Security JSP Tag Library: <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>
    • Display user name: <security:authentication property="principal.username"/>
    • Display user roles: <security:authentication property="principal.authorities"/>
  2. Restrict access based on roles: antMatchers(<path>).hasRole(<role>) [SecurityConfig]
  3. Custom Access Denied Page
    1. Configure page path in Security Configuration file with exceptionHandling().accessDeniedPage(<path>) [SecurityConfig]
    2. Create supporting controller code and JSP page [access-denied.jsp] [LoginController]
    • [!] Internal browser of Eclipse does not display Custom Access Denied Page
  4. Display content based on Roles: <security:authorize access="hasRole('<role>')"> [home.jsp]

Notes - Tips

  • 📌 [Maven] If src/main/java and src/test/java are not available, go to Build Path -> Order and Export -> Choose JRE and Maven Dependencies.
  • 📌 [Eclipse] Select a method to override: Right click -> Source (Alt+Shift+S) -> Override methods
  • 📌 [Server] Change the Context Root (Context Path) to resolve a duplicate app name on the server: Properties -> Web Project Settings.
  • ℹ️ [JSP] <form:form> automatically adds the CSRF token
  • ℹ️ [Spring Security] Password formats in Spring Security 5:
    • noop: plain text
    • bcrypt: BCrypt hashing, 60 characters (preferred)
  • ℹ️ [Maven] Resources in src/main/resources are automatically copied to the classpath during the Maven build
  • 📌 [Server] Project properties (Alt+Enter) -> Project facets -> Runtimes: Tomcat
  • 📌 [Maven] Update Maven project (Alt+F5)
  • 📌 [Maven] Change Servlet 2.3 (generated by the webapp archetype) to Servlet 3.0 in order to use ${pageContext.request.contextPath}
    • Modify web.xml
    • Close the project and delete it from the workspace (don't delete the files on disk)
    • Delete the .project and .classpath files and the .settings directory from the project folder
    • Re-import the project: Import -> Existing Maven Project
    • Clean the server
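The password-format note above in working form, as an added example (not the repository's own code): it uses the delegating encoder that Spring Security 5 applies by default, which reads the {id} prefix and dispatches to the matching algorithm. The sample passwords are constructed and the package name is an assumption.

```java
// Added example, not the repository's code. Sample passwords are constructed;
// the package name is an assumption.
package com.example.springsecurity.util;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordFormatDemo {

    // The encoder Spring Security 5 uses by default: reads the {id} prefix of a
    // stored value and delegates to that algorithm; new hashes are written as {bcrypt}.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Returns the value to store in users.password: "{bcrypt}" + 60-character hash. */
    public static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Checks a login attempt against a stored value, whatever prefix it carries. */
    public static boolean verify(String rawPassword, String storedPassword) {
        return ENCODER.matches(rawPassword, storedPassword);
    }

    public static void main(String[] args) {
        String stored = hashForStorage("test123");

        // "{bcrypt}" (8 chars) + 60-char hash = 68 chars; size the DB column accordingly.
        System.out.println(stored + "  length=" + stored.length());

        // BCrypt salts every call, so hashing the same password twice gives two
        // different strings, yet each of them verifies.
        System.out.println("fresh hash verifies: " + verify("test123", stored));
        System.out.println("second hash differs: " + !stored.equals(hashForStorage("test123")));

        // {noop} rows still verify, which is what lets a first smoke test run before hashing.
        System.out.println("{noop} verifies: " + verify("test123", "{noop}test123"));

        // A stored value with no prefix is rejected outright rather than guessed at.
        try {
            verify("test123", "test123");
        } catch (IllegalArgumentException e) {
            System.out.println("no prefix: " + e.getMessage());
        }
    }
}
```

The last case is the one that bites when the users table is filled by hand: a password inserted without the {noop} or {bcrypt} prefix does not fail the login quietly, it raises an IllegalArgumentException from the encoder, so a missing prefix shows up in the server log rather than as a plain "bad credentials" message.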

Extra References

  • Customize AuthenticationFailureHandler by Java [URL]
  • Implement "Remember me" function [URL]
