Posts Tagged ‘web security’

Tracking logged in users using spring-security and HttpSessionListener in java web application

Thursday, February 19th, 2009

If you haven’t already, please first read my article on configuring spring security and after that the article on writing a custom AuthenticationProcessingFilter. It is imperative that you know how to do both before you continue.

We always want to know who is on our website, how many users are logged in and how many visitors are present. Not only is the information useful, it also looks good. :) I tried looking for pluggable solutions to track users but couldn’t find any. Having implemented spring security in a few web apps, I decided to see if there was an easy way to do this. (more…)

Custom AuthenticationProcessingFilter for spring security to perform actions on login

Monday, February 16th, 2009

Questions like this one pop up on the spring security forum all the time. The question is almost always the same: the system must perform some custom action after a user logs in or out of the system. And almost always this action has to be performed on the session, like setting an attribute or removing one. Sometimes users also want to put their own User object in the session for later use in the application. All these actions can be performed by writing a custom AuthenticationProcessingFilter and replacing the default instance on the filter chain with your implementation.

Before I show you how to write your very own filter, (more…)

Automatically redirecting all requests to SSL in web application

Wednesday, February 11th, 2009

More often than not you are required to secure your login pages and certain admin resources using Secure Sockets Layer (SSL) or TLS. This can be quite a task if you go around manually redirecting all your http requests to https and then configuring your server. What’s worse is that another team member may forget to secure certain resources, thereby exposing them through “un-safe” means.

The best way to secure such resources is to use the (more…)

Writing custom UserDetailsService for spring security

Wednesday, February 11th, 2009

I wish spring security would work on their documentation and tell people how easy it is to implement a custom service for loading user details. You don’t HAVE to use JDBC to do that, you can write your very own hibernate, toplink or whatever DAO to do just that. It’s important to realise that spring-security does not send your password to the database ever. Instead it loads a user’s details and then compares its password internally before validating the user and granting it access to internal pages. (more…)

Spring security login and logout form

Monday, February 9th, 2009

So I managed to configure spring security in my last article here, but what do I do now? How do I create the login form, login.jsp, for my users to authenticate from? I searched around and found a few articles but none that listed out the login page. Then I looked in the spring-security distribution (more…)