tags | projects | ||||
---|---|---|---|---|---|
|
|
This guide walks you through the process creating an application and securing it with the Spring Security LDAP module.
You’ll build a simple web application that is secured by Spring Security’s embedded Java-based LDAP server. You’ll load the LDAP server with a data file containing a set of users.
In Spring, REST endpoints are just Spring MVC controllers. The following Spring MVC controller handles a GET /
request by returning a simple message:
src/main/java/hello/HomeController.java
link:complete/src/main/java/hello/HomeController.java[role=include]
The entire class is marked up with @RestController
so Spring MVC can autodetect the controller using it’s built-in scanning features and automatically configure web routes.
The method is tagged with @RequestMapping
to flag the path and the REST action. In this case, GET
is the default behavior; it returns a message indicating that you are on the home page.
@RestController
also tells Spring MVC to write the text directly into the HTTP response body, because there aren’t any views. Instead, when you visit the page, you’ll get a simple message in the browser as the focus of this guide is securing the page with LDAP.
Before you secure the web application, verify that it works. To do that, you need to define some key beans. To do that, create an Application
class.
src/main/java/hello/Application.java
link:initial/src/main/java/hello/Application.java[role=include]
@SpringBootApplication
is a convenience annotation that adds all of the following:
-
@Configuration
tags the class as a source of bean definitions for the application context. -
@EnableAutoConfiguration
tells Spring Boot to start adding beans based on classpath settings, other beans, and various property settings. -
Normally you would add
@EnableWebMvc
for a Spring MVC app, but Spring Boot adds it automatically when it sees spring-webmvc on the classpath. This flags the application as a web application and activates key behaviors such as setting up aDispatcherServlet
. -
@ComponentScan
tells Spring to look for other components, configurations, and services in the thehello
package, allowing it to find theHelloController
.
The main()
method uses Spring Boot’s SpringApplication.run()
method to launch an application. Did you notice that there wasn’t a single line of XML? No web.xml file either. This web application is 100% pure Java and you didn’t have to deal with configuring any plumbing or infrastructure.
https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/build_an_executable_jar_subhead.adoc https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/build_an_executable_jar_with_both.adoc
If you open your browser and visit http://localhost:8080, you should see the following plain text:
Welcome to the home page!
To configure Spring Security, you first need to add some extra dependencies to your build.
For a Gradle-based build:
build.gradle
link:complete/build.gradle[role=include]
Note
|
Due to a artifact resolution issue with Gradle, spring-tx must be pulled in or Gradle will fetch an older one that doesn’t work. |
For a Maven-based build:
pom.xml
link:complete/pom.xml[role=include]
These dependencies add Spring Security and ApacheDS, an open source LDAP server. With that in place, you can then use pure Java to configure your security policy.
src/main/java/hello/WebSecurityConfig.java
link:complete/src/main/java/hello/WebSecurityConfig.java[role=include]
The @EnableWebSecurity
turns on a variety of beans needed to use Spring Security.
You also need an LDAP server. Spring Security’s LDAP module includes an embedded server written in pure Java, which is being used for this guide. The ldapAuthentication()
method configures things where the username at the login form is plugged into {0}
such that it searches uid={0},ou=people,dc=springframework,dc=org
in the LDAP server.
LDAP servers can use LDIF (LDAP Data Interchange Format) files to exchange user data. The ldif()
method inside WebSecurityConfig
pulls in an LDIF data file. This makes it easy to pre-load demonstration data.
src/main/resources/test-server.ldif
link:complete/src/main/resources/test-server.ldif[role=include]
Note
|
Using an LDIF file isn’t standard configuration for a production system. However, it’s very useful for testing purposes or guides. |
src/main/java/hello/Application.java
link:complete/src/main/java/hello/Application.java[role=include]
@SpringBootApplication
is a convenience annotation that adds all of the following:
-
@Configuration
tags the class as a source of bean definitions for the application context. -
@EnableAutoConfiguration
tells Spring Boot to start adding beans based on classpath settings, other beans, and various property settings. -
Normally you would add
@EnableWebMvc
for a Spring MVC app, but Spring Boot adds it automatically when it sees spring-webmvc on the classpath. This flags the application as a web application and activates key behaviors such as setting up aDispatcherServlet
. -
@ComponentScan
tells Spring to look for other components, configurations, and services in the thehello
package, allowing it to find theHelloController
.
The main()
method uses Spring Boot’s SpringApplication.run()
method to launch an application. Did you notice that there wasn’t a single line of XML? No web.xml file either. This web application is 100% pure Java and you didn’t have to deal with configuring any plumbing or infrastructure.
https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/build_an_executable_jar_subhead.adoc https://raw.githubusercontent.com/spring-guides/getting-started-macros/master/build_an_executable_jar_with_both.adoc
If you visit the site at http://localhost:8080, you should be redirected to a login page provided by Spring Security.
Enter username ben and password benspassword. You should see this message in your browser:
Welcome to the home page!
Congratulations! You have just written a web application and secured it with Spring Security. In this case, you used an LDAP-based user store.