How to move username/passwords out of spring-security-context.xml?

一个人的身影 2020-12-16 23:01

I am using Spring Security in one of my projects. The web-app requires the user to log in. Hence I have added a few usernames and passwords in the spring-security-context.xml fi

6 answers
  • 2020-12-16 23:27

    This works for me for Spring Security authentication and authorization using a properties file:

    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:mvc="http://www.springframework.org/schema/mvc" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
    
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans     
            http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
            http://www.springframework.org/schema/context 
            http://www.springframework.org/schema/context/spring-context-3.2.xsd
            http://www.springframework.org/schema/mvc
            http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    
        <mvc:annotation-driven />
    
        <bean id="webPropertyConfigurer"
            class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
            <property name="ignoreResourceNotFound" value="true" />
            <property name="ignoreUnresolvablePlaceholders" value="true" />
            <property name="locations">
                <list>
                    <value>classpath:abc.properties</value>
                </list>
            </property>
        </bean>
    
        <bean
            class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor" />
    
        <security:http auto-config="true" use-expressions="true">
            <security:intercept-url pattern="/stat/login" access="permitAll"/>
            <security:intercept-url pattern="/stat/summary" access="hasRole('ROLE_ADMIN')" />
    
            <security:form-login login-page="/stat/login"
                default-target-url="/stat/summary" authentication-failure-url="/stat/loginError" /> 
        </security:http>
        <!-- Username and password used from xml -->
        <!-- <security:authentication-manager>
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="xyz" password="xyz" authorities="ROLE_ADMIN" />
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager> -->
    
        <security:authentication-manager>
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="${stat.user}" password="${stat.pwd}" authorities="ROLE_ADMIN" />
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>
    

    The abc.properties file:

    stat.user=xyz
    stat.pwd=xyz
    

    The web.xml entry for spring-security implementation:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>
    
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
  • 2020-12-16 23:28

    You can store the usernames and passwords in a separate .properties file.

    <user-service id="userDetailsService" properties="users.properties"/> 
    

    users.properties should have the following format:

    jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
    bob=bobspassword,ROLE_USER,enabled
    

    If you want to store it in a database, I would recommend you to read this article: http://www.mkyong.com/spring-security/spring-security-form-login-using-database/

    Reference: Spring Security In-Memory Authentication

  • 2020-12-16 23:35

    I have tried the suggested ways; lastly, I did the following, which seemed to work nicely.

    Add these changes to your web.xml

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet-mapping>
        <servlet-name>service</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    

    Add these changes in your spring-security xml

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="${resource.service.authentication.name}"
                    authorities="${resource.service.authentication.authorities}"
                    password="${resource.service.authentication.password}"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
    

    Add these changes to your application context XML or, if you have a property-loader XML, even better

    <bean id="propertyConfigurer"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="placeholderPrefix" value="${" />
        <property name="placeholderSuffix" value="}" />
        <property name="locations">
            <list>
                <value>classpath:resourceservice.properties</value>
            </list>
        </property>
    </bean>
    

    Then add these changes to your property file resourceservice.properties

    resource.service.authentication.name=usename
    resource.service.authentication.authorities=AUTHORISED
    resource.service.authentication.password=password
    

    Add these changes to your resource that uses Jersey

    @PUT
    @Path("{accountId}")
    @Consumes("application/xml")
    @PreAuthorize("hasRole('AUTHORISED')")
    public Response methodName
    
  • 2020-12-16 23:36

    You can use the PropertyPlaceholderConfigurer: put them in a properties file and then reference them using EL:

    http://static.springsource.org/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer

  • 2020-12-16 23:37

    You can find a way to move them to a database or LDAP. Spring Security surely supports both.

  • 2020-12-16 23:40

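    You can simply add a bean inside your Spring Security configuration:

    @Bean
    public UserDetailsService userDetailsService() throws IOException {
       // loadAllProperties reads users.properties from the classpath and throws IOException
       Properties users = PropertiesLoaderUtils.loadAllProperties("users.properties");
       // Each entry has the form username=password,authority[,authority...][,enabled|disabled]
       return new InMemoryUserDetailsManager(users);
    }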
    

    and users.properties looks like:

    admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
    bob={noop}password,ROLE_USER,enabled
    123={noop}123,ROLE_USER,enabled
    
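Moving credentials into users.properties, as in the 23:28 and 23:40 answers, keeps them in plaintext unless each password field holds a hash. The following is an added check for that file format, not code from any answer above or from Spring itself. It assumes Spring Security 5+ `{id}` password prefixes; the class name, the sample entries, and the list of legacy ids are assumptions made for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;

public class UsersPropertiesAudit {

    // Constructed sample in the users.properties format shown above.
    // The {bcrypt} and {MD5} values are placeholders, not real hashes.
    static final String SAMPLE = String.join("\n",
            "admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled",
            "bob=bobspassword,ROLE_USER,enabled",
            "carol={bcrypt}<bcrypt-hash-placeholder>,ROLE_USER,enabled",
            "dave={MD5}<md5-hash-placeholder>,ROLE_USER,enabled");

    // Encoder ids treated as legacy digests here (assumed policy for this example).
    static final Set<String> LEGACY_IDS = Set.of("MD4", "MD5", "SHA-1", "SHA-256", "sha256");

    /** Returns one finding per user whose password field is not a strong hash. */
    static List<String> audit(Properties users) {
        List<String> findings = new ArrayList<>();
        for (String name : new TreeSet<>(users.stringPropertyNames())) {
            // Value layout: password,authority[,authority...][,enabled|disabled]
            String password = users.getProperty(name).split(",", 2)[0].trim();
            int close = password.indexOf('}');
            if (!password.startsWith("{") || close < 0) {
                findings.add(name + ": no {id} prefix, treated as plaintext");
            } else if (password.startsWith("{noop}")) {
                findings.add(name + ": {noop} stores the password in plaintext");
            } else if (LEGACY_IDS.contains(password.substring(1, close))) {
                findings.add(name + ": legacy digest " + password.substring(0, close + 1));
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Properties users = new Properties();
        users.load(new StringReader(SAMPLE));
        List<String> findings = audit(users);
        findings.forEach(System.out::println);
        // A non-zero exit lets a build or deploy step fail on weak entries.
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

On the sample it reports admin, bob and dave and passes carol. To audit a real file, load it with a `FileReader` in place of the `StringReader`.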