To have a user in the webapp we had to put it in the session and add login and registration pages. Of course the pages that only worked with a valid user account had to be secured as well.
We used Spring Security for that, writing a simple UserDetailsService that used a repository for looking up the users and validating their credentials. The config is located in a separate applicationContext-security.xml. But first, as always, Maven and web.xml setup.
Example 13.1. pom.xml for spring-security
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
Example 13.2. web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicatioContext-security.xml
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Example 13.3. applicationContext-security.xml
<security:global-method-security secured-annotations="enabled">
</security:global-method-security>
<security:http auto-config="true" access-denied-page="/auth/denied"> <!-- use-expressions="true" -->
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/import/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/user/*" access="ROLE_USER"/>
<security:intercept-url pattern="/auth/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/auth/register" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:form-login login-page="/auth/login" authentication-failure-url="/auth/login?login_error=true"
default-target-url="/user"/>
<security:logout logout-url="/auth/logout" logout-success-url="/" invalidate-session="true"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder hash="md5">
<security:salt-source system-wide="cewuiqwzie"/>
</security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<bean id="userDetailsService" class="org.neo4j.movies.service.CineastsUserDetailsService"/>
Example 13.4. UserDetailsService and UserDetails implementation
@Service
public class CineastsUserDetailsService implements UserDetailsService, InitializingBean {
@Autowired private FinderFactory finderFactory;
private NodeFinder<User> userFinder;
@Override
public void afterPropertiesSet() throws Exception {
userFinder = finderFactory.createNodeEntityFinder(User.class);
}
@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException, DataAccessException {
final User user = findUser(login);
if (user==null) throw new UsernameNotFoundException("Username not found",login);
return new CineastsUserDetails(user);
}
public User findUser(String login) {
return userFinder.findByPropertyValue("users","login",login);
}
public User getUserFromSession() {
SecurityContext context = SecurityContextHolder.getContext();
Authentication authentication = context.getAuthentication();
Object principal = authentication.getPrincipal();
if (principal instanceof CineastsUserDetails) {
CineastsUserDetails userDetails = (CineastsUserDetails) principal;
return userDetails.getUser();
}
return null;
}
}
public class CineastsUserDetails implements UserDetails {
private final User user;
public CineastsUserDetails(User user) {
this.user = user;
}
@Override
public Collection<GrantedAuthority> getAuthorities() {
User.Roles[] roles = user.getRoles();
if (roles ==null) return Collections.emptyList();
return Arrays.<GrantedAuthority>asList(roles);
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getLogin();
}
....
public User getUser() {
return user;
}
}
After that a logged in user was available in the session and could so be used for all the social interactions. Most of the work done next was adding controller methods
and JSPs for the views. We used the helper method getUserFromSession() in the controllers to access the logged in user and put it in the model for rendering.
As a teaser we'd like to show off the user profile page, as it will be rendered after UX heavy lifting.
